New worm exploiting Xampp?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

New worm exploiting Xampp?

Postby WhiteShepherd » 23. October 2008 22:22

Just a heads up. There may be a new worm that exploits Xampp's default install of phpmyadmin?

At first I thought this was an attack was from a single attacker. But I am seeing the # of attacks increase from more and more IPs.

I have renamed phpMYAdmin directory and blocked access in the .conf file until this passes.

So do users think this is a worm or just attack? I've tracked 6 IPs so far to try and hit.

Here his a example cut of the apache logs:

0.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=proctor HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=bond HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=lives HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=zzzzzz HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=jjjjjj HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=spicey2000 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=mmmmmmm2000 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=darb HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=craft HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=iiiii HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=lennie HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=chronos HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=quick HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=forge HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=bbbbbsssss HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=1944 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=ilulluli HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
WhiteShepherd
 
Posts: 4
Joined: 17. August 2008 19:40
Location: Ohio

Postby Sharley » 24. October 2008 01:48

Thanks for the heads up but should be of no major concerns especially if you have a firewall installed.

The response is 403 Access Forbidden - which shows that your installation is safe and protected for this kind of intrusion.

Also if you have user pma set to the defaults - no pass and only shut down privileges - then even if the worm, or what ever it is, gains access, then the pma user can only close the running phpMyAdmin instance...

...but if the intruder can gain access to the phpMyAdmin folder then you would also be vulnerable to the hacker gaining access to other parts of your system and doing untold damage.

Install a good firewall like the free Comodo offering and when correctly configured would look after your intrusion concerns.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 80 guests