New worm exploiting Xampp?

PostPosted: 23. October 2008 22:22
by WhiteShepherd
Just a heads up. There may be a new worm that exploits Xampp's default install of phpmyadmin?

At first I thought this was an attack from a single attacker, but I am seeing the # of attacks increase from more and more IPs.

I have renamed phpMYAdmin directory and blocked access in the .conf file until this passes.

So do users think this is a worm or just an attack? I've tracked 6 IPs so far trying to hit it.

Here is an example cut of the Apache logs:

0.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=proctor HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=bond HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=lives HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=zzzzzz HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=jjjjjj HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=spicey2000 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=mmmmmmm2000 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=darb HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=craft HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=iiiii HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=lennie HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=chronos HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=quick HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=forge HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=bbbbbsssss HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=1944 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=ilulluli HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
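
As an added example (not from the forum post), a small Python script that scans Apache access-log lines like those above for the pattern WhiteShepherd describes: one IP cycling through many pma_password values against /phpmyadmin within a short window. The combined log format, the thresholds and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined-log prefix; the zone offset in the timestamp is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    parts = urlsplit(rec["url"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec

def find_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs that try >= threshold distinct pma_password values within window_s seconds.
    The statuses are reported because a 200 among the 403s means a guess was accepted."""
    attempts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower().startswith("/phpmyadmin") and "pma_password" in rec["query"]:
            attempts.setdefault(rec["ip"], []).append((rec["ts"], rec["query"]["pma_password"][0], rec["status"]))
    flagged = {}
    for ip, evs in attempts.items():
        evs.sort()
        for i in range(len(evs)):  # slide a window that starts at attempt i
            j = i
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_s:
                j += 1
            guesses = {pw for _, pw, _ in evs[i:j]}
            if len(guesses) >= threshold:
                flagged[ip] = {"attempts": j - i, "distinct_passwords": len(guesses),
                               "statuses": sorted({st for _, _, st in evs[i:j]})}
                break
    return flagged

# Constructed sample lines modelled on the post; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1'
    '&pma_username=sa&pma_password=%s HTTP/1.0" 403 1142 "-" "Mozilla/4.0"' % pw
    for pw in ("guess1", "guess2", "guess3", "guess4", "guess5")
] + [
    '203.0.113.9 - - [23/Oct/2008:15:50:01 -0400] "GET /phpmyadmin/index.php?server=1&pma_username=root&pma_password=guess6 HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Oct/2008:15:50:30 -0400] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

Run `find_bruteforce(open("access.log"))` over a real log to list offending IPs; any flagged IP whose statuses include 200 deserves a look at what that session did next.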

PostPosted: 24. October 2008 01:48
by Sharley
Thanks for the heads up, but it should be of no major concern, especially if you have a firewall installed.

The response is 403 Access Forbidden - which shows that your installation is safe and protected against this kind of intrusion.

Also, if you have user pma set to the defaults - no pass and only shutdown privileges - then even if the worm, or whatever it is, gains access, the pma user can only close the running phpMyAdmin instance...

...but if the intruder can gain access to the phpMyAdmin folder then you would also be vulnerable to the hacker gaining access to other parts of your system and doing untold damage.

Install a good firewall like the free Comodo offering; when correctly configured, it would look after your intrusion concerns.