My Xampp Installation Got Hacked Twice

Problems with the Windows version of XAMPP, questions, comments, and anything related.

My Xampp Installation Got Hacked Twice

Postby HolyDuFF » 04. November 2010 05:49

Hey. I am new to xampp and i don't know very much about it. Anyway i installed xampp on my computer with "Windows 7 Home Premium x64" and 3 days later it got hacked. My antivirus program (ESET NOD32 Antivirus 4) said that httpd.exe was a trojan and another file called NEW.php. And right when it said it a cmd poped up and my computer restarted (I did remove the files before it restarted). After the restart there was a account called "ipbk" that was password protected. I restarted in safe mode and removed the account and then i logged in normaly. I got scared and i removed xampp and installed only Apache. I had Apache for 3 days and it didn't get hacked so i think it's something with xampp. After that i got my server computer and installed "Windows Server 2008 R2 x64" and i hopped it would fix the issues but i was wrong. I installed xampp on it and after 1 day it got hacked and this time it was worse. This time there was 2 other users "localhost" and "doxred" and the password to the administrator account was changed so i can't login :'( This time the antivirus program said that "shell.php" was a php trojan. If you know how to fix this please tell me. Also if you know how to login without a password. Ty.
HolyDuFF
 
Posts: 1
Joined: 04. November 2010 05:36

Re: My Xampp Installation Got Hacked Twice

Postby JonB » 04. November 2010 19:51

aside from any other comment -

The reason you got hacked is you failed to secure your installation before you decided to summarily turn on port-forwarding or eanble a Server DMZ.
As to why standalone Apache wasn't hacked - There isn't anything TO hack on Apache - other than possible disfiguring a web page. Now if you had installed MySQL and phpMyAdmin and integrated them, the result would proaobly have been the same.

Before you start with XAMPP again (turn off port forwarding on your router) SECURE XAMMP!
There's a built in Page to secure the basic XAMMP - be SURE to check the tickboxes.

http://localhost/security/

and

http://localhost/security/xamppsecurity.php

As for the password - Here's an FAQ' on how to reset the MySQL root password. (I'm guessing that is the password you are referring to)
http://bravo.newnetenterprises.com/word ... age_id=254

Now, would you stick your hand blindly into a running car's engine compartment? (prolly better if you don't answer).

For now, until you learn a bit about security - Don't run XAMPP with router port-forwarding OR DMZ on.

As for XAMPP - all Apache versions come from the exact same core source code from the Apache Software Foundation, so they are almost exactly the same in how they work (other than Operating System differences) - but they can be configured differently. The only current problem with XAMPP is your failure to READ their FAQ's:

The philosophy
The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.
The default configuration is not good from a securtiy point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment.

All friendly and accurate advice gievn freely and it is all My Flippin' Opinion :mrgreen:
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: My Xampp Installation Got Hacked Twice

Postby Hackknot » 06. November 2010 04:52

@HolyDuFF
You aren't the first XAMPP user to be hacked, nor will you be the last. As JonB said, if you don't RTFM and secure your server, that's what happens with XAMPP. And it happens way too often.

@jonB
I think you are making a lot of false assumptions about the people who are installing XAMPP. I'll bet next weeks paycheck that HolyDuFF didn't 'turn on port-forwarding' or 'enable a Server DMZ'. I suspect (s)he doesn't have a clue what that means, or how to do it. I would even go so far as to say that a significant number (let's say 30%?) of people who download and install XAMPP don't know what a DMZ is. Many just download, install..click, futz...tweak..there it works....I'm connected to the internet...that was easy. Oh crap...then I got hacked :cry:

The philosophy
The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.
The default configuration is not good from a securtiy point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment.

Problem is, saying please just isn't working. People are exposing XAMPP servers to the internet, using default security options. That is a fact.
Out of the box, the defaults for XAMPP are insecure and not suitable for production. You know that. I know that. The documentation says that. And people keep deploying XAMPP with open, Googleable PhPMyAdmin, Webalizer and XAMPP pages. And hackers keep browsing to PhPMyAdmin and running 'select 'badstuff' into outfile 'c:\\xampp\\phpMyAdmin\\nastygram.php'. And then they ownz the site. With admin privs. If the site isn't behind an appropriate firewall, it's trivial to then grant RDP access to the machine. Then you really ownz it, and the entire network it's connected to. That's a bad thing. And it's XAMPP that is making it just a bit too easy.

It's all well and good to tell the site owners that get hacked that it's their fault. What did you expect when you 'turned on port-forwarding' and 'enable a Server DMZ'? Didn't you RTFM? Didn't you check the tickboxes on the security page?

But it's a predictable failure. And it keeps failing.

Using just Google, you can turn up a few vulnerable XAMPP sites with open PhPMyAdmin pages, every week. Week after week. Year after year. That's what predictable failure means...it keeps happening over and over and over again. And JonB will keep saying it's your fault, it's your fault, it's your fault.

It's time to stop blaming the user. XAMPP users don't get hacked because they are stupid. XAMPP users get hacked because the default install options are stupid. Security has to be an opt-out option, not an opt-in option. It's 2010. *AMP* servers are a commodity item. They need to be secure by default. Otherwise you have a predicable failure. I have a rather long list of vulnerable XAMPP sites that prove that the prediction is right. Would you like me to publish it?
Hackknot
 
Posts: 1
Joined: 06. November 2010 03:52

Re: My Xampp Installation Got Hacked Twice

Postby JonB » 06. November 2010 15:57

A - Number ONE - I didn't develop XAMMP so if you have a problem with the philosophy behind it OR WAMP (same idea) then vent on the developers. I merely answer questions for free, based on my 25+ years of being a systems engineer and developer. My answers are accurate and timely, and if I am unsure of the fact or its a 'best guess' - I'll say that right in the post. ANY questions on that????

OK, now - let me respond to this part -

I'll bet next weeks paycheck that HolyDuFF didn't 'turn on port-forwarding' or 'enable a Server DMZ'.


Please tell me how XAMPP installed on any machine that is attached to the internet by a router - that does not have port-forwarding or DMZ enabled can be hacked. Part of the function of a router is to prevent unwanted inbound trafifc, if you install the default XAMMP and you have a router - there IS no way for the inbound HTTP request to be routed to the XAMPP server on the LAN.

There IS one way a default XAMMP install can be hacked - you have to have a NIC that goes right onto the internet (for instance via a DSL Modem) AND no router AND it must have its firewall turned off or an active exception chosen for XAMPP. Please comment on users that run like that???

In each case the user must actively chose to expose the HTTP server.

There's no other way to expose the server, if there is-- please educate me. I don't think you want to bet that paycheck you just talked about. I'm waiting for the explanation Hackknot.

Now lets talk about the HACKING side - MySQL is the hacking problem - and GUESS WHAT - every installation of MySQL starts with an UNSECURED root. I guess you better ring up ORACLE and vent on them. You could write a routine to cause it (after installation) to set the root PW - but it would be a known default wouldn't it? (or so complicated these same users wouldn't understand).

http://books.google.com/books?id=jwlZLb ... &q&f=false

FINALLY - In the default XAMMP Installation - anyone who is NOT on your local network can't access either the phpMyAdmin, XAMMP folder or other places you can hack due to the "XAMMP Security Concept" which uses a regex to parse the HTTP request's 'Location' - and then allows only NON-ROUTABLE (reserved for LAN traffic) IP's. Again the user HAS to disable that for anyone to be able to access any of the URL segments listed; they either have to ADD domains. host names or IP's to the Allow list, OR they have to remove that part of the Apache configuration.

That should suffice for a response.

BTW - since you are apparently an expert - why don't you start answering questions for folks or try writing a guide - like I did???
read this - The Basics Of XAMMP Security
http://bravo.newnetenterprises.com/word ... age_id=387

:shock:
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: My Xampp Installation Got Hacked Twice

Postby bryanboova » 29. November 2010 01:19

John,

You're the man. This guide page is a tremendous help.
bryanboova
 
Posts: 1
Joined: 29. November 2010 01:08


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 54 guests