You aren't the first XAMPP user to be hacked, nor will you be the last. As JonB said, if you don't RTFM and secure your server, that's what happens with XAMPP. And it happens way too often.
I think you are making a lot of false assumptions about the people who are installing XAMPP. I'll bet next week's paycheck that HolyDuFF didn't 'turn on port-forwarding' or 'enable a Server DMZ'. I suspect (s)he doesn't have a clue what that means, or how to do it. I would even go so far as to say that a significant number (let's say 30%?) of people who download and install XAMPP don't know what a DMZ is. Many just download, install...click, futz...tweak...there it works...I'm connected to the internet...that was easy. Oh crap...then I got hacked.
"The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on. The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment."
Problem is, saying please just isn't working. People are exposing XAMPP servers to the internet, using default security options. That is a fact.
Out of the box, the defaults for XAMPP are insecure and not suitable for production. You know that. I know that. The documentation says that. And people keep deploying XAMPP with open, Googleable phpMyAdmin, Webalizer and XAMPP pages. And hackers keep browsing to phpMyAdmin and running 'select 'badstuff' into outfile 'c:\\xampp\\phpMyAdmin\\nastygram.php'. And then they ownz the site. With admin privs. If the site isn't behind an appropriate firewall, it's trivial to then grant RDP access to the machine. Then you really ownz it, and the entire network it's connected to. That's a bad thing.
And it's XAMPP that is making it just a bit too easy.
It's all well and good to tell the site owners that get hacked that it's their fault. What did you expect when you 'turned on port-forwarding' and 'enabled a Server DMZ'? Didn't you RTFM? Didn't you check the tickboxes on the security page?
But it's a predictable failure. And it keeps failing.
Using just Google, you can turn up a few vulnerable XAMPP sites with open phpMyAdmin pages, every week. Week after week. Year after year. That's what predictable failure means...it keeps happening over and over and over again. And JonB will keep saying it's your fault, it's your fault, it's your fault.
It's time to stop blaming the user. XAMPP users don't get hacked because they are stupid. XAMPP users get hacked because the default install options are stupid. Security has to be an opt-out option, not an opt-in option. It's 2010. *AMP* servers are a commodity item. They need to be secure by default. Otherwise you have a predictable failure. I have a rather long list of vulnerable XAMPP sites that prove that the prediction is right. Would you like me to publish it?
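One way to close the doors the post describes, shown as an added example that is neither XAMPP's shipped configuration nor part of the post: the Apache directives below answer the admin pages only to requests from the server itself, next to the permissive form they replace. The install path C:/xampp and the Apache 2.2 access-control syntax (current in 2010) are assumptions; on Apache 2.4 the equivalent is "Require local".

```apache
# --- Before: the permissive shape the post complains about. ---
# phpMyAdmin is reachable from any address, so anyone who finds the
# host with a search engine can open it and run SQL as the DB user.
# (commented out so this file can be dropped in as-is)
#
# Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
# <Directory "C:/xampp/phpMyAdmin">
#     Order allow,deny
#     Allow from all
# </Directory>

# --- After: serve the admin tools to loopback only. ---
# Path and Apache 2.2 directive syntax are assumptions for a c:\xampp
# install; a remote browser now receives 403 instead of the login page.
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

# Same treatment for the other pages the post lists as Googleable
# (the /xampp status pages, Webalizer, and the XAMPP security page).
<LocationMatch "^/(xampp|webalizer|security)(/|$)">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</LocationMatch>
```

This only removes the remote path to phpMyAdmin; the MySQL root account still needs a password, and pointing MySQL's secure-file-priv at a directory Apache does not serve stops the INTO OUTFILE write into the web root even for an authenticated session.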