Webdav Bug.

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Webdav Bug.

Postby Gollenz » 07. January 2011 00:33

Someone hacked my site, and installed a script that was using my server zombie attacks to UDP.
Scripts were installed in the "webdav" and I deleted it and stopped the attacks.
I was wondering if anyone knows to fix this bug, or else block the "webdav" folder.

Thanks.
Gollenz
 
Posts: 3
Joined: 07. January 2011 00:24

Re: Webdav Bug.

Postby JonB » 07. January 2011 00:47

Read Izzy's comments in this post -

viewtopic.php?f=16&t=38897

Good luck
:)
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: Webdav Bug.

Postby Sharley » 07. January 2011 01:17

Good forum search find Jon :) - it really does pay to always search the forums before posting for the first time.

Gollenz wrote:I was wondering if anyone knows to fix this bug
You might like to report this security bug here:
http://bugs.xampp.org/my_view_page.php

Reporting it and explaining that the default XAMPP settings for webdav are now a security issue which has now gone wild on the Internet - many more exploits will surely follow.

This may have the effect of bringing it to the attention of the developers, if they don't already know and also in helping others in the future who may not even know they can get hacked in this way.

Thanks and good luck.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Webdav Bug.

Postby Gollenz » 07. January 2011 01:25

I could not. =(
I do not know exactly what role the folder "webdav".
What is its utility within the site?
Does anyone know how to block it?

Thanks.
Gollenz
 
Posts: 3
Joined: 07. January 2011 00:24

Re: Webdav Bug.

Postby Sharley » 07. January 2011 01:55

If you are not using WebDAV then simply delete the \xampp\webdav folder.

This exploit is now becoming popular with script kiddies and reporting it along with following the above may go along way to stamping out this issue.

What is webdav

Hope this helps with this security hole issue.

Good luck and best wishes.
Last edited by Sharley on 20. January 2011 06:48, edited 1 time in total.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Webdav Bug.

Postby lmeurs » 19. January 2011 14:39

Hi,

The same happened to me today. A slow internet connection got my attention, since I just connected the XAMPP server to the internet I turned it off immediately. The connection speed was back to normal. Through the logs I found out that someone had been calling scripts in the webdav folder. Since I never had heard of webdav I compared the folder to a backup of the folder and found out that the exploit had added these scripts (pm me and I will mail you the scripts):

- xammp/webdav/cpass.php
- xammp/webdav/hxampp.php
- xammp/webdav/sxampp.php
- xammp/webdav/uxampp.php
- xammp/webdav/sip.php

But also:

- xammp/security/webdav.htpasswd

The logs told me that:

- hxampp.php, sxampp.php and uxampp.php only have been uploaded
- cpass.php has been uploaded and only called once
- sip.php has been called many times

Exploring the scripts learned me:

- cpass.php has created the webdav.htpasswd file
- sip.php has searched a lot of IP subnets for servers with:
* 'Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14' or
* 'Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12'

This only happened for 5 minutes, then I disconnected the webserver from WAN calls. Afterwards I prevented my server from this exploit by renaming the folders:

- htdocs (I use another folder for my webroot),
- security (I do not use SSL on my local machine) and
- webdav (I do not use webdav).

I also commented all the webdav directives in httpd.conf as well.

DOES ANYONE KNOW IF ANYMORE (REAL) HARM IS DONE? Norton is deep scanning my pc, so far so good!
lmeurs
 
Posts: 1
Joined: 19. January 2011 14:22

Re: Webdav Bug.

Postby Sharley » 20. January 2011 03:28

For even more counter measures read this topic:
viewtopic.php?f=16&t=44140
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 43 guests