Webdav Bug.


Postby Gollenz » 07. January 2011 00:33

Someone hacked my site and installed a script that was using my server as a zombie for UDP attacks.
Scripts were installed in the "webdav" folder, and I deleted it and stopped the attacks.
I was wondering if anyone knows how to fix this bug, or else block the "webdav" folder.

Thanks.
Gollenz
 
Posts: 3
Joined: 07. January 2011 00:24

Re: Webdav Bug.

Postby JonB » 07. January 2011 00:47

Read Izzy's comments in this post -

viewtopic.php?f=16&t=38897

Good luck
:)
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: Webdav Bug.

Postby Sharley » 07. January 2011 01:17

Good forum search find Jon :) - it really does pay to always search the forums before posting for the first time.

Gollenz wrote: I was wondering if anyone knows to fix this bug
You might like to report this security bug here:
http://bugs.xampp.org/my_view_page.php

Reporting it and explaining that the default XAMPP settings for webdav are now a security issue which has now gone wild on the Internet - many more exploits will surely follow.

This may have the effect of bringing it to the attention of the developers, if they don't already know and also in helping others in the future who may not even know they can get hacked in this way.

Thanks and good luck.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Webdav Bug.

Postby Gollenz » 07. January 2011 01:25

I could not. =(
I do not know exactly what role the "webdav" folder has.
What is its utility within the site?
Does anyone know how to block it?

Thanks.
Gollenz
 
Posts: 3
Joined: 07. January 2011 00:24

Re: Webdav Bug.

Postby Sharley » 07. January 2011 01:55

If you are not using WebDAV then simply delete the \xampp\webdav folder.

This exploit is now becoming popular with script kiddies and reporting it along with following the above may go a long way to stamping out this issue.

What is webdav

Hope this helps with this security hole issue.

Good luck and best wishes.
Last edited by Sharley on 20. January 2011 06:48, edited 1 time in total.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Webdav Bug.

Postby lmeurs » 19. January 2011 14:39

Hi,

The same happened to me today. A slow internet connection got my attention, since I just connected the XAMPP server to the internet I turned it off immediately. The connection speed was back to normal. Through the logs I found out that someone had been calling scripts in the webdav folder. Since I never had heard of webdav I compared the folder to a backup of the folder and found out that the exploit had added these scripts (pm me and I will mail you the scripts):

- xammp/webdav/cpass.php
- xammp/webdav/hxampp.php
- xammp/webdav/sxampp.php
- xammp/webdav/uxampp.php
- xammp/webdav/sip.php

But also:

- xammp/security/webdav.htpasswd

The logs told me that:

- hxampp.php, sxampp.php and uxampp.php have only been uploaded
- cpass.php has been uploaded and only called once
- sip.php has been called many times

Exploring the scripts taught me:

- cpass.php has created the webdav.htpasswd file
- sip.php has searched a lot of IP subnets for servers with:
* 'Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14' or
* 'Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12'

This only happened for 5 minutes, then I disconnected the webserver from WAN calls. Afterwards I protected my server from this exploit by renaming the folders:

- htdocs (I use another folder for my webroot),
- security (I do not use SSL on my local machine) and
- webdav (I do not use webdav).

I also commented all the webdav directives in httpd.conf as well.

DOES ANYONE KNOW IF ANY MORE (REAL) HARM HAS BEEN DONE? Norton is deep scanning my pc, so far so good!
lmeurs
 
Posts: 1
Joined: 19. January 2011 14:22
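
The log review described in the post above (which files were only uploaded into the webdav folder and which were then called) can be repeated with a short script. This is an added example, not part of any post in the thread: the log lines are constructed, and the function names and the `/webdav/` URL prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache common log format (not taken from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jan/2011:13:58:01 +0100] "PUT /webdav/hxampp.php HTTP/1.1" 201 -
198.51.100.7 - - [19/Jan/2011:13:58:02 +0100] "PUT /webdav/cpass.php HTTP/1.1" 201 -
198.51.100.7 - - [19/Jan/2011:13:58:03 +0100] "PUT /webdav/sip.php HTTP/1.1" 201 -
203.0.113.9 - - [19/Jan/2011:13:58:04 +0100] "PUT /webdav/other.php HTTP/1.1" 401 401
198.51.100.7 - - [19/Jan/2011:13:58:10 +0100] "GET /webdav/cpass.php HTTP/1.1" 200 12
198.51.100.7 - - [19/Jan/2011:13:59:00 +0100] "GET /WebDAV/sip.php?r=1 HTTP/1.1" 200 5
198.51.100.7 - - [19/Jan/2011:13:59:30 +0100] "GET /webdav/sip.php?r=2 HTTP/1.1" 200 5
192.0.2.44 - - [19/Jan/2011:14:00:00 +0100] "GET /index.php HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3})\b')
DAV_WRITE = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}

def webdav_activity(log_text, prefix="/webdav/"):
    """Map each path under prefix to DAV write methods, source IPs and call count."""
    files = defaultdict(lambda: {"methods": set(), "sources": set(), "calls": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, status = m.groups()
        # Windows file systems are case-insensitive, so normalise before comparing.
        path = url.split("?", 1)[0].lower()
        if not path.startswith(prefix) or not status.startswith("2"):
            continue  # outside the DAV folder, or the request was refused
        if method in DAV_WRITE:
            files[path]["methods"].add(method)
            files[path]["sources"].add(ip)
        elif method in ("GET", "POST") and path.endswith(".php"):
            files[path]["calls"] += 1
    return dict(files)

def report(files):
    """One line per file: whether an upload was logged and how often it was called."""
    out = []
    for path, info in sorted(files.items()):
        state = "uploaded" if "PUT" in info["methods"] else "upload not in log"
        out.append(f"{path}: {state}, called {info['calls']}x")
    return out

if __name__ == "__main__":
    print("\n".join(report(webdav_activity(SAMPLE_LOG))))
```

To run it against a real server, pass the contents of the Apache access log to `webdav_activity` instead of `SAMPLE_LOG`.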

Re: Webdav Bug.

Postby Sharley » 20. January 2011 03:28

For even more counter measures read this topic:
viewtopic.php?f=16&t=44140
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
