Urgent: XAMPP Apache constantly being pinged


Postby Wolfy9247 » 18. January 2011 23:44

Code:
75.102.34.50 - - [18/Jan/2011:16:26:10 -0600] "GET /webdav/sip.php?&IP=89.202.184 HTTP/1.1" 200 146 "-" "Opera/9.21 (Windows NT 5.1; U; en)"


It seems I've been trying to have that IP access my domain recently, and it's been annoying as it'll just try over and over every second it has to access. I have to literally get onto the server and shut off Apache or else it's stuck at 100% CPU Usage whenever this is happening. I've tried contacting the source of the IP, but um, from what I've seen I can't get a hold of them so it's not much use there. Is there any way to block this IP from accessing ANY directory on my server? -- I've tried blocking from .htaccess, but that didn't seem to last long.

Thanks!
Wolfy9247
 
Posts: 3
Joined: 18. January 2011 23:39
Location: San Marcos, TX

Re: Urgent: XAMPP Apache constantly being pinged

Postby Sharley » 18. January 2011 23:48

Look in the \xampp\webdav folder - there should be only 2 files index.html and webdav.exe.

If you have more then you have been hacked.

If you are not using webdav then delete or rename the folder.

This should close the hole.

viewtopic.php?f=16&t=43824
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Urgent: XAMPP Apache constantly being pinged

Postby Wolfy9247 » 18. January 2011 23:54

Sharley wrote:Look in the \xampp\webdav folder - there should be only 2 files index.html and webdav.exe.

If you have more then you have been hacked.

If you are not using webdav then delete or rename the folder.

This should close the hole.

Index of xampp/webdav
cpass.php (1KB)
hxampp.php (1KB)
index.html (1KB)
sip.php (2KB)
sxampp.php (1KB)
uxampp.php (1KB)
webdav.txt (1KB)

I'll probably just remove the directory, as if I'm not using it, there's likely no use in it for my purposes. [s]May I ask if there's still any way to block this IP from accessing my IP at all?[/s]

I'll take a look at that post!

Thanks!
Wolfy9247
 
Posts: 3
Joined: 18. January 2011 23:39
Location: San Marcos, TX

Re: Urgent: XAMPP Apache constantly being pinged

Postby Sharley » 19. January 2011 00:06

Looks like you were hacked - the offender will go away once it is known that the webdav folder is gone.

You can deny access to this IP by creating a .htaccess file and placing (saving) it in the web root folder of your site.

Add entries like so:
Code:
deny from 75.102.34.50

If you want to block the range (CIDR) of IPs that this user can use then add the entry like so
Code:
deny from 75.102.34.0/24

Use http://centralops.net/co/DomainDossier.aspx to find out all about this IP and what the range of IPs are.

Use Google to find out about 'deny from' and .htaccess syntax.

Good luck, stay safe and best wishes.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Urgent: XAMPP Apache constantly being pinged

Postby Wolfy9247 » 19. January 2011 00:18

Sharley wrote:Looks like you were hacked - the offender will go away once it is known that the webdav folder is gone.

You can deny access to this IP by creating a .htaccess file and placing (saving) it in the web root folder of your site.

Add entries like so:
Code:
deny from 75.102.34.50

If you want to block the range (CIDR) of IPs that this user can use then add the entry like so
Code:
deny from 75.102.34.0/24

Use http://centralops.net/co/DomainDossier.aspx to find out all about this IP and what the range of IPs are.

Use Google to find out about 'deny from' and .htaccess syntax.

Good luck and best wishes.

I had already added the "deny from" the other day, but I didn't know about the range of IPs trick -- Thanks again!
Wolfy9247
 
Posts: 3
Joined: 18. January 2011 23:39
Location: San Marcos, TX

Re: Urgent: XAMPP Apache constantly being pinged

Postby peterwt » 19. January 2011 00:59

It would be interesting to see what had been uploaded to your webdav folder. It would be wise to look at the php files there as they will have been placed there by the hacker. It might show that a key logger or other trojan has been installed already.

To anyone else reading this then you should be aware that if you make apache open to the world the webdav is likely to be probed. It is installed by default with default user and default password, so either delete the webdav folder in xampp or change the webdav password.

Peter
peterwt
 
Posts: 42
Joined: 17. March 2009 11:06
Operating System: Windows 7 64 bit Professional

Re: Urgent: XAMPP Apache constantly being pinged

Postby Sharley » 19. January 2011 01:07

Peter, the OP did mention what files had been uploaded to the webdav folder and he quite rightly refrained from revealing their contents here, which will help to prevent the proliferation of this type of hack, at least emanating from this forum.

Also if you had followed the link in my first reply it would have revealed a method by which to change the password, conspicuously omitted from your reply, the changing of which is easier said than done.

Before replying in a topic, an advanced forum search to see what else has been posted about the particular topic may also be rewarding especially after reading all that had already been posted here and by following the posted links.


Another solution to this, that you missed in your reply, is the inclusion of the webdav folder to the list of folders already in the \xampp\apache\conf\extra\httpd-xampp.conf file under the New XAMPP security concept section, which would only permit local access with a 403 error to any other type of access.

Using a text editor, at the end of the LocationMatch list simply add |webdav - save the file and then restart Apache to have your edits recognized.


Here's more for advanced server administrators to peruse.
You can turn off webdav by editing the \xampp\apache\conf\extra\httpd-dav.conf file and changing this line to read
Code:
<Directory "/xampp/webdav">
    Dav OFF

Even to comment out this line in the httpd.conf file so it looks like this...
Code:
# Distributed authoring and versioning (WebDAV)
# Include "conf/extra/httpd-dav.conf"

...then Apache won't even know about webdav and if you also include the deleting of \xampp\security\webdav.htpasswd file then the folder becomes superfluous in the hack equation.

So the old idiom of "There's always more than one way to skin a cat" rings true once more in the case of closing the webdav hole:
http://www.worldwidewords.org/qa/qa-mor1.htm
http://idioms.thefreedictionary.com/The ... skin+a+cat


Finally, if some kind soul would create a bug report so that the developers can attend to this increasingly used security hole, so it is not On by default, then the less informed XAMPP users about the hardening of the Apache web server can only benefit and be kept a little more safe.

You can sign-up for a new account at the XAMPP bug tracker here...

http://bugs.xampp.org/my_view_page.php

...and if the issue has already been reported then you can add notes relative to your own webdav exploit experience or if you have more information that may assist the developers further their knowledge of this serious security hole.

There may already be hundreds if not thousands of webdav exploited XAMPP installations out there, acting as zombies, that users may not even be aware of.

Please stay safe and good luck to all our forum readers. :)
Last edited by Sharley on 20. January 2011 06:50, edited 1 time in total.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
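
The three configuration changes described in the post above can be checked mechanically. The following is an added example, not part of the original thread and not XAMPP's own tooling: `audit_webdav` is a hypothetical helper, the config snippets are constructed and shortened stand-ins for the real files, and the `local_only` result assumes the LocationMatch block keeps its shipped deny/allow rules.

```python
import re

def audit_webdav(httpd_conf, dav_conf, xampp_conf):
    """Report which of the three mitigations from the post are in place."""
    # 1. Is the Include for httpd-dav.conf still active (not commented out)?
    included = any(
        re.match(r'\s*Include\s+"?conf/extra/httpd-dav\.conf"?', ln, re.I)
        for ln in httpd_conf.splitlines()
    )
    # 2. Does httpd-dav.conf turn Dav on? Any value other than "Off" enables it.
    dav_on = any(
        m and m.group(1).lower() != "off"
        for m in (re.match(r'\s*Dav\s+(\S+)', ln, re.I)
                  for ln in dav_conf.splitlines())
    )
    # 3. Is webdav one of the names in a LocationMatch alternation list?
    local_only = any(
        "webdav" in re.split(r'[^a-z0-9_-]+', pat.lower())
        for pat in re.findall(r'<LocationMatch\s+"([^"]+)"', xampp_conf, re.I)
    )
    return {
        "dav_included": included,
        "dav_enabled": included and dav_on,
        "local_only": local_only,
        # DAV methods enabled and the folder reachable from non-local clients
        "exposed": included and dav_on and not local_only,
    }

# Constructed sample configs (shortened; not the real XAMPP files).
HTTPD_CONF = ('# Distributed authoring and versioning (WebDAV)\n'
              'Include "conf/extra/httpd-dav.conf"\n')
DAV_CONF = '<Directory "/xampp/webdav">\n    Dav On\n</Directory>\n'
XAMPP_CONF = ('<LocationMatch "^/(?i:(?:xampp|security|phpmyadmin))">\n'
              '    Order deny,allow\n    Deny from all\n'
              '    Allow from 127.0.0.1\n</LocationMatch>\n')

if __name__ == "__main__":
    print("default :", audit_webdav(HTTPD_CONF, DAV_CONF, XAMPP_CONF))
    hardened = XAMPP_CONF.replace("phpmyadmin))", "phpmyadmin|webdav))")
    print("hardened:", audit_webdav(HTTPD_CONF, DAV_CONF, hardened))
```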

Re: Urgent: XAMPP Apache constantly being pinged

Postby Sharley » 20. January 2011 03:21

So reading this topic and instigating the counter measures posted above to close this WebDAV weakness has now been made even more of an emergency requirement - everyone should check their \xampp\webdav folder and do it now!!!

Please don't post your WAN IP openly in these forums until this exploit has been extinguished as the Apache Friends Support Forum can now become an easy source for XAMPP users Internet IPs - if requested for an IP to help troubleshoot an issue then pass it via the forum's Personal Message (PM) feature only.

Stay safe.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Urgent: XAMPP Apache constantly being pinged

Postby SuperfineSumo » 08. April 2011 15:46

Thanks Sharley!

I have taken the above steps to secure my webserver after being infected. My question is regarding the files in my webdav folder. Is taking the precautionary measures above and deleting the files enough or have those files installed some sort of rootkit that I will have to continue worrying about?
SuperfineSumo
 
Posts: 2
Joined: 08. April 2011 15:40

Re: Urgent: XAMPP Apache constantly being pinged

Postby Sharley » 09. April 2011 01:24

@SuperfineSumo

As far as I can tell once you have deleted the files and secured the webdav folder then that should be the end of it.

However as in all things computer security related download an anti-rootkit utility, of which I am sure there will be many and some may even be freeware and/or portable apps., to give your system a good going over just to give you peace of mind.

Best wishes.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Urgent: XAMPP Apache constantly being pinged

Postby peterwt » 10. April 2011 13:25

SuperfineSumo - You should be aware that when the hacker gained access to your webdav directory, using the default user and password, files other than those you saw may have been uploaded. The hacker could have loaded scripts, executed them, and then deleted them. Files could also have been moved from webdav to other folders. So check other folders for scripts and run antivirus to look for viruses and trojans.

Peter
peterwt
 
Posts: 42
Joined: 17. March 2009 11:06
Operating System: Windows 7 64 bit Professional
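
Since uploaded files may already have been deleted or moved, the Apache access log is the more durable record of what was written to and requested from /webdav/. The following is an added example, not part of the original thread: `triage` is a hypothetical helper, the first sample line is the one quoted in the opening post, and the remaining lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the line quoted in the first post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Stock folder contents per the thread; counting webdav.txt (seen in the
# OP's listing) as stock is an assumption.
EXPECTED = {"index.html", "webdav.exe", "webdav.txt"}
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

def triage(lines):
    """Group /webdav/ writes and hits on non-stock files by client IP."""
    report = defaultdict(lambda: {"writes": [], "unexpected": defaultdict(int)})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().startswith("/webdav/"):
            continue
        # File name without the query string, e.g. "sip.php"
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if m["method"] in WRITE_METHODS:
            # WebDAV write: shows when, and from where, a file was changed
            report[m["ip"]]["writes"].append(
                (m["ts"], m["method"], name, m["status"]))
        elif name and name not in EXPECTED and m["status"].startswith("2"):
            # Successful request for a file that is not part of the stock folder
            report[m["ip"]]["unexpected"][name] += 1
    return report

# First line is from the thread; the rest are constructed (documentation IPs).
SAMPLE = [
    '75.102.34.50 - - [18/Jan/2011:16:26:10 -0600] "GET /webdav/sip.php?&IP=89.202.184 HTTP/1.1" 200 146 "-" "Opera/9.21 (Windows NT 5.1; U; en)"',
    '75.102.34.50 - - [18/Jan/2011:16:26:11 -0600] "GET /webdav/sip.php?&IP=89.202.184 HTTP/1.1" 200 146 "-" "Opera/9.21 (Windows NT 5.1; U; en)"',
    '203.0.113.7 - - [17/Jan/2011:03:12:44 -0600] "PUT /webdav/sip.php HTTP/1.1" 201 181 "-" "-"',
    '192.0.2.10 - - [18/Jan/2011:09:00:01 -0600] "GET /webdav/index.html HTTP/1.1" 200 313 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Jan/2011:09:00:05 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, e in triage(SAMPLE).items():
        print(ip, "writes:", e["writes"], "unexpected:", dict(e["unexpected"]))
```

Write entries give the time window in which to look for files created elsewhere on the server; an IP that only appears under "unexpected" was calling a script someone else had already uploaded.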

Re: Urgent: XAMPP Apache constantly being pinged

Postby SuperfineSumo » 11. April 2011 14:38

I have run a host of AV, malware, and anti-rootkit clients and have not found a thing. The server has not had a spike in mem usage or CPU Utilization since I found this forum and instituted the changes suggested. Currently, I'm hoping for the best. Thanks!
SuperfineSumo
 
Posts: 2
Joined: 08. April 2011 15:40

