Server Under Attack? UDP packet flooding. [SOLVED]


Postby Tyree » 02. April 2011 15:10

I've been using XAMPP for years to play with website development and never had much issue. But, I have XAMPP installed on a computer in my office for a local intranet site (it can also be accessed from outside by employees).
Anyway, in the last couple weeks our internet bandwidth took a nose dive, and after some investigation, we found that the computer with XAMPP installed was flooding with tons of packets on various UDP ports (to the tune of approx. 100,000 every 20-30 seconds!). If we kill the httpd process (stop the apache server), then the UDP traffic stops. So, obviously there is something hacking or exploiting my server.

Has anyone else seen this before? How did you go about fixing it?

Thanks!
Matt
Last edited by Tyree on 12. April 2011 11:32, edited 1 time in total.
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 02. April 2011 18:32

Okay... I think I caught most of that. Short answer: format and reinstall. Nice.

How does one go about getting something like this on their machine? I've heard the terms before, I'm just ignorant of all the meanings and effects.

What did you mean by Xampp is uncertainly?

Thanks
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby Altrea » 02. April 2011 18:40

XAMPP is insecure by default and should not be used for production environments.
Never let the XAMPP components listen to internet requests without knowing how to harden them effectively.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 8293
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 02. April 2011 18:59

Understood....thanks!
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby Sharley » 03. April 2011 03:44

Tyree wrote:I've been using XAMPP for years to play with website development and never had much issue. But, I have XAMPP installed on a computer in my office for a local intranet site (it can also be accessed from outside by employees).
Anyway, in the last couple weeks our internet bandwidth took a nose dive, and after some investigation, we found that the computer with XAMPP installed was flooding with tons of packets on various UDP ports (to the tune of approx. 100,000 every 20-30 seconds!). If we kill the httpd process (stop the apache server), then the UDP traffic stops. So, obviously there is something hacking or exploiting my server.

Has anyone else seen this before? How did you go about fixing it?

Thanks!
Matt

I hope my post is not too late - before taking the drastic measure of format reinstall you can first look in the \xampp\apache\logs\access.log file and ascertain where this bot has planted its files.

Usually you will find multiple files in the insecure webdav folder where there should be only 2 files.

If you format and install again without securing the webdav folder then it will happen again as it is now a well-known exploit for XAMPP that has gone viral.

viewtopic.php?f=16&t=44140
viewtopic.php?p=172808#p172808

Securing this folder will go a long way to preventing this type of exploit but as mentioned above a search of the Internet using windows apache hardening may give you some interesting reading.

BTW which version of XAMPP are you using?

Best wishes.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
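
The access.log check Sharley describes above can be scripted. The following is an added example, not part of the original thread or of XAMPP: it lists files written through WebDAV and any later requests for them. It assumes Apache's common/combined log format and that the webdav folder is served under the URL prefix /webdav/; the sample log lines, addresses and file names are constructed.

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WebDAV methods that create or change content on the server.
# Note: the target of MOVE/COPY is sent in a header and is not in the log line.
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}

# Constructed sample lines (documentation-range addresses, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Mar/2011:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - davuser [28/Mar/2011:03:15:01 +0000] "PUT /webdav/example-upload.php HTTP/1.1" 201 -',
    '198.51.100.7 - - [28/Mar/2011:03:15:09 +0000] "GET /webdav/example-upload.php HTTP/1.1" 200 31',
    '203.0.113.5 - - [28/Mar/2011:03:16:00 +0000] "PUT /webdav/blocked.php HTTP/1.1" 401 401',
    '192.0.2.10 - - [28/Mar/2011:03:17:00 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 900',
]

def find_planted_files(lines, dav_prefix="/webdav/"):
    """Return {path: {"writes": [...], "later_hits": [...]}} for files written via WebDAV."""
    planted = defaultdict(lambda: {"writes": [], "later_hits": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        # Drop the query string; lowercase because Windows paths are case-insensitive.
        path = m["path"].split("?", 1)[0].lower()
        if not path.startswith(dav_prefix):
            continue
        succeeded = m["status"].startswith("2")
        event = (m["time"], m["host"], m["user"], m["method"], m["status"])
        if m["method"] in WRITE_METHODS and succeeded:
            planted[path]["writes"].append(event)
        elif path in planted and succeeded:
            # A file that was written earlier is now being requested.
            planted[path]["later_hits"].append(event)
    return dict(planted)

if __name__ == "__main__":
    for path, info in find_planted_files(SAMPLE_LOG).items():
        print(path, "writes:", info["writes"], "later hits:", info["later_hits"])
```

To run it against a real log, pass the lines of \xampp\apache\logs\access.log instead of SAMPLE_LOG; every path it reports is a candidate for comparison against what should be in the webdav folder.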

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 03. April 2011 12:00

Thanks very much for the info! I hadn't formatted yet. But it was on my list!

I will do some reading about this and see if I can get it locked down.

Is this a vulnerability of all Apache servers, or just XAMPP?

I'm not sure which version I have installed. I'm not at the office to check it. It would have been the current version as of about 6 months ago.

I have the ability to use a Microsoft IIS server instead of XAMPP. I just don't like the PHP support on IIS. It's too clunky and hard to configure. (not that I'm any sort of pro with Apache).

Thanks again....you went a long way toward curing my ignorance! :)
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 03. April 2011 13:31

Sharley wrote:I hope my post is not too late - before taking the drastic measure of format reinstall you can first look in the \xampp\apache\logs\access.log file and ascertain where this bot has planted its files.

Usually you will find multiple files in the insecure webdav folder where there should be only 2 files.

If you format and install again without securing the webdav folder then it will happen again as it is now a well-known exploit for XAMPP that has gone viral.

viewtopic.php?f=16&t=44140
viewtopic.php?p=172808#p172808

Securing this folder will go a long way to preventing this type of exploit but as mentioned above a search of the Internet using windows apache hardening may give you some interesting reading.

BTW which version of XAMPP are you using?

Best wishes.

Okay, I have deleted the hacker's files, renamed the webdav folder, AND commented the webdav include out of httpd.conf as suggested in the threads you linked to. The server is now running and I see no signs of the UDP attack in wireshark.

Are there any other safeguards I should take?

Oh, and my XAMPP install was 1.7.3.

Thanks!
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby iamme » 11. April 2011 16:42

Sharley wrote:
Tyree wrote:I've been using XAMPP for years to play with website development and never had much issue. But, I have XAMPP installed on a computer in my office for a local intranet site (it can also be accessed from outside by employees).
Anyway, in the last couple weeks our internet bandwidth took a nose dive, and after some investigation, we found that the computer with XAMPP installed was flooding with tons of packets on various UDP ports (to the tune of approx. 100,000 every 20-30 seconds!). If we kill the httpd process (stop the apache server), then the UDP traffic stops. So, obviously there is something hacking or exploiting my server.

Has anyone else seen this before? How did you go about fixing it?

Thanks!
Matt

I hope my post is not too late - before taking the drastic measure of format reinstall you can first look in the \xampp\apache\logs\access.log file and ascertain where this bot has planted its files.

Usually you will find multiple files in the insecure webdav folder where there should be only 2 files.

If you format and install again without securing the webdav folder then it will happen again as it is now a well-known exploit for XAMPP that has gone viral.

viewtopic.php?f=16&t=44140
viewtopic.php?p=172808#p172808

Securing this folder will go a long way to preventing this type of exploit but as mentioned above a search of the Internet using windows apache hardening may give you some interesting reading.

BTW which version of XAMPP are you using?

Best wishes.

Using a default username and password isn't an exploit... how many times do I need to say it.
iamme
 
Posts: 5
Joined: 11. April 2011 16:35

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 11. April 2011 17:19

Actually, it is an exploit. It's an exploitation of the fact that the user hasn't changed the default password. An exploit doesn't have to be a hack. It's a point of entry or a programmatic flaw left undefended. So, this would, in fact, be the definition of an exploit.
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby iamme » 11. April 2011 23:25

No, it's an exploitation of stupidity. It isn't the software's fault that you don't change the default set credentials. This won't be fixed and never will unless they stop setting default passwords.
iamme
 
Posts: 5
Joined: 11. April 2011 16:35

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 12. April 2011 00:17

Get a dictionary and look up the word, "exploit," genius. There's also a difference between ignorance and stupidity. Look that up too.
And, who said it was the software's fault?

If you don't have anything helpful or knowledgeable to add to a conversation, just do everyone a favor and keep your opinions to yourself.
You probably have to say things more than once because no one wants to listen to your condescending arrogance.
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby iamme » 12. April 2011 00:24

Here's something useful.
Change your default webdav password. :P
Default usernames and passwords aren't an exploit by the common definition.
iamme
 
Posts: 5
Joined: 11. April 2011 16:35

Re: Server Under Attack? UDP packet flooding.

Postby Tyree » 12. April 2011 00:35

Well, that's already been covered over a week ago and it's already done. Without the attitude, by some very helpful people. It's all part of the learning process. Now I know....see? I will never install XAMPP again with the webdav folder insecure. Ignorance has a cure.
Tyree
 
Posts: 27
Joined: 10. September 2009 03:02

Re: Server Under Attack? UDP packet flooding.

Postby iamme » 12. April 2011 03:16

You know a user can be added and Remote Desktop enabled all through webdav, yes?
Do you have a copy of any files the hacker uploaded?
iamme
 
Posts: 5
Joined: 11. April 2011 16:35

Re: Server Under Attack? UDP packet flooding.

Postby Sharley » 12. April 2011 06:54

iamme wrote:You know a user can be added and Remote Desktop enabled all through webdav, yes?

This topic may be a good read especially about what a remote connector in webdav can and can't do with regard to changing or creating a new user/pass combination:
viewtopic.php?f=16&t=38897

iamme wrote:Do you have a copy of any files the hacker uploaded?

For what reasons are you requesting this information?

Others who have posted requests and even pointed out where this information is available have had their posts deleted for obvious XAMPP security issues for others who may not be so aware.

BTW, in version 1.7.4 and later versions this webdav exploitation of the default user/pass to insert or in any way shape or form hijack the server for devious reasons, is now closed and so should be this topic.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
