Apache Friends Support Forum

[Tyree]

I've been using XAMPP for years to play with website development and never had much issue. But, I have XAMPP installed on a computer in my office for a local intranet site (it can also be accessed from outside by employees).
Anyway, in the last couple weeks our internet bandwidth took a nose dive, and after some investigation, we found that the computer with XAMPP installed was flooding with tons of packets on various UDP ports (to the tune of approx. 100,000 every 20-30 seconds!). If we kill the httpd process (stop the apache server), then the UDP traffic stops. So, obviously there is something hacking or exploiting my server.

Has anyone else seen this before? How did you go about fixing it?

Thanks!
Matt

[Tyree]

OKay...I think I caught most of that. Short answer: format and reinstall. Nice.

How does one go about getting something like this on their machine? I've heard the terms before, I'm just ignorant of all the meanings and effects.

What did you mean by Xampp is uncertainly?

Thanks

[Altrea]

XAMPP is insecure by default and should not be used for production environments.
Never let the XAMPP components listen to internet requests without to know how you can harden them effectly.

[Tyree]

Understood....thanks!

[Sharley]

I've been using XAMPP for years to play with website development and never had much issue. But, I have XAMPP installed on a computer in my office for a local intranet site (it can also be accessed from outside by employees).
Anyway, in the last couple weeks our internet bandwidth took a nose dive, and after some investigation, we found that the computer with XAMPP installed was flooding with tons of packets on various UDP ports (to the tune of approx. 100,000 every 20-30 seconds!). If we kill the httpd process (stop the apache server), then the UDP traffic stops. So, obviously there is something hacking or exploiting my server.

Has anyone else seen this before? How did you go about fixing it?

Thanks!
Matt

I hope my post is not too late - before taking the drastic measure of format reinstall you can first look in the \xampp\apache\logs\access.log file and ascertain where this bot has planted it's files.

Usually you will find multiple files in the insecure webdav folder where there should be only 2 files.

If you format and install again without securing the webdav folder then it will happen again as it is now a well know exploit for XAMPP that has gone viral.

viewtopic.php?f=16&t=44140
viewtopic.php?p=172808#p172808

Securing this folder will go along way to preventing this type of exploit but as mentioned above a search of the Internet using windows apache hardening may give you some interesting reading.

BTW which version of XAMPP are you using?

Best wishes.

[Tyree]

Thanks very much for the info! I hadn't formatted yet. But it was on my list!

I will do some reading about this and see if I can get it locked down.

Is this a vulnerability of all apache servers, or just xampp?

I'm not sure which version I have installed. I'm not at the office to check it. it would have been the current version as of about 6 months ago.

I have the ability to use a microsoft iis server instead of xampp. I just don't like the php support on iis. It's too clunky and hard to configure. (not that I'm any sort of pro with apache).

Thanks again....you went a long way toward curing my ignorance!

[Tyree]

I hope my post is not too late - before taking the drastic measure of format reinstall you can first look in the \xampp\apache\logs\access.log file and ascertain where this bot has planted it's files.

Usually you will find multiple files in the insecure webdav folder where there should be only 2 files.

If you format and install again without securing the webdav folder then it will happen again as it is now a well know exploit for XAMPP that has gone viral.

viewtopic.php?f=16&t=44140
viewtopic.php?p=172808#p172808

Securing this folder will go along way to preventing this type of exploit but as mentioned above a search of the Internet using windows apache hardening may give you some interesting reading.

BTW which version of XAMPP are you using?

Best wishes.

Okay, I have deleted the hacker's files, renamed the webdav folder, AND commented the webdav include out of httpd.conf as suggested in the threads you linked to. The server is now running and I see no signs of the UDP attack in wireshark.

Are there any other safeguards I should take?

Oh, and my XAMPP install was 1.7.3.

Thanks!

[iamme]

I've been using XAMPP for years to play with website development and never had much issue. But, I have XAMPP installed on a computer in my office for a local intranet site (it can also be accessed from outside by employees).
Anyway, in the last couple weeks our internet bandwidth took a nose dive, and after some investigation, we found that the computer with XAMPP installed was flooding with tons of packets on various UDP ports (to the tune of approx. 100,000 every 20-30 seconds!). If we kill the httpd process (stop the apache server), then the UDP traffic stops. So, obviously there is something hacking or exploiting my server.

Has anyone else seen this before? How did you go about fixing it?

Thanks!
Matt

I hope my post is not too late - before taking the drastic measure of format reinstall you can first look in the \xampp\apache\logs\access.log file and ascertain where this bot has planted it's files.

Usually you will find multiple files in the insecure webdav folder where there should be only 2 files.

If you format and install again without securing the webdav folder then it will happen again as it is now a well know exploit for XAMPP that has gone viral.

viewtopic.php?f=16&t=44140
viewtopic.php?p=172808#p172808

Securing this folder will go along way to preventing this type of exploit but as mentioned above a search of the Internet using windows apache hardening may give you some interesting reading.

BTW which version of XAMPP are you using?

Best wishes.

Using a default username and password isn't an exploit... how many times do I need to say it.

[Tyree]

Actually, it is an exploit. It's an exploitation of the fact that the user hasn't changed the default password. An exploit doesn't have to be a hack. It's a point of entry or a programmatic flaw left undefended. So, this would, in fact, be the definition of an exploit.

[iamme]

No, it's an exploitation of stupidity. It isn't the softwares fault that You don't change the default set credentials. This won't be fixed and never will unless they stop setting default passwords.

[Tyree]

Get a dictionary and look up the word, "exploit," genius. There's also a difference between ignorance and stupidity. Look that up too.
And, who said it was the software's fault?

If you don't have anything helpful or knowledgeable to add to a conversation, just do everyone a favor and keep your opinions to yourself.
You probably have to say things more than once because no one wants to listen to your condescending arrogance.

[iamme]

Here's something useful.
Change your default webdav password.
Default usernames and passwords aren't an exploit by the common definition.

[Tyree]

Well, that's already been covered over a week ago and it's already done. Without the attitude, by some very helpful people. It's all part of the learning process. Now I know....see? I will never install XAMPP again with the webdav folder insecure. Ignorance has a cure.

[iamme]

You know a User can be added and Remote desktop enabled all through webdav yes?
Do you have a copy of any files the hacker uploaded?

[Sharley]

You know a User can be added and Remote desktop enabled all through webdav yes?

This topic may be a good read especially about what a remote connector in webdav can and can't do with regard to changing or creating a new user/pass combination:
viewtopic.php?f=16&t=38897

Do you have a copy of any files the hacker uploaded?

For what reasons are you requesting this information?

Others who have posted requests and even pointed out where this information is available have had their posts deleted for obvious XAMPP security issues for others who may no be so aware.

BTW, in version 1.7.4 and later versions this webdav exploitation of the default user/pass to insert or in any way shape or form hijack the server for devious reasons, is now closed and so should be this topic.