Hello,
I am running xampp 1.7.7, and I believe I have just acquired some sort of virus/worm through Apache.
After many months of reliability, Apache started to drop out pretty regularly (5-10 times per day) requiring a restart each time.
In the error.log file, I found tens of thousands of entries like this:
[Thu Feb 14 15:35:25 2013] [error] [client 5.135.153.51] script 'C:/xampp/htdocs/lol.php' not found or unable to stat
These are coming from two IP addresses(both from an ISP in France) and they have been occurring over the last few days. At certain times of day, these requests are coming in about 10 per second. The error.log file has grown to over 220 Mb, with 99% of that being these types of entries just from the past few days.
I found the following unknown files in the xampp/htdocs/ dir (which I have not put there myself) : lol.php, 121.php, fun.php, in2.php, and Holys.exe
I am not an expert on viruses by any means, but the contents of lol.php appears to be a script that searches out other computers to infect. I can post the files themselves if anyone is interested.
I have removed those files, but I am still receiving thousands of requests to access the lol.php file at several points throughout the day.
I have tried google search, but have uncovered nothing relevant to this problem.
Any help would be greatly appreciated!
Thank you.
New Apache Virus?
2 posts
• Page 1 of 1
New Apache Virus?
by begreen » 15. February 2013 20:44
- begreen
- Posts: 1
- Joined: 15. February 2013 20:23
- Operating System: Windows XP SP3
Re: New Apache Virus?
by JonB » 18. February 2013 18:08
Well this might be one of the reasons we suggest you not use XAMPP for production purposes...
Your server was not properly secured 'obviously' - if those files found their way onto your server.
The reason for all the requests is there are still links on the internet to either your IP address or your Domain + the 'dir' name + filename.
You should (for starters) contact the abuse desk of the ISP.
You can use Google to search for inbound links (they would be in the form of "your IP address or your Domain + the 'dir' name + filename"
BTW - those aren't viruses themselves - they are attack vectors (although that is semantics) Its all 'malware'.
Good Luck
ysf
Your server was not properly secured 'obviously' - if those files found their way onto your server.
The reason for all the requests is there are still links on the internet to either your IP address or your Domain + the 'dir' name + filename.
You should (for starters) contact the abuse desk of the ISP.
You can use Google to search for inbound links (they would be in the form of "your IP address or your Domain + the 'dir' name + filename"
BTW - those aren't viruses themselves - they are attack vectors (although that is semantics) Its all 'malware'.
Good Luck
ysf
JonB - The Server Geek 
Check out The Excruciatingly Correct Guide for XAMPP 'Quick Guides' and FAQ's
Check out The Excruciatingly Correct Guide for XAMPP 'Quick Guides' and FAQ's-
JonB - AF Moderator
- Posts: 3210
- Joined: 12. April 2010 16:41
- Location: Land of the Blazing Sun
- Operating System: Windows XP/7 - Fedora 15 1.7.7
2 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 131 guests