Xampp backdoor! All my passwords Stolen and my PC Cracked!

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby gsmith » 02. May 2017 22:39

zordon01 wrote:This was the link:
http://server name/phpmyadmin/abc.php?


And that is where it most likely started. The others leak info no doubt, but they just added a roadmap.
gsmith
 
Posts: 211
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Altrea » 02. May 2017 22:40

zordon01 wrote:All cracked folders start with this link: http://server name/phpmyadmin/abc.php?(and the folders)
The PHP admin was password protected!

The phpmyadmin Alias is protected by default configuration.
You can only access it from localhost. You cannot grab any files from there.

httpd-xampp.conf line 90ff
Code: Select all
    Alias /phpmyadmin "E:/XAMPP Versionen/7.1.1/xampp/phpMyAdmin/"
    <Directory "E:/XAMPP Versionen/7.1.1/xampp/phpMyAdmin">
        AllowOverride AuthConfig
        Require local
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
    </Directory>
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8848
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 02. May 2017 23:58

The PHP admin was password protected.Later the mod_info.so, mod_status.so was disabled.It was a home server.Nobody can acces with it directly to go from the pc.The server was in my room.I found links and a white abc.php file in the php admin folder the link looks like this.
/phpmyadmin/abc.php?act=ls&d=E%3A%5CDokumentums&sort=0a
when i opened this link /phpmyadmin/abc.php?

On browser its give me a folder with search options.If its not part of the program someone upload this file tourgh the internet in the phpmyadmin folder.This search funktion worked with drives and folders and files too.The xampp log logged someone opens mine files.The xampp was in drive G but the attacker acessed drive E too.In this page was a download funktion.In the apache log was full with this link what included all my private folders and files.All links goes tourgh the abc.php? file.I think someone somhow upload this file tourgh the internet from xampp.I used comodo firewall and nothig else was allowed only the Xampp.I think its was a bug in the software what can allow this from attackers.The server runs tourgh a proxy and the server adress was 127.0.0.1 its was a hidden service tourgh Tor.The IP adress was 127.0.0.1

#LoadModule info_module modules/mod_info.so
#LoadModule status_module modules/mod_status.so

disable

And all cache modules was enable nothing else changed.Allowed adress on Apache httpd.config 127.0.0.1:80

Two Xampp function was runned the Apache and MSQL with Admin rights.Nothing else.Os win 7
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Nobbie » 03. May 2017 09:54

zordon01 wrote:I think someone somhow upload this file tourgh the internet from xampp.


This is impossible if Xampp is connected to 127.0.0.1 (localhost) only, as it is suggested. Either you exposed Xampp to the internet (your fault), or it is NOT Xampp, but another tool which gives access to hackers. This might be (for example) an infected WordPress installation, WordPress is known for heavy infections via the plugins, i deleted WordPress from my server and decided not to use it anymore after i found out, how unsafe it is.

Anyway, its not Xampp and you are simply barking up the wrong tree.
Nobbie
 
Posts: 9569
Joined: 09. March 2008 13:04

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 03. May 2017 11:21

Its not impossibe.A original windows the drivers and the proxy was installed.127.0.0.1 connect to Tor Proxy.The hackers tried before many http link funktions.All attacks before came for http. The hackers before this happend trying to access through the server. They had been trying for a week before this unsuccessfully.But they get the server information the first attack from the http://site/server-info.The are a bug in the server what allow this.Nothing else allowed in the firewall only the server.The Tor and Xampp all downloaded from offical sites! Maybe its my mistake to nut runned the server in virtualbox. But I did not think that have a bug in the server what the whole machine could have access to it.I runned the server in a non system drive.They upload the file tourgh the server.And used the server tourgh the browser to search the files. 127.0.0.1 the tor proxy was only allowed and other IP adresses are blocked,the PHP admin was password protected. They try first get the server information (They have succeeded).One week before this they tried to crack continuously the server without visible result.Than they try cracked the PHP admin and the website.After the ninght i find this file in the abc.php admin folder.The hackers accessed tourgh the server.This is function like a file browser,i tried it.Its can search and download files.The hackers active tried http link tests before. This option in the panel have a fake description and its say this is a Xampp function. Its have a dark background and its looks like a website or a browser. Anyone who did it was not an amateur. It had the function search and download files and nothing else.And they can acessed not just the server patrition or folder but another patritions too. The C:/ system patrition somehow it can not acessed this program. But the non system patritions its searched without problems.The PHP admin was protected a 24 character strong password. The hacker searched after the crack the server options first.Than theare goo to another folders.All programs controlled with comodo firewall and i was sleep in my bed when its happend. This file was in the late night uploaded the hacker in the server.
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Nobbie » 03. May 2017 11:38

zordon01 wrote:Its not impossibe.


Blablablablbla

You are simply a troll and this is the last response here. *plonk*
Nobbie
 
Posts: 9569
Joined: 09. March 2008 13:04

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby danielo » 03. May 2017 12:17

You don't have to. But burring this in the faq is not enough, most often that is read after the fact. If there's one thing I've learned following this forum over the years, people don't go out of their way to read. Hence all the post about something not working and asking how to fix, posting the very part of the message they get that tells them to check the logs and windoze event viewer, and they don't even read that part of the error message.

Just put it where I suggested. You've done your duty!


Thank you. The problem is that a lot of people not even read that, they go directly to Sourceforge. We looked into it and here is what we found:

* phpMyAdmin is protected by default to be only accessed from localhost. If this was accessed by a remote attacker we are guessing it must be because the user actively changed it

* Similarly server-status and server-info were protected to only accessed by localhost on Linux, but we checked and they are accessible on Windows. We will fix access to those in a new release (working on having it for later today or tomorrow)

In addition to the above, we will include wording in the main section of the documentation for XAMPP, the fist page that everyone sees, hopefully more people will be aware of it.

Thanks everyone for all the feedback, it is hard to make these tradeoffs. In the past we removed all the PHP examples from XAMPP because they were a source of security issues, which caused some disagreement but turned overall to be a good decision. Hopefully we can fix this similarly with a clearer, more visible notice and making the defaults just listen to localhost
danielo
 
Posts: 8
Joined: 24. October 2011 09:45
Operating System: Linux

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Altrea » 03. May 2017 18:06

danielo wrote:Thank you. The problem is that a lot of people not even read that, they go directly to Sourceforge. We looked into it and here is what we found:

* phpMyAdmin is protected by default to be only accessed from localhost. If this was accessed by a remote attacker we are guessing it must be because the user actively changed it

* Similarly server-status and server-info were protected to only accessed by localhost on Linux, but we checked and they are accessible on Windows. We will fix access to those in a new release (working on having it for later today or tomorrow)

In addition to the above, we will include wording in the main section of the documentation for XAMPP, the fist page that everyone sees, hopefully more people will be aware of it.

Thanks everyone for all the feedback, it is hard to make these tradeoffs. In the past we removed all the PHP examples from XAMPP because they were a source of security issues, which caused some disagreement but turned overall to be a good decision. Hopefully we can fix this similarly with a clearer, more visible notice and making the defaults just listen to localhost

Thanks danielo.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8848
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby gsmith » 03. May 2017 23:11

I'll second that, thanks danielo
gsmith
 
Posts: 211
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Beltran » 04. May 2017 18:11

Hi!

We just released new versions of XAMPP with the following component updates:

5.6.30/ v7.0.16 / 7.1.2

Updated PHP to 5.6.30 / 7.0.16 / 7.1.2
Updated OpenSSL to 1.0.2k (for Linux and OS X)
Updated phpMyAdmin to 4.7.0

We also modified the security configuration of XAMPP for Windows and now the "server-status" and "server-info" aliases of Apache are only accessible via localhost and we improved the welcome page to clarify that XAMPP is meant only for development purposes.

Thanks again for your feedback!
User avatar
Beltran
Power-User
 
Posts: 131
Joined: 22. March 2013 12:29
Operating System: Windows, Linux, OS X

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 05. May 2017 08:28

What I find is a big problem,and this could have been avoided. First a simple warning better to run it in a isolated place like wmware,virtualbox others. I lerned a realy hard way its not ideal to run it the system patrition. And its possible to acces another patritions even if you install it a non system patrition.A simle trick the #LoadModule info_module modules/mod_info.so,#LoadModule status_module modules/mod_status.so default disable.And all another sensitive information what can defaultly accesed from the browser hidden for awarage users its will good to be defoultly hidden.All the attacks started with this the attacker acessed tourgh browser this sensitive informations and the program allowed all this. She tryed actively one week http commands what he can acces for.And if the user want this function she cant enable it.Another security tip the PHP admin panel.Its will be ideal defaultly disable to acces it tourgh the browser and the user can allow or dissalow this.No matter you connect tourgh localhost or another IP adress.I know its can be password protected but this can add extra security. What caused my problem.The attacker can somhow uploaded this abc.php file in the phpmyadmin folder. A simple folder and file write permission problem i think its can solve it.But almost nobody talk to it.This program need much more security than other programs which everyone is accustomed to.And need more security setups what the program gives you defoultly and the help center,faq,toturials talk it more than the other programs. The problem the attacker showed me this problems, and not in the faq,help center,forum alert me enough from this problems.First its started the http://site/server-info and server-status page and ended my cracked PC and stolen passwords documents.
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby JJ_Tagy » 05. May 2017 11:24

Yes, it could have been avoided. There are warnings everywhere. The forum is littered with warnings and lessons learned. Just because you don't read them doesn't mean that they aren't there. You chose to ignore them and now blame everyone/everything else besides yourself. Sometimes people have to learn the hard way.
JJ_Tagy
 
Posts: 723
Joined: 30. January 2012 13:44
Operating System: Windows 10 Pro x64

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Altrea » 05. May 2017 12:37

XAMPP is a development tool. Outputting debug info you normally cannot get that easy on live servers is part of the concept.

server-info and server-status can only give information that can help planning the next step of an attack. Wirhout other security issues this information on its own is not a big security issue. In 2012 many of the top 10000 websites had this information public accessible.

XAMPP itself does not make it happen that an external request is interpreted as it is requested from localhost. So you do have another program running that makes this happen. This can be Tor or openvpn portshare or squid webcaching or defined another server acting as reverse proxy on the same host. Or the request is send from a foreign webscript. That is the first part of the real security issue and that is not presented by xampp.

The second part of the real issue is the abc.php script. This is not part of the xampp download. Xampp itself does also not provide any file creation or file upload scripts which could be used to place that file. If i would guess this was caused by a security issue in a foreign script or plugin.

XAMPP is secure enough for the purposes it is made for.

Don't use XAMPP any longer, it is the wrong tool for you.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8848
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 05. May 2017 13:47

Yes i enable all the cache modules before this has happened.Before this happens the server run without problems about 2 monts. But this modules part of the the Xampp software but its disable defaultly.I enable all the cache modules a few days before this happened.Nothing else was installed Tor and Xampp.Lot of robot scanned my site.They get the public and non public links what can accessible from the browser.Im not used more extra softwares or downloaded extra modules. The firewall only allowed the server tourgh Tor and everything else blocked .The visitors are does not know or see the server real IP adress.The server and Tor connect together in 127.0.0.1 localhost.Only two port allowed to connect the server msql and port 80.And only two first functions runned in panel MSQL and Apache.
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 09. May 2017 16:13

I find this virus in the intenet what infect the xampp!This virus name was c99 shell! :!:

https://www.youtube.com/watch?v=cd1JLiRNMoY
https://github.com/tennc/webshell/tree/master/php/PHPshell/c99shell
https://webshell.co/

Here about some links.This was that,i find it.This was the abc.php file what infected the sever!

This was in the phpmyadmin folder!Only the hacker renamed it!
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Previous

Return to XAMPP for Windows

Who is online

Users browsing this forum: chuckluttor, Linomendez and 38 guests