[SOLVED] httpd.exe maxing internet connection...

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby Zanato » 08. April 2011 22:08

About a week ago my broadband started giving trouble and tonight I've finally tracked the problem down to httpd.exe.

I spent a lot of time on the phone today to my provider who insisted the problem was not their end. So I installed a traffic counter (http://www.codeheadz.com) to see if I could record a log of when the connection was dropping. I immediately noticed that when the connection was 'dropping' what was actually happening was that my upload was maxing (codeheadz reported an upload of 11.5Mb/s even though I only have a 4Mb/s line) and I had no download traffic.

It seemed completely sporadic. Max upload for 3 mins then work fine for 5 mins, max for 1 min then normal for 2 mins, and so on...

So I started turning off processes and BINGO! httpd.exe is the culprit or at least terminating httpd.exe has solved the problem.

Obviously though, I need to be able to run httpd so need to find the root of the problem.

Anyone any ideas what I should do next?
Last edited by Zanato on 09. April 2011 11:00, edited 1 time in total.
Zanato
 
Posts: 2
Joined: 08. April 2011 21:46

Re: httpd.exe maxing internet connection...

Postby Sharley » 09. April 2011 01:51

I take it you are using XAMPP and if so check your webdav folder for a well known exploit that has now gone viral.

Check by reading the Apache access.log file that will give clues and IP addresses of suspect connections to and from the server.

See if any of these posts in the XAMPP for Windows English forums help if it is webdav folder related and I must say the symptoms seem to indicate your server is now a zombie.

viewtopic.php?p=172808#p172808
viewtopic.php?p=172246#p172246

If not webdav or XAMPP related look for a rootkit exploit using the httpd.exe Apache server.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
XAMPP Version: 5.6.3
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: httpd.exe maxing internet connection...

Postby Zanato » 09. April 2011 10:45

Thank you for your reply Ms. Sharley.

I am using XAMPP 1.7.3. I'm a noob but I'm learning fast.

My webdav folder looks like this... :(
Image

So yea, I've been hacked.

I've renamed the folder and modified httpd-dav.conf as per your instructions... viewtopic.php?p=172246#p172246

What's really annoying me is that I thought it was a problem with my ISP who I was on hold to for 30 mins before getting a reply like "no! everything is fine our end. As we look at your logs we see you have not been getting disconnects." Surely the guy looking at my logs should have seen that there was a DOS attack going out over my line?

Anyway, thanks again for your help Ms. Sharley. I'm off now to read more about XAMPP security.
Zanato
 
Posts: 2
Joined: 08. April 2011 21:46

Re: httpd.exe maxing internet connection...

Postby Sharley » 09. April 2011 11:00

That is a very good outcome with another zombie squished.

Your ISP may not have seen what you see now as the hackers were using a well-known webdav port - if they even looked that closely at their logs - but anyway it would, without very close scrutiny, only have appeared as normal heavy traffic emanating from a web server using webdav on one of their nodes.

BTW you can delete all the files and folders in the webdav folder except for the index.html file and the webdav.txt file which are the default files from installation, just in case. ;)

All's well for now, try to keep your eye on the access log frequently and you will spot unusual activity - you can delete the content of the access.log file and the error.log file when Apache is stopped to prevent them from growing too large to read effectively, as you can't do anything with them while Apache is running and it only takes a few seconds to achieve a clean log file.

Good luck and best wishes and I hope you don't have any more security issues come your way anytime soon.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
XAMPP Version: 5.6.3
Operating System: Win 7 Pro 32bit/XP Pro SP3
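
The access.log check recommended in the replies above can be scripted. The following is an added example, not part of any post in this thread: it scans Apache access.log lines for WebDAV write requests and for files served from the webdav folder other than the two default files named above. It assumes the common/combined log format and a `/webdav` URL prefix; the sample lines, IP addresses and file names are constructed.

```python
import re
from collections import defaultdict

# Apache common/combined prefix: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# WebDAV methods that create or change content on the server
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH", "LOCK"}
# Default content of the webdav folder as named in the thread
DEFAULT_FILES = {"/webdav", "/webdav/", "/webdav/index.html", "/webdav/webdav.txt"}

def scan(lines, dav_prefix="/webdav"):
    """Return {client_ip: [(time, method, path, status, reason), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common/combined format line
        # Compare case-insensitively (Windows file system), ignore query string
        path = m["path"].split("?", 1)[0].lower()
        if not (path == dav_prefix or path.startswith(dav_prefix + "/")):
            continue
        ok = 200 <= int(m["status"]) < 300
        if m["method"] in WRITE_METHODS:
            reason = "successful WebDAV write" if ok else "WebDAV write attempt"
        elif ok and path not in DEFAULT_FILES:
            reason = "request served for non-default file"
        else:
            continue
        findings[m["ip"]].append(
            (m["time"], m["method"], m["path"], int(m["status"]), reason))
    return dict(findings)

# Constructed sample lines (documentation IP ranges, invented file names)
SAMPLE = [
    '192.0.2.10 - - [08/Apr/2011:21:00:01 +0100] "GET /xampp/index.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [08/Apr/2011:21:02:10 +0100] "PUT /webdav/constructed-file.bin HTTP/1.1" 201 -',
    '203.0.113.7 - - [08/Apr/2011:21:02:15 +0100] "GET /webdav/constructed-file.bin HTTP/1.1" 200 512',
    '198.51.100.23 - - [08/Apr/2011:21:05:40 +0100] "MKCOL /webdav/newdir HTTP/1.1" 401 401',
    '192.0.2.10 - - [08/Apr/2011:21:06:00 +0100] "GET /webdav/index.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE).items():
        print(ip)
        for hit in hits:
            print("   ", *hit)
```

To run it against a real log, pass the open file object to `scan()` in place of `SAMPLE`.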

