Xampp backdoor! All my passwords Stolen and my PC Cracked!

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Xampp backdoor! All my passwords Stolen and my PC Cracked!

Postby zordon01 » 02. May 2017 18:34

All my passwords Stolen and my PC Cracked! :x Thanks to the Xampp developers the abc.php, mod_info.so, mod_status.so backdoor!
The first problems
LoadModule info_module modules/mod_info.so
LoadModule status_module modules/mod_status.so
http://site/server-info
Show hackers my sensitive information.Like all the installed folders.
This morning in server logs:
http://server//phpmyadmin/abc.php?
In logs i see someone searching in my private files my passwords,private documents,. This function integrated in the xampp 7.1.1. My server was cracked! I wana say thank this great backdoor security for the developpers. The probleme everyone can crack this servers. This module give all users in the browser to search and download all files in the server and other patritions all over in PC. :shock: :lol:
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Altrea » 02. May 2017 19:17

Altrea wrote:These are the basic rules how to ask for support correctly and efficiently

Scope of support

Evaluate if your topic is in scope of support of our board. We don't want to provide...
  • ...support via personal communication channels like PM, email, Skype, TeamViewer, etc.
    One advantage of community support boards is that every user can participate in issues and solutions of other users. To make this possible every information relating to this issue needs to be accessible for the other users (which is not the case for personal communication channels).
    If you think that some from a helper requested information contains sensitive data (like personal data you don't want to share with the world), ask if you can send this part of the information via PM and mask this data in your post.
  • ...support for third party applications like WordPress, Joomla!, phpBB, Skype, etc.
    There are several hundred of thounsand of these applications out there, all of them with their own requirements, characteristics and issues.
    The developers of these applications are knowing their own software best and commonly provide their own support channels where you can get proper support relating to this specific product.
  • ...support for live, production or public accessible environments.
    XAMPP is not configurated for such environments (default passwords, many activated and probably unnecessary modules, not tweaked for performance, scalability, stability or security). This board does have several entrys about hacked XAMPP installations because of using unprotected XAMPP installations in not supported environments. XAMPP don't want to fit every possible use case and there are other (also free) alternatives for such environments.
  • ...enterprise or commercial oriented support.
    You and/or your company earns money for what you are doing. If you don't have the knowledge to solve XAMPP problems on your own, spend a part of your money to hire an expert or pay an it freelancer to solve such problems. We all need jobs and money to live and in a company or commercial oriented environments there are much more things to consider like legal requirements or network security. Every action can contain a financial risk so even answeres on simple questions have to be analysed if they fit all the rules the environment requires. This cannot be achieved in two sentences of a forum post.


Reference: [INFO] How to not fail getting help here

Lesson learnd the hard way :lol:
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Nobbie » 02. May 2017 20:11

zordon01 wrote:All my passwords Stolen and my PC Cracked! :x Thanks to the Xampp developers the abc.php, mod_info.so, mod_status.so backdoor!


Thx to your own stupidness and lazyness - a fool with a tool remains a fool.

zordon01 wrote:My server was cracked! I wana say thank this great backdoor security for the developpers. The probleme everyone can crack this servers.


Yes!! Exactly what is described in the very basic readme. Thats what happens if you ignore readmes....

See Altreas posting for more information, you did everything wrong what one can do wrong. Now you learned it the hard way, exactly what you deserved.
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 02. May 2017 20:17

I downloaded this version in the original official page!
https://www.apachefriends.org/hu/download.html
The problem are more than a bug! The program defaultly allowed all visitors to browse and download all my documents with a simple browser! This is caused by an integrated function. Not just the server but other partitions. They get the PHP Admin password and get another documents from another patritions.This is not an optional option its defaultly in the program.The other problem this is hidden and specialy from avarage users!Defaultly with this funktion the server works like a backdoor from everybody who know this adress!
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Nobbie » 02. May 2017 20:20

zordon01 wrote:I downloaded this version in the original official page!
https://www.apachefriends.org/hu/download.html


Yes of course. And the official page states, that this package is NOT(!) MEANT(!) FOR ONLINE servers, but only for your private development. Everything else is caused by your IGNORANCE!
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby gsmith » 02. May 2017 20:31

Not excusing the OP here but,

http://www.apachefriends.org
What is XAMPP?
XAMPP is the most popular PHP development environment

XAMPP is a completely free, easy to install Apache distribution containing MariaDB, PHP, and Perl. The XAMPP open source package has been set up to be incredibly easy to install and to use.

I have to say it would be helpful if it also stated "NOT FOR LIVE PRODUCTION SERVERS ON THE WEB." I've seen this stated somewhere deeper (probably what Altrea quoted) but putting it right out front where no one can miss it would be extremely helpful. Not after-the-fact which is what that statement in the form rules is.

More problematic than that I've seen many tutorials and how-to's that suggest Xampp. The large majority say nothing about this not being for a live server. While that's not Xampp's fault, it would be prudent to make it impossible to miss when they come here following some other idiots shabby advice.

Some folks just don't know the difference between Development and Production. Web developers are not server administrators in more cases than not. This is your user base, get used to it and do what you can to prevent it. If that was plastered on the front page you have done your due diligence and those that ignore it can then be berated, called stupid idiots, morons, whatever you wish.
gsmith
 
Posts: 278
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby nemo_nemo » 02. May 2017 20:54

I am very curious about this. Did you make sure to change all default passwords and security holes like described in this page?

https://www.quora.com/Is-XAMPP-used-for-life-production-And-Why
nemo_nemo
 
Posts: 1
Joined: 02. May 2017 20:51
XAMPP version: 7.1.1
Operating System: Windows 7

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Nobbie » 02. May 2017 21:06

gsmith wrote:I have to say it would be helpful if it also stated "NOT FOR LIVE PRODUCTION SERVERS ON THE WEB."


I definately agree. But "someone" has to tell that to Bitnami, unfortunately none of them reads in this forum.
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby Altrea » 02. May 2017 21:32

zordon01 wrote:The program defaultly allowed all visitors to browse and download all my documents with a simple browser!

I see that the server-info and server-status special pages can be accessible from outside because the new security concept is no longer part of xampp (i don't know why).
But i don't see how someone could be able to access any private folder or file on your local computer. Can you prove that or give more information about how this was happened on your pc?
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby gsmith » 02. May 2017 21:35

Nobbie wrote:I definately agree. But "someone" has to tell that to Bitnami, unfortunately none of them reads in this forum.

I just did, not that it won't just end up in /dev/null. I can at least hope not.
gsmith
 
Posts: 278
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby gsmith » 02. May 2017 21:44

Altrea wrote:I see that the server-info and server-status special pages can be accessible from outside because the new security concept is no longer part of xampp (i don't know why).
But i don't see how someone could be able to access any folder or file on your local computer. Can you prove that or give more information about how this was happened on your pc?

If what keeps unauthorized peeps out of those pages is failing elsewhere, like phpmyadmin, game over with the default passwords.
gsmith
 
Posts: 278
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 02. May 2017 22:12

The probleme here wehen its connect the internet everyone can acces your files. This is a huge mistake, or intentional backdoor. Does not matter your run a private what connet in internet or public web server. I consider such a function to be outrageous "free comjuter hack for everybody".The function is HIDDEN in the program. It's a big unwanted surprise! It's defaultly active, and nothing warns him. Its does not care the seted up PHP admin password funkcion. The funktion are not in the dashboard,or PHP admin page, its not public. The forums,help center,faq and another toturials does not talked before anything like this.

This was the link:
http://server name/phpmyadmin/abc.php?

The cracking started with:
http://server name/server-info
http://server name/server-status
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby zordon01 » 02. May 2017 22:20

All cracked folders start with this link: http://server name/phpmyadmin/abc.php?(and the folders)
The PHP admin was password protected!
zordon01
 
Posts: 9
Joined: 02. May 2017 18:29
XAMPP version: 7.1.1
Operating System: windows

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby danielo » 02. May 2017 22:26

We already mention that it is not production ready, in the FAQ: https://www.apachefriends.org/faq_linux.html
XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.

Here a list of missing security in XAMPP:

The MySQL administrator (root) has no password.
The MySQL daemon is accessible via network.
ProFTPD uses the password "lampp" for user "daemon".
PhpMyAdmin is accessible via network.
Examples are accessible via network.


I think it is pretty clear. I do not know how we can make it even clearer or more secure defaults that do not interfere with development/ease of use
danielo
 
Posts: 8
Joined: 24. October 2011 09:45
Operating System: Linux

Re: Xampp backdoor! All my passwords Stolen and my PC Cracke

Postby gsmith » 02. May 2017 22:36

danielo wrote:I think it is pretty clear. I do not know how we can make it even clearer or more secure defaults that do not interfere with development/ease of use


You don't have to. But burring this in the faq is not enough, most often that is read after the fact. If there's one thing I've learned following this forum over the years, people don't go out of their way to read. Hence all the post about something not working and asking how to fix, posting the very part of the message they get that tells them to check the logs and windoze event viewer, and they don't even read that part of the error message.

Just put it where I suggested. You've done your duty!
gsmith
 
Posts: 278
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16

Next

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 129 guests