Friday, January 28, 2011

XAMPP WebDAV Vulnerability

This vulnerability basically WebDav can be access like ftp server if you know the username & Password. since Xampp places the default username & password the user doesn't restrict the access to xampp directory after the xampp installtion attackers can places their files & execute remotely. they can use your PC to DDoS their targets.


Quite a strange my machine generating 80Mbps traffic towards one of the host.
as usual i searched through process explore (sysinternal ) for any unwanted process + tcp connection, Nothing suspicious.But Anti-Virus logs points out http.exe trying to access IRC ports http.exe is xammp apache server process.

1/21/2011 10:02:23 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 173.192.66.130:6666
1/21/2011 10:35:45 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6668
1/21/2011 10:37:04 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6666
1/21/2011 10:39:36 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 74.53.201.162:6668

so i was suspicious over the xampp and started to google around vulnerability for Xampp and found xampp webdav has default password , anybody can access it and place files in the folder it. through that they can access whole server content.
Next step the apache logs ,
Access log points that too ( watch the PUT) :


50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "GET /webdav/ HTTP/1.1" 200 313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:36 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:52 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3958 "-" "WEBDAV Client"

3 files placed by the attackers leaf.php,servconfig.php, x32.php ( no idea what is leaf.php anybody have any idea ? here i've attached the php files. :

01/22/2011 03:03 AM 1,107 leaf.php
01/21/2011 08:56 PM 3,775 servconfig.php
12/20/2009 12:00 AM 277 webdav.txt
01/18/2011 02:02 PM 1,975 x32.php

rar file .
http://hotfile.com/dl/100076218/c618307/webdav.rar.html

x32.php gives basic interface where you can place host & time duration for the attack. Sample attack request : This may be vary depend on the php /active content the attacker places.

"91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:51 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:13:48 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
"

workaround:
Change the default username and password on the webdav folder that placed by the xampp
X:/xampp/security/webdav.htpasswd

Delete the webdev folder / search google XAMPP WebDAV vulnerability.

4 comments:

Ben said...

I just found your blog, and I've subscribed!

I had a look at your leaf.php question, and here's the source from it.

http://pastebin.com/qXhsKj26

It's a heavily encrypted DoS script.

Emmanuel Arul Gobinath said...

Thanks Ben, now only i checked the functions placed around the string :) .
gzinflate , str_rot13 ,base64_decode
so basically they have compressed , rot13 encryption , base64 encoding .

Ben said...

Yes, they had encrypted it using those 3 methods.

But repeatedly, if you looked inside, you'd see more functions compressing yet more information, untill eventually you'll hit the code I pasted above!

Anonymous said...

Stealthbooter.com
is the culprit. They have been hacking servers and using them to DDoS. They also rent out "access" to their server so anybody can DDoS.