XAMPP WebDAV Vulnerability

The vulnerability is simple: WebDAV can be accessed like an FTP server if you know the username and password. XAMPP ships its WebDAV share with a default username and password, and most users never restrict access to the XAMPP directory after installation, so attackers can place their own files on the server and execute them remotely. In this case they used my PC to DDoS their targets.


Quite strange: my machine was generating 80Mbps of traffic towards one host.
As usual I went through Process Explorer (Sysinternals) looking for any unwanted process or TCP connection. Nothing suspicious. But the anti-virus logs pointed at httpd.exe trying to reach IRC ports, and httpd.exe is the XAMPP Apache server process:

1/21/2011 10:02:23 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 173.192.66.130:6666
1/21/2011 10:35:45 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6668
1/21/2011 10:37:04 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6666
1/21/2011 10:39:36 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 74.53.201.162:6668

So I became suspicious of XAMPP, started googling for XAMPP vulnerabilities, and found that the XAMPP WebDAV share has a default password: anybody can log in and place files in the folder, and since that folder is served by Apache with PHP enabled, a file placed there gives them control of the whole server.
Next step: the Apache logs.
The access log confirms it (watch the 401 followed by the PROPFIND authenticated as "wampp", and then the PUT):


50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "GET /webdav/ HTTP/1.1" 200 313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:36 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:52 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3958 "-" "WEBDAV Client"

Three files were placed by the attackers: leaf.php, servconfig.php and x32.php (the info.php in the log above was uploaded, fetched once and deleted again). I have no idea what leaf.php does; anybody have any idea? Here I've attached the PHP files:

01/22/2011 03:03 AM 1,107 leaf.php
01/21/2011 08:56 PM 3,775 servconfig.php
12/20/2009 12:00 AM 277 webdav.txt
01/18/2011 02:02 PM 1,975 x32.php

rar file .
http://hotfile.com/dl/100076218/c618307/webdav.rar.html

x32.php gives a basic interface where the attacker enters the target host and the duration of the attack. Sample attack requests (these vary depending on the PHP / active content the attacker places):

91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:51 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:13:48 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
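
To make the log review above repeatable, here is a small triage script I'm adding as an example (it is not part of the original post or the attacker's files). It walks an Apache "combined" access log once and reports the authenticated WebDAV writes under /webdav/, which uploaded files are still present (a PUT with no later DELETE), which scripts were executed from the share, and the host/port/time parameters carried by x32.php-style trigger requests. The embedded log lines are copied from this post; the list of script extensions and write methods is my own choice.

```python
"""Triage an Apache access log for the XAMPP WebDAV abuse pattern.

Added example, not code from the original post. Flags authenticated WebDAV
writes, files left on the share, scripts executed from the share, and the
DDoS targets named in x32.php-style trigger requests.
"""
import re
from urllib.parse import parse_qs

# combined format: host ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}
SCRIPT_EXT = (".php", ".php3", ".phtml", ".pl", ".cgi", ".asp", ".aspx", ".jsp")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def triage(log_text, dav_prefix="/webdav/"):
    """Single pass over the log; returns writes, live_files, executions, dos_targets, accounts."""
    writes, live, executions, targets = [], {}, [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(dav_prefix):
            continue
        if rec["method"] in WRITE_METHODS and 200 <= rec["status"] < 300:
            writes.append((rec["ip"], rec["user"], rec["method"], rec["path"]))
            if rec["method"] == "PUT":
                live[rec["path"]] = rec["ip"]          # file now exists on the share
            elif rec["method"] == "DELETE":
                live.pop(rec["path"], None)            # attacker cleaned up after himself
        elif rec["method"] in ("GET", "POST") and rec["status"] == 200 \
                and rec["path"].lower().endswith(SCRIPT_EXT):
            # a DAV share should serve files, never execute them
            executions.append((rec["ip"], rec["path"], rec["query"]))
            q = parse_qs(rec["query"])
            if "host" in q:                            # x32.php?act=...&host=...&time=...&port=...
                targets.append({"attacker": rec["ip"], "script": rec["path"],
                                "host": q["host"][0],
                                "port": q.get("port", [None])[0],
                                "seconds": q.get("time", [None])[0]})
    return {"writes": writes, "live_files": live, "executions": executions,
            "dos_targets": targets,
            "accounts": sorted({w[1] for w in writes if w[1] != "-"})}


# Log lines copied from the post (upload on 18 Jan, trigger requests on 27 Jan).
ACCESS_LOG = """\
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "GET /webdav/ HTTP/1.1" 200 313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"
91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:51 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:13:48 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
"""

if __name__ == "__main__":
    r = triage(ACCESS_LOG)
    for ip, user, method, path in r["writes"]:
        print(f"WRITE {method:<7}{path:<26} as {user} from {ip}")
    print("uploaded files still present:", ", ".join(r["live_files"]))
    for t in r["dos_targets"]:
        print(f"DDoS  {t['attacker']} -> {t['host']}:{t['port']} for {t['seconds']}s via {t['script']}")
```

Run against the real access.log (`triage(open(path).read())`) the "accounts" entry is the quickest tell: on a box where nobody uses WebDAV, any successful write authenticated as wampp is an intrusion, and "live_files" lists what to pull off disk for analysis before deleting.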

Workaround:
Change the default username and password in the WebDAV credential file that XAMPP installs:
X:/xampp/security/webdav.htpasswd

Or delete the webdav folder altogether if you don't use it. Search Google for "XAMPP WebDAV vulnerability" for more details.
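
Changing the password is only useful if the default account is really gone, so here is an audit script I'm adding as an example (not from the original post) that checks a webdav.htpasswd for the "wampp" account seen in the access log and for guessable passwords. The post gives only the file path and that account name; the realm string, the candidate password list and the sample file contents below are my assumptions, constructed for the example. It handles both htpasswd lines (user:hash) and htdigest lines (user:realm:md5hex), because Apache Dav setups use either Basic or Digest authentication.

```python
"""Audit an Apache htpasswd/htdigest file for default or guessable WebDAV credentials.

Added example, not from the original post. Assumptions: the account name
"wampp" (from the access log), the realm string and the candidate default
passwords below; the SAMPLE file is constructed, not a real XAMPP file.
"""
import base64
import hashlib

DEFAULT_USER = "wampp"                                           # seen authenticating in the log
CANDIDATE_PASSWORDS = ["xampp", "wampp", "admin", "password"]    # assumed defaults to test
HEX = set("0123456789abcdef")


def ha1(user, realm, password):
    """HA1 as htdigest stores it: hex md5("user:realm:password") (RFC 2617)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def sha_entry(password):
    """Hash field written by `htpasswd -s`: {SHA} + base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def classify(secret):
    if secret.startswith("$apr1$"):
        return "apr1-md5"
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if secret.startswith("{SHA}"):
        return "sha1"
    if len(secret) == 32 and set(secret.lower()) <= HEX:
        return "digest-ha1"
    return "plaintext-or-unknown"


def audit(text, candidates=CANDIDATE_PASSWORDS):
    """Return [(lineno, user, [problems])]; an empty problem list means the entry looks acceptable."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == 2:                      # htpasswd: user:hash
            user, realm, secret = parts[0], None, parts[1]
        elif len(parts) == 3:                    # htdigest: user:realm:HA1
            user, realm, secret = parts
        else:
            findings.append((lineno, None, ["unparseable line"]))
            continue
        scheme = classify(secret)
        problems = []
        if user == DEFAULT_USER:
            problems.append("default XAMPP account name still present")
        if scheme == "plaintext-or-unknown":
            problems.append("secret is not a recognised hash")
        for pw in candidates:
            # Digest HA1 is MD5 by protocol, so a guessable password is the only thing we can test for;
            # apr1/bcrypt entries are not checked here (salted, slow), only the weak schemes are.
            hit = (scheme == "digest-ha1" and realm is not None and ha1(user, realm, pw) == secret) \
                or (scheme == "sha1" and sha_entry(pw) == secret)
            if hit:
                problems.append(f"password is the guessable '{pw}'")
        if scheme == "sha1":
            problems.append("unsalted SHA1; re-create the entry with `htpasswd -B` (bcrypt)")
        findings.append((lineno, user, problems))
    return findings


# Constructed sample: a default-style digest entry, a weak {SHA} entry and a bcrypt entry
# (the bcrypt string is a placeholder of the right shape, not a real hash).
SAMPLE = f"""\
# webdav.htpasswd
wampp:XAMPP with WebDAV:{ha1('wampp', 'XAMPP with WebDAV', 'xampp')}
backup:{sha_entry('xampp')}
ops:$2y$05$placeholderplaceholderplaceholderplaceholderplaceholder
"""

if __name__ == "__main__":
    for lineno, user, problems in audit(SAMPLE):
        print(f"{'BAD' if problems else 'OK '} line {lineno} user={user}: {'; '.join(problems) or 'no findings'}")
```

Point it at the real file with `audit(open(r"X:/xampp/security/webdav.htpasswd").read())`; the only acceptable outcome is that no line mentions wampp and no line is flagged.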

Comments

Ben Poulson said…
I just found your blog, and I've subscribed!

I had a look at your leaf.php question, and here's the source from it.

http://pastebin.com/qXhsKj26

It's a heavily encrypted DoS script.
Thanks Ben, only now have I checked the functions placed around the string :)
gzinflate, str_rot13, base64_decode
So basically they have compression, rot13 encryption and base64 encoding.
Ben Poulson said…
Yes, they had encrypted it using those 3 methods.

But repeatedly, if you looked inside, you'd see more functions compressing yet more information, until eventually you'll hit the code I pasted above!
Anonymous said…
Stealthbooter.com
is the culprit. They have been hacking servers and using them to DDoS. They also rent out "access" to their server so anybody can DDoS.
