Windows + XAMPP + NOOB + WEB = *cough*

Note: The initial IP and domain have been replaced by x.x.x.y in order to spare the shame and keep anybody from doing something stupid 😉

Today I ran a routine check on my Apache logs… the same as usual…

[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/mysqladmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/db
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/dbadmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/web
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpmyadmin2
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpmyadmin1
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpadmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/myadmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpMyAdmin-2.2.3
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpMyAdmin-2.5.6
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpMyAdmin-2.5.7-pl1

This goes on forever … big deal….

But the host was pretty aggressive, so I decided to take a closer look:

traceroute x.x.x.y

….

7 somebody.something.net (bla.bla.bla.bla) 18.017 ms 17.852 ms 17.231 ms
8 somedomain.de (x.x.x.y) 16.701 ms 16.391 ms 16.322 ms

So I take a look at somedomain.de and find this:

[Image: lol1.jpg]

Looks like someone's Windows Server was compromised, or so to say… owned.

Conclusion: Don't use XAMPP on the web. It may be superb for testing your stuff before sending it to the real world, but it is not meant to survive in hazardous environments, especially with Windows up your back…

The least you could do is make sure your web services aren’t running on blank or default passwords!
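As an added example (not part of the original post), here is a small Python script that automates the routine log check described above: it flags any client that requests many distinct non-existent paths within a short time window, which is what the error log excerpt shows. The IP addresses in the sample are constructed documentation-range values, and the function name and thresholds (`min_paths`, `window`) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Apache error-log lines quoted in the post.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
                     r"File does not exist: (?P<path>\S+)$")

# Constructed sample: documentation-range IPs, probe paths taken from the post.
SAMPLE_LOG = """\
[Mon Aug 20 07:36:43 2007] [error] [client 192.0.2.10] File does not exist: /var/www/mysqladmin
[Mon Aug 20 07:36:43 2007] [error] [client 192.0.2.10] File does not exist: /var/www/db
[Mon Aug 20 07:36:43 2007] [error] [client 192.0.2.10] File does not exist: /var/www/dbadmin
[Mon Aug 20 07:36:44 2007] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Mon Aug 20 07:36:44 2007] [error] [client 192.0.2.10] File does not exist: /var/www/phpmyadmin2
[Mon Aug 20 07:36:44 2007] [error] [client 192.0.2.10] File does not exist: /var/www/phpMyAdmin-2.5.6
[Mon Aug 20 09:10:02 2007] [error] [client 203.0.113.5] File does not exist: /var/www/robots.txt
[Mon Aug 20 13:45:30 2007] [error] [client 203.0.113.5] File does not exist: /var/www/old.html
"""

def find_scanners(lines, min_paths=5, window=timedelta(seconds=60)):
    """Map each client that hit >= min_paths distinct missing paths inside
    one sliding time window to the sorted list of paths it probed."""
    hits = defaultdict(list)              # ip -> [(timestamp, path), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # other errors, malformed lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits[m["ip"]].append((ts, m["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                # drop events older than the window
            if len({p for _, p in events[start:end + 1]}) >= min_paths:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} distinct missing paths, e.g. {paths[:3]}")
```

The occasional visitor with a single missing favicon, or a few misses spread over hours, stays below the threshold; only the burst is reported.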