logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: New Apache Virus?
Author
begreen



Joined: 15 Feb 2013
Posts: 1
Location: Colorado

PostPosted: Fri 15 Feb '13 21:55    Post subject: New Apache Virus? Reply with quote

Hello,

I am running xampp 1.7.7 (Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1), and I believe I have just acquired some sort of virus/worm.

After many months of reliability, Apache started to drop out pretty regularly (5-10 times per day) requiring a restart each time.

In the error.log file, I found tens of thousands of entries like this:

[Thu Feb 14 15:35:25 2013] [error] [client 5.135.153.51] script 'C:/xampp/htdocs/lol.php' not found or unable to stat

These are coming from two IP addresses(both from an ISP in France) and they have been occurring over the last few days. At certain times of day, these requests are coming in about 10 per second. The error.log file has grown to over 220 Mb, with 99% of that being these types of entries just from the past few days.

I found the following unknown files in the xampp/htdocs/ dir (which I have not put there myself) : lol.php, 121.php, fun.php, in2.php, and Holys.exe

I am not an expert on viruses by any means, but the contents of lol.php appears to be a script that searches out other computers to infect. I can post the files themselves if anyone is interested.

I have removed those files, but I am still receiving thousands of requests to access the lol.php file at several points throughout the day.

I have tried google search, but have uncovered nothing relevant to this problem.

Any help would be greatly appreciated!

Thank you.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 15 Feb '13 22:34    Post subject: Reply with quote

Xampp is not for productivity! It is extra open for development. That is not related to apache itself but more to the php scripts or what ever you run on it.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 15 Feb '13 23:14    Post subject: Reply with quote

Removing the files unfortunately doesn't plug the hole that allowed them to get there, so I'm sure they will be back.

I'd be interested VirusTotal's report on the exe.
https://www.virustotal.com
Back to top


Reply to topic   Topic: New Apache Virus? View previous topic :: View next topic
Post new topic   Forum Index -> Apache