
Using phpMyAdmin and XAMPP in connection with local WordPress development.

Sometimes when I open the local site http://localhost/phpmyadmin/index.php the firewall is showing connection attempts from httpd.exe, for example to IPs 185.59.222.11 and 185.59.222.12.

So yes, the connection goes outward from the local machine to those IPs and not the other way round. In fact I have not had any attempt that was coming from the outside to httpd.exe so far.

Using http://ip-lookup.net/index.php I can see that IP 185.59.222.122 is NS ns3.superhosting.cz for example.

Are these connection attempts to get into the local MySQL database somehow? Is someone trying to hack into this development machine? I don't think so because the direction is going outwards, or am I misunderstanding this?

Perhaps it is of importance to notice that I am behind a VPN 365/24/7.

So far I am blocking all these requests. Also these requests do not happen often, most of the time when I refresh the http://localhost/phpmyadmin/index.php site. This leads me to thinking that possibly phpMyAdmin is looking for an update?

At times, when inside the WordPress dashboard httpd.exe also connects to outside IPs and checking those I can see that they belong to wordpress.org, so I allow them and that for example leads to the WordPress News articles being displayed in the local WordPress dashboard.

Additionally, if you can be asked, would anyone please kindly share a link or document on how to securely set up phpMyAdmin and Apache (XAMPP) for local development, while still allowing me to install WordPress plugins and the like from the outside net?

Anders
lowtechsun
  • You probably have something evil in the code that polls those servers for commands. Since this is not a public site I doubt you were compromised via an exploit but most likely your Wordpress was compromised from the start, possibly by downloading a plugin/theme from a dubious source. – André Borie Nov 04 '16 at 14:00
  • @AndréBorie Interesting assumption. The only plugin I downloaded is [Duplicator](https://wordpress.org/plugins/duplicator/) and that was done via port 443 and from a totally different IP. I can confirm it was downloaded via port 443 as the firewall logged it. Besides that this is a default untouched WP 4.6.1 install. The other requests are all outgoing on port 80 and only happen once I reload the phpMyAdmin page on localhost. What _code_ are you referring to? WP, phpMyAdmin or Apache(XAMPP)? – lowtechsun Nov 04 '16 at 15:45

1 Answer


Those IP addresses are almost certainly related to phpMyAdmin doing a version check. This is to show whether your version is up-to-date. See `libraries/VersionInformation.php`, where it will do a request for www.phpmyadmin.net. My computer returns 195.59.222.12 for this host. But because this is a CDN your results may be different.

You can disable the version check in the configuration by setting:

```php
$cfg['VersionCheck'] = false;
```

in `config.inc.php`.

ontrack
  • I choose to believe this is spot-on @ontrack. ;) Thank you for the explanation. Would you happen to have info on the semi-legal slipped-in second part of the question, being _how to securely set up phpMyAdmin and Apache (XAMPP) for local development, while still allowing me to install WordPress plugins and the like from the outside net_ ?? – lowtechsun Nov 04 '16 at 22:56
  • I guess for the second part I can look at [this](https://security.stackexchange.com/questions/77/apache-server-hardening). – lowtechsun Nov 04 '16 at 23:17
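
One way to test the answer's explanation against your own firewall log, as an added example (not code from the original posts or from phpMyAdmin): resolve the hosts the page names and label each outbound httpd.exe connection accordingly. The log format, the sample lines and the sample DNS answers are constructed assumptions; because www.phpmyadmin.net sits behind a CDN, "unexplained" only means the address did not match the current DNS answers.

```python
import socket

# Hosts the page names as legitimate destinations for httpd.exe.
EXPECTED_HOSTS = ("www.phpmyadmin.net", "wordpress.org")
# Constructed firewall log (hypothetical format: time,process,direction,ip,port).
SAMPLE_LOG = [
    "2016-11-04 14:02:11,httpd.exe,OUT,185.59.222.11,80",
    "2016-11-04 14:05:40,httpd.exe,OUT,198.51.100.7,443",
    "2016-11-04 14:06:02,httpd.exe,OUT,203.0.113.50,80",
    "2016-11-04 14:07:00,httpd.exe,IN,192.0.2.9,80",
]
# Constructed DNS answers so the example runs offline; real answers vary (CDN).
SAMPLE_DNS = {
    "www.phpmyadmin.net": {"185.59.222.11", "185.59.222.12"},
    "wordpress.org": {"198.51.100.7"},
}

def live_resolver(host):
    """IPv4 addresses DNS returns for host right now (needs network access)."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def build_ip_map(hosts, resolver):
    """Map every resolved IP to the expected hostname it belongs to."""
    ip_map = {}
    for host in hosts:
        try:
            addresses = resolver(host)
        except OSError:  # resolution failed; leave this host out
            continue
        for ip in addresses:
            ip_map[ip] = host
    return ip_map

def classify_outbound(log_lines, ip_map, process="httpd.exe"):
    """Return (ip, port, label) for each outbound connection made by process."""
    results = []
    for line in log_lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines
        _when, proc, direction, ip, port = fields
        if proc.lower() == process and direction == "OUT":
            results.append((ip, int(port), ip_map.get(ip, "unexplained")))
    return results

if __name__ == "__main__":
    ip_map = build_ip_map(EXPECTED_HOSTS, lambda h: SAMPLE_DNS.get(h, set()))
    for ip, port, label in classify_outbound(SAMPLE_LOG, ip_map):
        print(f"{ip}:{port} -> {label}")
```

To run it against live DNS, pass `live_resolver` to `build_ip_map` and feed in lines exported from your own firewall in the same five-field layout.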