linux
Kirill Kolpashchikov, 2018-10-14 21:53:29

Where did the Linux command in the Apache access log come from?

The following entry appeared in the Apache access log yesterday:

%мой_домен% 172.68.11.192 - a -q /dev/null /dev/null; echo ZWNobyAnc2tjOUEnOw== | base64 --decode | xargs -0 $(which php) -r # [13/Oct/2018:01:09:52 +0300] "GET /printpdf/0 HTTP/1.0" 404 14614 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 189861 146666:16666

Don't look at the IP, the server is behind Cloudflare. (Found the real IP: 217.23.139.83)
Before this
a -q /dev/null /dev/null; echo ZWNobyAnc2tjOUEnOw== | base64 --decode | xargs -0 $(which php) -r #
was not in the logs, there was a dash in this place. It's the first time I've come across this. Please help with the answer, what is it and can it harm my server?

2 answer(s)
Fixid, 2018-10-14
@Fixid

A banal search for vulnerabilities and holes in the settings.
They wanted to run echo 'skc9A'; | xargs -0 $(which php) -r
and don't even know the OS type.

CityCat4, 2018-10-15
@CityCat4

It's a search for holes.
They can do harm, and actually they want to do it :)
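
A log check for the kind of entry discussed in this thread, as an added example that is not part of either answer: it flags access-log lines whose user field contains shell metacharacters and decodes any base64 token for review without running it. The field layout (vhost, IP, ident, user, timestamp), the function names inspect and decode_tokens, and the sample vhost and IP are assumptions; the payload is the one quoted in the question.

```python
import base64
import re

# Constructed samples in the layout of the entry quoted in the question:
# vhost, client IP, ident, user field, [timestamp], "request", ...
# The vhost and IP are placeholders; the user-field payload is the one from the post.
SAMPLE = ('example.test 203.0.113.7 - a -q /dev/null /dev/null; '
          'echo ZWNobyAnc2tjOUEnOw== | base64 --decode | xargs -0 $(which php) -r # '
          '[13/Oct/2018:01:09:52 +0300] "GET /printpdf/0 HTTP/1.0" 404 14614 "-" "Mozilla/5.0"')
BENIGN = ('example.test 203.0.113.7 - - [13/Oct/2018:01:10:02 +0300] '
          '"GET / HTTP/1.0" 200 512 "-" "Mozilla/5.0"')

# Everything between the ident field and the bracketed timestamp is the user field.
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) (?P<ident>\S+) (?P<user>.*?) '
                     r'\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:[^\]]+)\] "')
SHELL_META = re.compile(r'[;|&$`<>(){}\s]')
B64_TOKEN = re.compile(r'(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])')


def decode_tokens(text):
    """Decode base64-looking tokens to printable ASCII for review; nothing is executed."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue  # not a whole number of base64 quanta
        try:
            plain = base64.b64decode(token, validate=True).decode('ascii')
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if plain.isprintable():
            decoded.append(plain)
    return decoded


def inspect(line):
    """Return details when the user field holds shell metacharacters, else None."""
    m = LINE_RE.match(line)
    if not m or not SHELL_META.search(m['user']):
        return None
    return {'ip': m['ip'], 'user': m['user'], 'decoded': decode_tokens(m['user'])}


if __name__ == '__main__':
    for entry in (SAMPLE, BENIGN):
        print(inspect(entry))
```

A normal entry has "-" or a plain username in the user field, so any hit is worth reviewing together with the request path and response status on the same line.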
