Linux security issue: Protect against POST //cgi-bin/php attacks

Discussion in 'General Linux' started by Arijit, Feb 25, 2014.

  1. Arijit

    I have just been attacked. They are trying requests similar to the following URL:


    POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6
    %64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22
    %2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D
    64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTT
    /1.1" 404 290 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"


    How can I protect our server from this kind of attack, and how do I decode these things?
  2. Machin Shin

    Poking around the net real fast, I found a few different places explaining what is going on. It seems, as you probably expected, all the "%61%6C%6C%6F%77%5F" stuff is really just a command translated into a non-human-readable format.

    For more detail than you probably want on the issue, you can go to http://www.exploit-db.com/exploits/29290/

    What you probably most want from that though will be.

    So it looks like the normal advice once again wins. To make sure you're safe, make sure your software is updated to the latest versions.
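
On the decoding question, an added example (not written by either poster): a Python script that URL-decodes the query string of each access-log request and flags queries that decode to command-line switches, which is what the logged request carries. The sample log lines are constructed, reusing two fragments that are intact in the excerpt above; the function names and the heuristic are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (IPs, timestamps and sizes are made up). The first
# query string reuses two fragments that are intact in the log excerpt above.
SAMPLE_LINES = [
    '203.0.113.7 - - [25/Feb/2014:10:00:00 +0000] "POST /cgi-bin/php?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E'
    ' HTTP/1.1" 404 290 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [25/Feb/2014:10:00:05 +0000] '
    '"GET /index.php?page=2&sort=-d HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def looks_like_cli_switches(raw_query):
    """Heuristic: no unencoded '=' (the 'indexed query' form a CGI server may
    pass as command-line arguments, RFC 3875 4.4) and a leading '-' token."""
    if "=" in raw_query:
        return False
    tokens = unquote_plus(raw_query).split()
    return bool(tokens) and tokens[0].startswith("-")


def parse_switches(decoded):
    """Group decoded tokens into (switch, value) pairs; -d carries one value."""
    tokens, pairs, i = decoded.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "-d" and i + 1 < len(tokens):
            pairs.append(("-d", tokens[i + 1]))
            i += 2
        else:
            pairs.append((tokens[i], None))
            i += 1
    return pairs


def scan(lines):
    """Return (method, path, switches) for every suspicious request line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, raw_query = m.group("target").partition("?")
        if raw_query and looks_like_cli_switches(raw_query):
            findings.append((m.group("method"), path,
                             parse_switches(unquote_plus(raw_query))))
    return findings
```

Calling `scan(SAMPLE_LINES)` reports only the first line, decoded to `-d allow_url_include=on` and `-n`; pass the lines of your own access log to `scan()` to list matching requests.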
