I have just seen a new series of error in the /var/log/apache2/error.log
[Thu Oct 31 06:59:04 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php
[Thu Oct 31 06:59:08 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Thu Oct 31 06:59:09 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Thu Oct 31 06:59:14 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Thu Oct 31 06:59:14 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php4
This server is running Ubuntu 12.04lts.
I have never seen this sort of attack before, should i be concerned or securing my system in any way for them?
Thanks, John
If you're running a default configuration of Apache on Ubuntu (or have used the default config as a blind template for other virtualhost directives) you'll likely find that you have a ScriptAlias directive mapping /cgi-bin/ (relative to the apache document root) to the filesystem location of /usr/lib/cgi-bin/ - so what they're actually trying to load is http://your.host.name/cgi-bin/php4.
If you're not using your cgi-bin for anything, you're unlikely to lose anything you care about by commenting out the sections relating to it (and the more defined to your needs your configuration is, the smaller any potential attack surface).
You'll find the relevant directives for the default site in /etc/apache2/sites-available/000-default, if memory serves.
Seems theres someone trying to find a php cgi binary in your cgi-bin path. As long as there's nothing exploitable in there, there's nothing to worry about.
You can disable the default server cgi-bin like so: