On my server I have serious HTTP and SSH attacks running. Most of them are brute-force password checks or attempts at /etc/passwd retrieval. But some of them are trying to start bash via plugin systems or performing strange requests. Watching the log files of my Apache server, I see lines such as this (without the line breaks):
POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D
%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69
%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66
%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D
%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68
%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72
%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73
%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 1718 "-" "Mozilla/5.0 (iPad; CPU OS 6_0
like Mac OS X) AppleWebKit/636.26(KHTML, like Gecko) Version/6.0 Mobile/10B5355d
Safari/8636.25
After URL-decoding it I got this:
"POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d
suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d
auto_prepend_file=php://input -d cgi.force_redirect=0 -d
cgi.redirect_status_env=0 -n HTTP/1.1" 301 1718 "-" "Mozilla/5.0 (iPad;
CPU OS 6_0 like Mac OS X) AppleWebKit/636.26(KHTML, like Gecko)
Version/6.0 Mobile/10B5355d Safari/8636.25"
But what does it try to do? As this is a POST request, is there a way to see what data has been submitted with it?
My security actions are as follows: disable every service I do not need; for those I really need, protect them with fail2ban, alternative ports (if possible), regular software updates and regular log file inspection. (Next steps would be to regularly check for weak passwords and to have some kind of intrusion detection mechanism.)
This is a PHP-CGI attack.
The above section of data will be erroneously passed to the PHP command line interpreter and may allow the attacker to override specific PHP configurations. In this case, one of the key modifications is to specify "auto_prepend_file=php://input" which will allow the attacker to send PHP code in the request body.
REF: http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apache-magikac.html
This seems like a common attack where they are seemingly trying to inject cgi commands. Get yourself an IDS or a HIDS. These can automatically notify you or block the traffic when seeing malicious strings.
Also make sure to harden your systems as much as possible, lower your information footprint as much as possible.
Make sure to keep track of the offender, if this just happens sporadically it's common internet background noise.
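The first answer explains the mechanism and the second suggests an IDS that flags malicious strings; the following script is an added example (not code from either answer) of the detection logic such a check would run over Apache access-log lines. It URL-decodes the query string and reports requests to a php-cgi path that carry `-d` / `-n` style interpreter options, singling out the directives seen in the question (auto_prepend_file, allow_url_include, safe_mode, and so on). The log lines are constructed for the example; the IP addresses and the shortened user agent are placeholders. Note that the default access log stores only the request line, not the POST body, so the submitted data cannot be recovered from these entries; only the argument-injection pattern in the request line is visible.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); the first mirrors the
# question's request, the second is ordinary traffic. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2013:12:00:01 +0000] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 1718 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2013:12:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# The quoted request part of a combined-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# php.ini directives which, when injected with -d, make php-cgi execute the
# request body as PHP or strip its usual restrictions (all appear in the question's log line).
HIGH_RISK_DIRECTIVES = {
    "auto_prepend_file", "allow_url_include", "safe_mode", "disable_functions",
    "open_basedir", "cgi.force_redirect", "cgi.redirect_status_env",
}


def analyse_request_line(line):
    """Return None for a benign line, or a dict describing a php-cgi option-injection attempt."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, sep, raw_query = m.group("target").partition("?")
    if not sep or "php" not in path.lower():
        # Only a php-cgi binary interprets -d/-n; other scripts are out of scope here.
        return None
    # RFC 3875 section 4.4: a query string containing no unencoded '=' is an
    # "indexed" query, and the CGI handler passes it to the script as argv.
    # That is why the attacker percent-encodes every '=' (%3D) in the request.
    if "=" in raw_query:
        return None
    argv = unquote_plus(raw_query).split()
    if not any(arg.startswith("-") for arg in argv):
        return None
    directives = [argv[i + 1] for i, arg in enumerate(argv)
                  if arg == "-d" and i + 1 < len(argv)]
    high_risk = [d for d in directives if d.split("=", 1)[0] in HIGH_RISK_DIRECTIVES]
    return {"method": m.group("method"), "path": path, "argv": argv,
            "directives": directives, "high_risk": high_risk}


def scan_log(text):
    """Run analyse_request_line over every line and collect the findings."""
    return [f for f in (analyse_request_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['method']} {finding['path']}: php-cgi options {finding['argv']}")
        if finding["high_risk"]:
            print("  high-risk directives:", ", ".join(finding["high_risk"]))
```

The '=' check is the important design point: a legitimate query string almost always contains a literal '=', so the check has few false positives while matching exactly the encoding trick that turns the query into interpreter arguments. Feeding the decoded directive list to fail2ban or a HIDS rule gives the automatic blocking the second answer recommends.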