math's questions

On my server I have serious HTTP an SSH attacks running. Most of them are brute force password checks or attemps of /etc/passwd retrievals. But some of them are trying to start the bash via plugin systems or performing strange requests. Watching the log files of my apache server, I have such lines (without the line breaks):

POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D
%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69
%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66
%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D
%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68
%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72
%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73
%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 1718 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 
like Mac OS X) AppleWebKit/636.26(KHTML, like Gecko) Version/6.0 Mobile/10B5355d 
Safari/8636.25

With URL decode I got this:

"POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d 
suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d 
auto_prepend_file=php://input -d cgi.force_redirect=0 -d 
cgi.redirect_status_env=0 -n HTTP/1.1" 301 1718 "-" "Mozilla/5.0 (iPad; 
CPU OS 6_0 like Mac OS X) AppleWebKit/636.26(KHTML, like Gecko) 
Version/6.0 Mobile/10B5355d Safari/8636.25"

But what does it try to do? As this is a POST request, is there a way to see what data has been submitted with it?

My security actions are as follows: Disable every service I do not need, for those I really need, protect them with fail2ban, alternative ports (if possible), regular software updates and regular log file inspection. (Next steps would be, to regularly check for weak passwords and having some kind of intrusion detection mechanism)

My college kindly provides web space in form of an public_html directory. As I place content there, could I somehow monitor or log how often a given file is downloaded, and from whom? I think .htaccess may be of some help here, but this is just a guess that is why I am asking here: How to log or monitor access to my public_html directory without access to the apache server configuration?

First of all there is pdsh which is essentially a parallel distributed shell which may execute commands on a list of given hosts. However, I find myself in an IPv6 only problem setting. It seems that pdsh is not able to use IPv6, as I am getting error messages:

pdsh -w ^hostnames my_command
pdsh@myhost: gethostbyname("foobar") failed

I also tried to use IPv6 addresses only, which also didn't work. So how do you run a single shell script for administrative purpose (no SGE stuff, or similar) on a bunch of hosts that is IPv6 reachable only?

I just wondered if someone could install malicious firmware from remote on IPMI controllers (similar to a rootkit)? Is something like that possible? I though about installing a keylogger sending summaries over SNMP. I know normally IPMIs are in different subnets, protected by passwords,.. but commit that the attacker has knowledge to overcome those barriers.

I guess it should be easily possible to open the ssh port with a fake ssh server and collect passes (I guess they aren't plain anymore and became hashes) and corresponding logins, e.g. a honey-pot. The idea behind that is to build a database and test my accounts on those. Has anyone done that already?

If you might wonder what benefit I would expect on testing my accounts with those passwords, I would argue that passwords might change during time and I could eventually anticipate a "successful" ssh-attack.