Strange POST requests to my Ubuntu server - am I in trouble?
It is probably an old zero-day attack targeting Parallels Plesk Panel. If you are not running it, you should be pretty safe. This is a quote from Computer World about how the attack is done:
A command executed by the exploit contains several arguments that are intended to disable security mechanisms that might exist on the server, he said. These include the “allow_url_include=on” argument which allows the attacker to include arbitrary PHP code and the “safe_mode=off” argument. “As a final step Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection.”
In the POST request we can see the 3 vertices of the attack, which are in fact the first 3 commands sent: -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on. The rest is just crawling further into your server.
You may want to know more about CVE-2012-1823, which addresses this issue. Parallels provided a workaround to protect their users/customers. This issue has been fixed in all versions of Ubuntu; only old, unmaintained servers are in danger. If you are using a version equal to or greater than 5.3.10-1ubuntu3.1 of php5-cgi, you are out of danger.
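To tell whether the requests in your own access log are the pattern the answer above describes, here is an added example (not part of the original question or answer, and not Parallels or Ubuntu code) that scans Apache combined-format log lines for a query string smuggling php-cgi "-d" overrides. The sample log lines are constructed for the example; the three directive names are the ones the answer quotes (allow_url_include, safe_mode, suhosin.simulation). The shape of the check follows CVE-2012-1823: php-cgi treats the query string as command-line options only when it contains no raw "=", which is why attackers encode "=" as %3d and separate arguments with "+".

```python
"""Scan access-log lines for php-cgi argument injection (CVE-2012-1823):
a query string with no literal '=' whose decoded form is a list of
php-cgi options such as "-d allow_url_include=on".
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" format; only the request line is used for detection.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The php.ini overrides named in the answer above; any of them is a strong signal.
KNOWN_DIRECTIVES = ("allow_url_include", "safe_mode", "suhosin.simulation")

# Constructed sample log (hypothetical addresses, not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2013:02:14:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2013:02:14:09 +0000] "POST /?-d+allow_url_include%3don+-d+safe_mode%3doff+-d+suhosin.simulation%3don HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:02:15:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Nov/2013:02:16:02 +0000] "GET /?-dsafe_mode%3doff HTTP/1.1" 200 0 "-" "curl/7.22.0"
"""


def injected_directives(target):
    """Return the (name, value) php.ini overrides passed via "-d" in the
    query string of a request target, or [] if the query is not argv-shaped.

    php-cgi only splits the query string into argv when it contains no raw
    '=' character, so a normal name=value query is ignored here on purpose.
    """
    if "?" not in target:
        return []
    raw_query = target.split("?", 1)[1]
    if "=" in raw_query:
        return []  # ordinary name=value query; php-cgi would not treat it as argv
    args = unquote_plus(raw_query).split(" ")  # '+' is the argv separator
    if not args or not args[0].startswith("-"):
        return []
    found = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-d" and i + 1 < len(args):          # "-d name=value"
            name, _, value = args[i + 1].partition("=")
            found.append((name, value))
            i += 2
            continue
        if arg.startswith("-d") and len(arg) > 2:      # "-dname=value"
            name, _, value = arg[2:].partition("=")
            found.append((name, value))
        i += 1
    return found


def scan_log(log_text):
    """Return one finding per request whose query string carries -d overrides."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        directives = injected_directives(m["target"])
        if not directives:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "target": m["target"],
            "directives": directives,
            "known": [name for name, _ in directives if name in KNOWN_DIRECTIVES],
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["method"], f["status"], f["directives"], "known:", f["known"])
```

Point it at your real log with `scan_log(open("/var/log/apache2/access.log").read())`. A hit with status 200 from a request like the second sample line means the request reached php-cgi; whether it could actually do anything depends on the php5-cgi version. On Ubuntu you can check that with `dpkg-query -W -f='${Version}\n' php5-cgi` and `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' php5-cgi)" ge 5.3.10-1ubuntu3.1 && echo fixed`.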