Strange POST requests to my Ubuntu server - am I in trouble?

security php apache2

Is probably a old Zero Day attack targeting Parallels Plesk Panel. If you are not running it, you should be pretty safe. This is a quote about how the attack is done from Computer World:

A command executed by the exploit contains several arguments that are intended to disable security mechanisms that might exist on the server, he said. These include the “allow_url_include=on” argument which allows the attacker to include arbitrary PHP code and the “safe_mode=off” argument. “As a final step Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection.”

In the POST request we can see the 3 vertices of the attack, which is in fact the first 3 commands sent -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on. The rest is just crawling more in your server.

You may want to know more about the CVE-2012-1823 that address this issue. Parallels provided a workaround to protect their users/costumers. This issue has been fixed in all versions of Ubuntu, only old unmaintained servers are in danger. If you are using version equal or superior than 5.3.10-1ubuntu3.1 of php5-cgi, you are out of danger.

Related

Left Alt key should work as right Alt key (Alt Gr)
Can't get the shared clipboard to work on Ubuntu 14.04
System loses static IP address
trying to install libncurses dev package for ubuntu 14.04 [duplicate]
How to I get the right Pulseaudio profiles to show up without restarting Pulseaudio?
Find the user under which a Ubuntu service runs?
How to use CUDA with NVIDIA Prime
How to create new user with Public key authentication?
What is the difference between --init-file and --rcfile?
Unable to properly set static IP in Ubuntu 16.04
How to prevent SSHFS mount freeze after changing connection after suspend?
Restore Apple bootloader on an (Intel) Mac after an update-grub was run by an external Ubuntu installation