How to secure servers from a cgi-bin/php POST request attack

brute-force-attacks centos7

We got a POST request to our server with the following in it:

%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%F%69%6E%70%75%74+%2D%6E

Using url decode this translates to:

cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env file=php://input -n

It seems to be similar to Strange URL requests via Nginx on Ubuntu 14.04, what is the malicious user trying to do?. In what scenario would the request work? I see from the logs we sent a 404 but I want to make sure we don't have any other box that may be vulnerable to it.


Many years ago people used to run PHP as a CGI script (not even FastCGI, it didn't exist yet!) in part so that they could switch Apache from its low-performance prefork MPM to the new and somewhat higher performing worker MPM. (And nginx was unknown yet, it was that long ago.) If a server was set up to run PHP as a CGI script, then you could call the PHP interpreter directly at /cgi-bin/php.

PHP technically still could be installed as CGI, but it turned out not to be as performant as people were hoping, thus FastCGI was invented. All current high performance PHP sites use FastCGI/FPM, generally with nginx or sometimes with Apache's event MPM. FastCGI/FPM are not vulnerable to this as they do not permit PHP to be called directly through /cgi-bin.

If your server isn't an ancient rotting pile of PHP run as CGI, then you need not worry about this request.


The general problem is command injection. Made easier by old insecure CGI configurations allowing php execution direction, although a modern web server that sent a 404 isn't vulnerable to this specifically.

You prevent it by removing CGI where it is not needed, locking down the web server with file permissions and maybe SELinux, and securing your web apps. Open Web Application Security Project Testing Project has some general advice.

Related

Can MTA send mail via a relay without being told so?
Tmpfs vs NVME SSDs from performance POV [duplicate]
Most wanted feature for Windows Server Update Services (WSUS) 4.0 [closed]
Anti-Rootkit programs
Monitoring system that scales to 1,000 hosts and 100,000 variables
Does Windows have symlinks?
How to add a linux user with a random or invalid password from a script
How can I convert a logical partition to a primary partition?
Inexpensive degaussers or HDD shredders?
Preparing to sell a server
Nagios plugin to take process snapshot when load is high
VP is demanding admin access to PC to install apps - What is a good containment strategy? [duplicate]