2

I was reviewing my server logs when I came across several thousand of this gem, from multiple IP addresses. My question is: what is all this junk? What is this trying to execute? I am pretty sure that I am not using CGI-BIN for anything. I am running an Ubuntu 13.04 server.

It reads:

69.64.59.8 - - [18/Dec/2013:16:12:43 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 493 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"

which translates into:

[18/Dec/2013:16:12:44 -0500] "POST /cgi-bin/php.cgi?-dallow_url_include=on-dsafe_mode=off-dsuhosin.simulation=on-ddisable_functions=""-dopen_basedir=none-dauto_prepend_file=php://input-dcgi.force_redirect=0-dcgi.redirect_status_env=0-n HTTP/1.1" 404 497 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
Braiam
  • 69,112
j0h
  • 15,365

1 Answer

7

It's malicious traffic, but I'd wager it isn't directed. It'll most likely be an automated script or botnet scanning for vulnerabilities.

These sorts of URLs represent buffer overflows to make PHP (et al.) execute arbitrary code. It's an attempt to gain access to your server so that the attacker can then control it to attack other servers, host malware and send spam.

The hosts attacking your server are likely just other people's computers and servers. They've been enslaved in a botnet to do bad stuff. And just because it says iPad doesn't mean it is an iPad. A user agent can be easily spoofed.


There's nothing you can do to prevent people making these requests. There will always be a pool of computers out there making them at some point or another.

But if you have the time, report the attacking IPs to their ISPs.

This isn't a case of getting somebody in trouble, it's about letting those ISPs notify their clients that they need to clean up their machines. And if things persist, to get those machines off the Internet. If more people did this, the Internet would be a safer place.

You can just whois <ip> to get the abuse email, but here's a line to distil it down to just the email address:

whois 69.64.59.8 | grep abuse | grep -Eo '\S+@\S+' | sort -u

And ping them an email that covers the basic information about the attack.

For handling many of them, you could awk your logs for attackers with something like:

awk '/cgi/ {print $1}' /path/to/logs | sort -u

And then just work your way through them. You could even chain the two together to make things even easier:

awk '/cgi/ {print $1}' /path/to/logs | sort -u | xargs -I % bash -c "echo %; whois % | grep abuse | grep -Eo '\S+@\S+' | sort -u; echo"

The only problem there is you'll lose your reference to the log entry. That may or may not be a problem depending on the email you're planning on writing.

Oli
  • 299,380
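The following POSIX shell script is an added example, not code from the question or the answer. It decodes the URL-encoded query string from the log line in the question (the `+` signs are spaces, which is why the decoded copy in the question runs the `-d` options together), lists the `-d` settings the request tries to hand to a PHP CGI binary (the one worth noticing is `auto_prepend_file=php://input`, which would make php-cgi treat the POST body as a PHP script; the 404 shows no such binary was there to receive it), and then scans a constructed access-log sample for these requests while keeping the timestamp and decoded query beside each source IP, which is the lost-reference problem the answer mentions. Only the first sample line is the one from the question; the addresses 198.51.100.7 and 203.0.113.9 and their log lines are constructed, and `url_decode`, `php_options`, `suspicious_requests` and `attacker_ips` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): decode the /cgi-bin/php query
# string seen in the question and scan log lines for such requests.

# Query string copied verbatim from the log line in the question.
QUESTION_QUERY='%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E'

# Constructed sample log: line 1 is the question's entry (user agent shortened);
# the other two lines and their addresses are made up for this example.
SAMPLE_LOG="69.64.59.8 - - [18/Dec/2013:16:12:43 -0500] \"POST /cgi-bin/php?$QUESTION_QUERY HTTP/1.1\" 404 493 \"-\" \"Mozilla/5.0 (iPad)\"
198.51.100.7 - - [18/Dec/2013:16:13:02 -0500] \"GET /index.html HTTP/1.1\" 200 1024 \"-\" \"curl/7.29.0\"
203.0.113.9 - - [18/Dec/2013:16:14:10 -0500] \"POST /cgi-bin/php?%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1\" 404 493 \"-\" \"Mozilla/5.0 (iPad)\""

# url_decode QUERY: '+' becomes a space and each %XX escape becomes the
# corresponding character (the payload here is plain ASCII). Done in awk so
# it works under dash as well as bash.
url_decode() {
    printf '%s\n' "$1" | awk '
    function hexval(h,    i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return n
    }
    {
        gsub(/\+/, " ")
        out = ""
        while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr($0, 1, RSTART - 1) sprintf("%c", hexval(substr($0, RSTART + 1, 2)))
            $0 = substr($0, RSTART + RLENGTH)
        }
        print out $0
    }'
}

# php_options DECODED: print one "key=value" per line for every "-d key=value"
# pair, so the settings the request asks for are readable at a glance.
php_options() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "-d" && i < NF) print $(i + 1) }'
}

# suspicious_requests LOG: for every line whose request path is /cgi-bin/php,
# print "ip<TAB>timestamp<TAB>decoded query". Unlike "awk ... | sort -u",
# this keeps the log reference next to each address for the abuse report.
suspicious_requests() {
    printf '%s\n' "$1" | grep -F '/cgi-bin/php' | while IFS= read -r line; do
        ip=${line%% *}
        ts=${line#*\[}; ts=${ts%%\]*}
        req=${line#*\"}; req=${req%%\"*}            # POST /cgi-bin/php?... HTTP/1.1
        path=$(printf '%s' "$req" | cut -d' ' -f2)
        query=${path#*\?}
        printf '%s\t%s\t%s\n' "$ip" "$ts" "$(url_decode "$query")"
    done
}

# attacker_ips LOG: unique source addresses, the same idea as the answer's
# one-liner but matching the request path rather than any line containing "cgi".
attacker_ips() {
    printf '%s\n' "$1" | awk '/\/cgi-bin\/php/ { print $1 }' | sort -u
}

decoded=$(url_decode "$QUESTION_QUERY")
printf 'Decoded query: %s\n\n' "$decoded"
printf 'php -d settings the request asks for:\n'
php_options "$decoded"
printf '\nSuspicious requests (ip, time, decoded query):\n'
suspicious_requests "$SAMPLE_LOG"
printf '\nUnique source IPs to look up with whois:\n'
attacker_ips "$SAMPLE_LOG"
```

Feed real logs with `suspicious_requests "$(cat /var/log/apache2/access.log)"`; the third column is what to paste into the abuse e-mail, and the first column is what to pipe into the answer's `whois` lookup.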