
I am setting up a server with PHP support.

In a few days online, I have been targeted (unsuccessfully) with the typical attack:

"201.212.25.79 - - [29/Jan/2014:06:17:03 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 834 "-" "Mozilla/5.0 (compatible; Zollard; Linux)""

I am afraid that sooner or later one of these attacks might be successful. I read that by commenting out from the apache config file the directive:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

the server can be made more secure.

What is the use of this part of the apache config file?

Dave M

1 Answer

I believe what you face is this exploit: http://www.exploit-db.com/exploits/29290/

The only/better solution is to update your PHP!

PHP binaries patched for CVE-2012-1823 are not affected by this hack.

Semirke
  • Hi Semirke, I really appreciate your advice, certainly it's something I will do, thanks. Is it possible for you to comment on the use of the directive ScriptAlias, please? Dan – user3256539 Feb 04 '14 at 12:46
  • Ofc! :) If you remove it, it won't work. If you plan on removing it, then copying the file to the aliased location, your site won't have access to it. I'm not quite sure if it is a good thing to place PHP symlinks or binaries under your site's /cgi-bin. – Semirke Feb 05 '14 at 13:31
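
As an added example (not part of the original question or answer), this Python sketch decodes requests like the one logged in the question and flags those whose query string a CGI handler would pass to php-cgi as command-line arguments, which is the behaviour CVE-2012-1823 concerns. The sample log lines are constructed (the first reuses the beginning and end of the query string from the question, with a documentation IP address), and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Request portion of a combined-format access log line: "METHOD target PROTO" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def php_cgi_args(target):
    """Return the argv a CGI handler would derive from the query, or [] if none.

    By CGI convention a query string with no literal '=' is split on '+' and
    passed as command-line arguments. Percent-encoding '=' as %3D keeps the
    raw query free of '=', which is why the logged request is fully encoded.
    """
    _, sep, query = target.partition("?")
    if not sep or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]

def scan(lines):
    """Return one record per request whose query would reach php-cgi as options."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        args = php_cgi_args(m["target"])
        if not args or not args[0].startswith("-"):
            continue
        # Each "-d" is followed by the php.ini setting it tries to override.
        overrides = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-d"]
        hits.append({"ip": line.split()[0], "status": int(m["status"]),
                     "args": args, "overrides": overrides})
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jan/2014:06:17:03 +0000] "POST /cgi-bin/php5?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E'
    ' HTTP/1.1" 500 834 "-" "-"',
    '203.0.113.9 - - [29/Jan/2014:06:20:11 +0000] "GET /index.php?id=-1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [29/Jan/2014:06:21:40 +0000] "GET /search?hello+world HTTP/1.1" 200 640 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["args"])
```

A flagged request that returned a 5xx status, like the one in the question, did not complete normally; a flagged request with a 200 status deserves a closer look at the PHP version and handler configuration.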