I'm using Amazon Linux on an m3.large instance on EC2. I had these logs before my Apache server was shut down:
[Sun Sep 28 18:54:31.679261 2014] [cgi:error] [pid 32422] [client 67.211.230.58:58937]
script not found or unable to stat: /var/www/cgi-bin/wlogin.cgi
[Mon Sep 29 03:32:17.602213 2014] [cgi:error] [pid 13612] [client 173.45.100.18:42591]
attempt to invoke directory as script: /var/www/cgi-bin/
[Mon Sep 29 03:32:19.142561 2014] [cgi:error] [pid 13623] [client 173.45.100.18:43455]
script not found or unable to stat: /var/www/cgi-bin/hi
[Mon Sep 29 15:40:45.599504 2014] [core:error] [pid 17852] [client 80.82.64.145:51226]
AH00126: Invalid URI in request GET HTTP/1.1
[Mon Sep 29 22:53:46.532859 2014] [mpm_prefork:notice] [pid 10800]
AH00169: caught SIGTERM, shutting down
And... that's it. My httpd service was shut down.
What I'm smelling here is that some people are trying to access the server by executing CGI scripts with GET requests, which I suspect because of this line:
script not found or unable to stat: /var/www/cgi-bin/hi
What the hell is the "hi" supposed to mean here, if it's not an exploit attempt?
Also:
attempt to invoke directory as script: /var/www/cgi-bin/
They are all coming from the same IP, 173.45.100.18.
Am I under DDoS and other malicious attacks, or is something arcane going on?
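
A triage sketch for the entries quoted above, added as an example and not part of the original post: it parses Apache 2.4 error-log lines, groups request errors by client IP, and separates entries that carry no `[client ...]` field, such as the mpm_prefork shutdown notice. The sample text is the post's own log lines rejoined one entry per line; the function names are illustrative.

```python
import re
from collections import defaultdict

# Apache 2.4 error-log layout: [time] [module:level] [pid N] [client IP:port] message
# The [client ...] field is absent on entries that are not tied to a request.
ENTRY = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\]"
    r"(?: \[client (?P<ip>[^\]]+):(?P<port>\d+)\])? ?(?P<msg>.*)$"
)

# The entries quoted in the post, rejoined so each one sits on a single line.
SAMPLE = """\
[Sun Sep 28 18:54:31.679261 2014] [cgi:error] [pid 32422] [client 67.211.230.58:58937] script not found or unable to stat: /var/www/cgi-bin/wlogin.cgi
[Mon Sep 29 03:32:17.602213 2014] [cgi:error] [pid 13612] [client 173.45.100.18:42591] attempt to invoke directory as script: /var/www/cgi-bin/
[Mon Sep 29 03:32:19.142561 2014] [cgi:error] [pid 13623] [client 173.45.100.18:43455] script not found or unable to stat: /var/www/cgi-bin/hi
[Mon Sep 29 15:40:45.599504 2014] [core:error] [pid 17852] [client 80.82.64.145:51226] AH00126: Invalid URI in request GET HTTP/1.1
[Mon Sep 29 22:53:46.532859 2014] [mpm_prefork:notice] [pid 10800] AH00169: caught SIGTERM, shutting down
"""

def parse(text):
    """Return one dict per parseable entry; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]

def summarize(entries):
    """Split entries into request errors grouped by client IP and
    server-side entries that carry no client field."""
    by_client, local = defaultdict(list), []
    for e in entries:
        record = (e["time"], e["module"], e["msg"])
        if e["ip"]:
            by_client[e["ip"]].append(record)
        else:
            local.append(record)
    return dict(by_client), local

if __name__ == "__main__":
    by_client, local = summarize(parse(SAMPLE))
    # Busiest clients first, then the entries with no remote client attached.
    for ip, hits in sorted(by_client.items(), key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(hits)} request error(s)")
        for when, module, msg in hits:
            print(f"    {when} [{module}] {msg}")
    for when, module, msg in local:
        print(f"no client: {when} [{module}] {msg}")
```
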