On Fri, Jun 17, 2016, at 09:30 PM, Michael Armbruster wrote:
Hi Paul,
assuming the default HTTP port, it was an attack on port 80. Furthermore, the cryptic-looking sequences (%XX, where X is 0-9 or A-F) are URL-escaped characters. Unescaping them leads to something like this:
/cgi-bin/php-cgi?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
Putting all those bits together, we can conclude that an attacker tried to access the PHP executable on the CGI path of a web server and disable various security features. The malicious code or data he tried to send to the server was sent as POST data. We cannot see the POST data, though, so we can only speculate about what the attacker tried to do. A good bet would be to upload a shell to the web server to gain further access to the server, but that's only speculation.
Specifically, this looks like https://www.exploit-db.com/exploits/29290/ - server operators take note. GD
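The request string discussed in the thread is the classic php-cgi argument-injection pattern (the 2012 php-cgi bug, CVE-2012-1823): per the CGI specification (RFC 3875 section 4.4), when a query string contains no unencoded "=", the web server splits it on "+" and hands the pieces to the CGI program as command-line arguments, so a percent-encoded "-d+key%3Dvalue" reaches php-cgi as "-d key=value" and overrides php.ini. The following is an added example, not code from the thread or from the exploit-db entry, that reproduces that server-side rule over access-log request lines and reports which ini directives an attacker injected. The log lines are constructed for the example; the function and directive names are my own choices.

```python
"""Spot php-cgi argument injection in web server access logs.

Server-side rule being modelled (RFC 3875 section 4.4): if QUERY_STRING
has no literal '=', it is treated as an "indexed" query, split on '+',
percent-decoded, and passed as argv to the CGI program. php-cgi then
honours '-d key=value' (ini override) and '-n' (ignore php.ini).
"""
import re
from urllib.parse import unquote

# Directives whose override has security impact in this attack.
SECURITY_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation",
    "disable_functions", "open_basedir", "auto_prepend_file",
    "cgi.force_redirect", "cgi.redirect_status_env",
}

# Request line inside an Apache combined-format log entry.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log entries (not taken from the thread). The first carries
# the same option string the thread decodes, with '-' as %2D and '=' as %3D so
# the server sees no literal '=' and passes the query as argv.
ATTACK_LINE = (
    '203.0.113.7 - - [17/Jun/2016:21:30:00 +0000] "POST /cgi-bin/php-cgi?'
    '%2Dd+allow_url_include%3Don+%2Dd+safe_mode%3Doff+%2Dd+suhosin.simulation%3Don'
    '+%2Dd+disable_functions%3D%22%22+%2Dd+open_basedir%3Dnone'
    '+%2Dd+auto_prepend_file%3Dphp%3A%2F%2Finput+%2Dd+cgi.force_redirect%3D0'
    '+%2Dd+cgi.redirect_status_env%3D0+%2Dn HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
)
BENIGN_LINE = ('198.51.100.4 - - [17/Jun/2016:21:31:00 +0000] '
               '"GET /cgi-bin/php-cgi?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
ISINDEX_LINE = ('198.51.100.9 - - [17/Jun/2016:21:32:00 +0000] '
                '"GET /cgi-bin/search?hello+world HTTP/1.1" 200 128 "-" "curl/7.47"')


def cgi_argv(query):
    """Apply the RFC 3875 rule: no literal '=' means the query becomes argv."""
    if not query or "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


def parse_php_cgi_args(argv):
    """Extract '-d key=value' overrides and bare flags such as '-n'."""
    directives, flags = {}, []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-d" and i + 1 < len(argv):          # -d key=value
            key, _, val = argv[i + 1].partition("=")
            directives[key] = val.strip('"')
            i += 2
        elif tok.startswith("-d") and len(tok) > 2:    # -dkey=value
            key, _, val = tok[2:].partition("=")
            directives[key] = val.strip('"')
            i += 1
        elif tok.startswith("-"):                      # -n, -s, ...
            flags.append(tok)
            i += 1
        else:
            i += 1
    return directives, flags


def analyse_request_line(line):
    """Return a dict describing the request, or None if no request line found."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    argv = cgi_argv(query)
    directives, flags = parse_php_cgi_args(argv)
    injected = directives or flags
    return {
        "method": m.group("method"),
        "path": path,
        "argv": argv,
        "directives": directives,
        "flags": flags,
        "security_overrides": sorted(SECURITY_DIRECTIVES & directives.keys()),
        "verdict": "php-cgi argument injection" if injected else "clean",
    }


if __name__ == "__main__":
    for entry in (ATTACK_LINE, BENIGN_LINE, ISINDEX_LINE):
        r = analyse_request_line(entry)
        print(r["verdict"], r["path"], r["security_overrides"], r["flags"])
```

Two practical points follow from the code. First, the decision is made on the raw query string, not the decoded one: "?page=1" is harmless because the literal "=" keeps it out of argv, while the encoded "%3D" in the attack is exactly what bypasses that check. Second, with auto_prepend_file=php://input the actual payload is the POST body, which access logs never record, so, as the thread notes, you can identify the attempt from the request line but not what was executed.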