I installed Ubuntu Server 12.04 on a VM. The server has apache2-mpm-prefork and libapache2-mod-php5 installed. I was looking through the logs and recently came across these rather suspicious entries:
xx.xx.xx.xx - - [20/Jan/2014:09:00:04 +0000] "HEAD / HTTP/1.0" 200 274 ...
xx.xx.xx.xx - - [20/Jan/2014:09:00:23 +0000] "POST /cgi-bin/php?%2D%64+...
xx.xx.xx.xx - - [20/Jan/2014:09:00:25 +0000] "POST /cgi-bin/php5?%2D%64...
...
Decoding the content after php?… gives the following:
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d
disable_functions="" -d open_basedir=none -d
auto_prepend_file=php://input -d cgi.force_redirect=0 -d
cgi.redirect_status_env=0 -n
Is this something I should be concerned about?
Answer:
It is probably an old zero-day attack targeting Parallels Plesk Panel. If you are not running it, you should be pretty safe. This is a quote about how the attack is done from Computer World:
A command executed by the exploit contains several arguments that are intended to disable security mechanisms that might exist on the server, he said. These include the “allow_url_include=on” argument which allows the attacker to include arbitrary PHP code and the “safe_mode=off” argument. “As a final step Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing, and effectively turns off the extra protection.”
In the POST request we can see the three key points of the attack, which are in fact the first three commands sent: -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on. The rest is just crawling further into your server.
You may want to read more about CVE-2012-1823, which covers this issue. Parallels provides a workaround to protect their users/customers. This issue has been fixed in all versions of Ubuntu; only old, unmaintained servers are at risk. If you are running a version equal to or higher than 5.3.10-1ubuntu3.1 of php5-cgi, you are not at risk.
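As an added example that is not part of the original thread, here is a small Python checker that does what the question did by hand: it URL-decodes the query string of each Apache access-log request line and flags requests to a php CGI binary whose query decodes to the php-cgi -d switches used by this CVE-2012-1823 probe. The log lines embedded below are constructed to match the shape of the asker's log, with RFC 5737 test addresses; the regex and directive list are this example's own choices.

```python
# Flag Apache access-log entries that look like CVE-2012-1823 (php-cgi argument
# injection) probes: a query string that URL-decodes to php-cgi -d switches.
import re
from urllib.parse import unquote_plus

# Common/combined log format: only the client IP, timestamp and request line are needed.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# -d directives the probe sends to switch protections off (matched after decoding).
SUSPICIOUS_DIRECTIVES = (
    "allow_url_include=on",
    "safe_mode=off",
    "suhosin.simulation=on",
    "auto_prepend_file=php://input",
    "cgi.force_redirect=0",
)

def decode_query(request_line):
    """Return (path, URL-decoded query) for a request line like 'POST /cgi-bin/php?... HTTP/1.0'."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return "", ""
    path, _, query = parts[1].partition("?")
    return path, unquote_plus(query)

def is_php_cgi_probe(request_line):
    """True when the target is a php CGI binary and the decoded query is a run of -d switches."""
    path, query = decode_query(request_line)
    if not re.search(r"/cgi-bin/php[\w.-]*$", path):
        return False
    # A normal query string never starts with a command-line switch.
    return query.startswith("-") and any(d in query for d in SUSPICIOUS_DIRECTIVES)

def scan_log(lines):
    """Return (ip, timestamp, decoded query) for every matching log entry."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_php_cgi_probe(m.group("req")):
            hits.append((m.group("ip"), m.group("ts"), decode_query(m.group("req"))[1]))
    return hits

# Constructed sample entries (RFC 5737 test addresses), mirroring the asker's log shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2014:09:00:04 +0000] "HEAD / HTTP/1.0" 200 274 "-" "-"',
    '203.0.113.5 - - [20/Jan/2014:09:00:23 +0000] "POST /cgi-bin/php?%2D%64+allow_url_include%3Don+%2D%64+safe_mode%3Doff+%2D%64+suhosin.simulation%3Don HTTP/1.1" 404 490 "-" "-"',
    '198.51.100.7 - - [20/Jan/2014:09:01:00 +0000] "GET /index.php?page=-d HTTP/1.1" 200 1200 "-" "-"',
]
```

Running scan_log over your real access.log gives you the source addresses and decoded switch lists to keep alongside the package-version check from the answer.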