OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:

<rule id="31110" level="6">
 <if_sid>31100</if_sid>
 <url>?-d|?-s|?-a|?-b|?-w</url>
 <description>PHP CGI-bin vulnerability attempt.</description>
 <group>attack,</group>
</rule>
It looks for the possibly dangerous options (-d, -s, -a, -b and -w) in the requested URL and alerts if it sees any of them. This is the alert it generates when detected:
** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: 93.233.72.66
93.233.72.66 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
This rule is also in my repository.
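As an added example (my own code, not part of the post and not OSSEC's matching engine), the following script mirrors what rule 31110 does: it only looks at lines that parse as web access-log events (the role of the parent rule 31100) and then checks the request URL against the same five pipe-separated substrings. OSSEC's sregex treats "|" as OR and "?" as a literal, so "?-s" is a plain substring test, which also fires on harmless query strings such as "?-search=". The STRICT_RE variant is my assumption of how one might tighten that, not something the post proposes; the log lines are constructed (the first one is the one from the alert above, the others use documentation IP ranges).

```python
import re

# Constructed sample access-log lines. The first is the request from the post's
# alert; the others are made up for this example.
SAMPLE_LOG = """\
93.233.72.66 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2012:07:12:01 +0000] "GET /index.php?-d+display_errors%3don HTTP/1.1" 200 512 "-" "curl/7.22"
203.0.113.9 - - [09/May/2012:07:12:30 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [09/May/2012:07:13:02 +0000] "GET /search.php?-search=ossec HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: enough to pull out client IP and URL.
# Lines that do not parse are treated like events the web-accesslog decoder
# (and therefore parent rule 31100) would not have produced.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# The rule's <url>?-d|?-s|?-a|?-b|?-w</url> field: '|' separates alternatives,
# each of which is matched as a plain substring of the URL.
RULE_PATTERNS = ["?-d", "?-s", "?-a", "?-b", "?-w"]

# Assumed stricter variant (not from the post): "-d" may be followed directly
# by the directive it sets, while -s/-a/-b/-w must end the query string or be
# followed by a separator, so "?-search=" no longer matches.
STRICT_RE = re.compile(r'\?-(?:d|[sabw](?=[&+%]|$))')


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rule_31110_matches(url):
    """Substring check equivalent to the rule's <url> field."""
    return any(p in url for p in RULE_PATTERNS)


def strict_matches(url):
    """Tighter, assumed variant that requires a separator or end after -s/-a/-b/-w."""
    return STRICT_RE.search(url) is not None


def scan(log_text):
    """Run both checks over every line; return one alert dict per matching request."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not a web access-log event, parent rule would not fire
        loose = rule_31110_matches(ev["url"])
        strict = strict_matches(ev["url"])
        if loose or strict:
            alerts.append({"ip": ev["ip"], "url": ev["url"],
                           "rule_31110": loose, "strict": strict})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "" if a["strict"] else "  (substring match only: likely false positive)"
        print(f"{a['ip']:15} {a['url']}{flag}")
```

Running it shows three of the four constructed lines hitting the rule as written, with the "?-search=ossec" request flagged only by the substring test; if that kind of query is common on a site, the rule's level or the pattern list is the place to tune it.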
Posted in ossec, ossec-rules by Daniel Cid (dcid)