OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:

<rule id="31110" level="6">
<description>PHP CGI-bin vulnerability attempt.</description>

It looks for the possibly dangerous options (-d,-s,-a,-b and -w) and alerts if it sees those. This is the alert it generates when detected:

** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

This rule is also in my repository and you can download the latest from here.


  1. I know this if off topic but I’m looking into starting my own blog and was wondering
    what all is needed to get setup? I’m assuming
    having a blog like yours would cost a pretty penny?
    I’m not very internet smart so I’m not 100% sure.
    Any suggestions or advice would be greatly appreciated. Kudos

Leave a Reply

Your email address will not be published. Required fields are marked *