{"id":13,"date":"2012-05-09T22:55:00","date_gmt":"2012-05-09T22:55:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=13"},"modified":"2020-06-29T23:07:44","modified_gmt":"2020-06-29T23:07:44","slug":"ossec-rule-for-the-php-cgi-vulnerability","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2012\/05\/ossec-rule-for-the-php-cgi-vulnerability\/","title":{"rendered":"OSSEC rule for the PHP-CGI vulnerability"},"content":{"rendered":"\n<p>I am seeing many scans for the <a href=\"http:\/\/blog.sucuri.net\/2012\/05\/php-cgi-vulnerability-exploited-in-the-wild.html\">PHP-CGI vulnerability<\/a> in the wild and put up a quick OSSEC rule to detect\/block those:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;rule id=\"31110\" level=\"6\">\n&lt;if_sid>31100&lt;\/if_sid>\n&lt;url>?-d|?-s|?-a|?-b|?-w&lt;\/url>\n&lt;description>PHP CGI-bin vulnerability attempt.&lt;\/description>\n&lt;group>attack,&lt;\/group>\n&lt;\/rule><\/code><\/pre>\n\n\n\n<p>It looks for the php-cgi command-line options that the vulnerability lets a remote client pass through the query string (-d, which sets php.ini directives and is the one used for code execution, plus -s, -a, -b and -w) and alerts if it sees any of them. 
This is the alert it generates when detected:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>** Alert 1336547515.182029: - web,accesslog,attack,\n2012 May 09 03:11:55 (honeypot3) any->\/var\/log\/httpd\/access.log\nRule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'\nSrc IP: 93.233.72.66\n93.233.72.66 - - &#91;09\/May\/2012:07:11:55 +0000] \"GET \/index.php?-s HTTP\/1.1\" 200 39479 \"-\" \"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko\/20100101 Firefox\/12.0\"\n<\/code><\/pre>\n\n\n\n<p>This rule is also in my repository and you can download the latest from&nbsp;<a href=\"https:\/\/bitbucket.org\/dcid\/ossec-hids\/get\/tip.tar.gz\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I am seeing many scans for the&nbsp;PHP-CGI vulnerability&nbsp;in the wild and put up a quick OSSEC rule to detect\/block those: &nbsp;It looks for the possibly dangerous options (-d,-s,-a,-b and -w) and alerts if it sees those. This is the alert it generates when detected: This rule is also in my repository and you can download 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/13"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=13"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":14,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/13\/revisions\/14"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
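The rule above is a plain substring test on the request URL, so it is worth seeing exactly what it does and does not catch. The following Python is an added example, not code from the post or from OSSEC: it re-implements the `<url>` test over Apache access-log lines, then adds one check the rule as written lacks. Apache passes a query string that contains no unencoded `=` to a CGI program as command-line arguments, split on `+` and URL-decoded, which is the mechanism behind this vulnerability (CVE-2012-1823); an attacker can therefore send `?%2Ds` and php-cgi still receives `-s`, while the literal `?-s` pattern never matches. The first log line is the one from the alert above; the others are constructed. Function names, the sample IPs and the log lines are all assumptions for this example.

```python
"""Re-implementation of the page's OSSEC rule 31110 over Apache access-log lines.

Added example, not OSSEC code. Two checks are shown side by side:
  * ossec_rule_matches(): the literal substring test the <url> element performs
  * php_cgi_probe(): the same test after mimicking how Apache hands a query
    string to a CGI as argv (split on '+', URL-decode, only when the raw query
    has no '='), so percent-encoded variants are caught as well.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The five php-cgi options the page's rule watches for (same list as its <url>).
DANGEROUS_OPTS = ("-d", "-s", "-a", "-b", "-w")

# Apache combined log format; only the client IP and the request URL are used.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def ossec_rule_matches(url: str) -> bool:
    """Literal equivalent of <url>?-d|?-s|?-a|?-b|?-w</url>: a substring test."""
    return any(("?" + opt) in url for opt in DANGEROUS_OPTS)


def php_cgi_probe(url: str) -> Optional[str]:
    """Return the option php-cgi would receive as argv, or None.

    Mirrors the CGI argument-passing rule: a query string with no unencoded
    '=' is split on '+' and each piece URL-decoded before it reaches argv.
    A query such as 'page=-s' is ordinary GET data and is never an argument.
    """
    if "?" not in url:
        return None
    query = url.split("?", 1)[1]
    if "=" in query:  # checked on the raw query: an encoded %3d does not count
        return None
    for arg in query.split("+"):
        arg = unquote(arg)
        for opt in DANGEROUS_OPTS:
            if arg.startswith(opt):
                return opt
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, url, option) for every request that is a php-cgi probe."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; OSSEC's decoder would skip it too
        opt = php_cgi_probe(m.group("url"))
        if opt:
            hits.append((m.group("ip"), m.group("url"), opt))
    return hits


# Constructed sample log. The first line is the request shown in the alert on
# this page; the remaining lines and their IPs are made up for the example.
SAMPLE_LOG = [
    '93.233.72.66 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0"',
    # same probe with the dash percent-encoded; the literal OSSEC pattern misses this
    '198.51.100.7 - - [09/May/2012:07:12:01 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 39479 "-" "curl/7.22"',
    # the -d form used for code execution; '=' is encoded so Apache treats the query as argv
    '198.51.100.7 - - [09/May/2012:07:12:02 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 12 "-" "curl/7.22"',
    # benign: a parameter value that merely looks like an option
    '203.0.113.9 - - [09/May/2012:07:13:00 +0000] "GET /index.php?page=-s HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # benign: ordinary request
    '203.0.113.9 - - [09/May/2012:07:13:05 +0000] "GET /search?q=ossec+rules HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, url, opt in scan_access_log(SAMPLE_LOG):
        literal = "caught" if ossec_rule_matches(url) else "MISSED"
        print(f"{ip} {url} -> php-cgi gets {opt}; literal rule: {literal}")
```

Running it flags three of the five lines; the `?%2Ds` request is reported as missed by the literal pattern. If you want the OSSEC rule itself to cover that case, one option (my suggestion, not something the post does) is to extend its `<url>` element with the encoded forms, for example `?%2d` and `?%2D` for each option, since OSSEC does not URL-decode the field before matching.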