I've been receiving requests for unexpected URLs on my server.
Specifically one for /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
This seems to be happening every few hours.
I ran the URL through http://www.url-encode-decode.com/ and it comes out as:
phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n
What is the attacker trying to do here?
The attacker is trying to make use of CVE-2012-1823; this only applies if your PHP is used in CGI mode (mod_php is not vulnerable to this).
Using -d parameter injection into the PHP binary, the attacker disables various protection mechanisms your PHP might have in place and executes PHP code directly by using auto_prepend_file (which automatically executes PHP code before processing any PHP file), while php://input is a stream of the POST request data.
Unless your web server logging is custom, you probably won't find out what the attacker had in the POST request (POST data is not normally logged).
Check your PHP, e.g. using a script like this:
<?php phpinfo();
The PHP version is on the first line; compare that to the CVE definition. If you're using a vulnerable version, update it ASAP. Also look for the Server API line there: if it does not contain something with CGI, you should be safe for the moment, but using an obsolete PHP version is never good.
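As an added example (not part of the question or the answer above), the following Python script shows the mechanism the answer describes and turns it into a log check. It reproduces how a CGI server builds argv from a query string: per RFC 3875 section 4.4, a query string with no unencoded "=" may be handed to the script as command-line arguments, split on "+" and percent-decoded word by word. That is why the probe in the question encodes every "=" as %3D; a literal "=" would have made it an ordinary GET query and the -d switches would never reach php-cgi. The script then scans access-log lines for requests whose reconstructed argv starts with a switch and pulls out the injected ini directives. The log format (Apache combined), the IP addresses and all log lines except the first (which is the request from the question) are constructed for illustration; it also covers the "?-s" source-disclosure variant of the same flaw, which the question does not show.

```python
"""Spot CVE-2012-1823-style php-cgi argument injection in web server logs.

Added example, not code from the original page. Assumes Apache combined log
format; the sample lines below are constructed, except the first request,
which is the one reported in the question.
"""
import re
from urllib.parse import unquote

# Constructed sample log: line 1 is the probe from the question, line 2 a benign
# request, line 3 a lightly obfuscated variant, line 4 the "-s" source-disclosure
# probe that abuses the same flaw, line 5 a '='-free query that is harmless.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2013:03:12:45 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2013:03:13:01 +0000] "GET /index.php?page=about&id=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2013:07:40:10 +0000] "POST /cgi-bin/php?-d+auto_prepend_file%3Dphp://input+-n HTTP/1.1" 200 88 "-" "curl/7.29.0"
203.0.113.9 - - [10/May/2013:07:40:11 +0000] "GET /index.php?-s HTTP/1.1" 200 2200 "-" "curl/7.29.0"
198.51.100.5 - - [10/May/2013:08:00:00 +0000] "GET /search?ubuntu+cgi HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Directives whose injection turns php-cgi into a code-execution primitive.
CODE_EXEC_DIRECTIVES = {"auto_prepend_file", "allow_url_include"}


def build_cgi_argv(query: str):
    """Reproduce how a CGI server turns a '='-free query string into argv.

    A query containing an unencoded '=' is ordinary GET data and yields no argv;
    otherwise the server splits on '+' and percent-decodes each word (RFC 3875 4.4).
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]


def injected_directives(argv):
    """Extract (name, value) pairs from -d switches; php accepts '-d k=v' and '-dk=v'."""
    pairs = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            setting, i = argv[i + 1], i + 2
        elif arg.startswith("-d") and len(arg) > 2:
            setting, i = arg[2:], i + 1
        else:
            i += 1
            continue
        name, _, value = setting.partition("=")
        pairs.append((name, value))
    return pairs


def analyse_line(line: str):
    """Return a finding dict when the request would hand switches to php-cgi, else None."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    argv = build_cgi_argv(query)
    if not any(arg.startswith("-") for arg in argv):
        return None  # ordinary parameters, or a word-list query with no switches
    directives = injected_directives(argv)
    return {
        "client": line.split(" ", 1)[0],
        "path": unquote(path),
        "argv": argv,
        "directives": directives,
        "code_exec": any(name in CODE_EXEC_DIRECTIVES for name, _ in directives),
    }


def scan_log(text: str):
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["path"], finding["argv"], finding["code_exec"])
```

The "code_exec" flag is what to alert on: a request that reaches php-cgi's argv with auto_prepend_file=php://input (or allow_url_include=on) is an attempt to run the POST body as PHP, and since the body is not in the access log, the log line is usually all you will have to work from. Runs on a real log with `scan_log(open("access.log").read())`.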