
Is my site being attacked? Suhosin simulation, very strange activity in IP Log

I will preface this question by saying I am NOT a web developer, nor do I have much knowledge in this field. I am a business owner and have a low volume website that my customers purchase products on. I've noticed this set of queries a few minutes ago and they appear very suspicious to me, a layperson. It looks as if they are trying to pull data from my database? I could be totally wrong, but someone please let me know what they think is going on here.

Notes:

  1. All are listed with method of POST when most normal viewers are listed as GET.
  2. Everything below occurs immediately after my domain name, e.g. examplesite.com/xxxxxxxx

Here are the queries:

 /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n

 /cgi-bin/php5?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n

 /cgi-bin/php4?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D""+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n

And about 6 more similar queries.

Notes: when I follow that link, my site gives an error of page not found. When I try to go to site.com/cgi-bin/ I get a stock 403 forbidden error from my host.

Thoughts please? Am I being paranoid here?

Edit: Also, in my file manager, my cgi-bin folder is empty: 'this directory is empty'.

user3100907 asked Dec 13 '13 21:12


2 Answers

Any website accessible on the internet gets pounded by automated attack attempts like this all the time. You can expect your server logs to be filled with this sort of thing. Most are nothing to worry about.

The best thing you can do is have someone monitor the security of your site for you. Whoever designed your site should have been following best practices, which take care of most security issues. If you are buying a web hosting plan (vs a VPS or dedicated server), then your web host will generally take care of security from the server standpoint.

Of course, there are always ways to attack a site. Keep an eye out for defaced pages. If you are storing any customer data, you should hire an expert.

Brad answered Sep 25 '22 21:09


It is just bots probing for vulnerabilities. Happens to pretty much everyone.

user602525 answered Sep 21 '22 21:09
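
An added example, not part of the question or either answer: a Python script that decodes requests like the ones in the question, lists the PHP settings each one tries to override, and pairs that with the status code the server returned. The log lines are constructed (shortened versions of the question's query strings, documentation IP addresses), and treating 4xx as "rejected" is an assumption used as a triage heuristic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format, documentation IPs); the
# probe query strings are shortened versions of the ones in the question.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2013:21:02:11 +0000] "POST /cgi-bin/php?-d+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" 404 312
203.0.113.7 - - [13/Dec/2013:21:02:12 +0000] "POST /cgi-bin/php5?-d+suhosin%2Esimulation%3Don+-d+open_basedir%3Dnone+-n HTTP/1.1" 403 298
198.51.100.20 - - [13/Dec/2013:21:03:40 +0000] "GET /products?id=42&sort=-d HTTP/1.1" 200 5120
192.0.2.55 - - [13/Dec/2013:21:09:02 +0000] "POST /cgi-bin/php4?-d+allow_url_include%3Don+-n HTTP/1.1" 200 17
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_probe(target):
    """Return the php.ini overrides a request tries to set, or None."""
    _, _, query = target.partition("?")
    # Under the CGI spec a query string with no unencoded "=" is handed to the
    # program as command-line arguments, so "-d+name%3Dvalue" becomes a switch.
    if "=" in query or not query.startswith("-"):
        return None
    args = unquote_plus(query).split()
    overrides = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-d" and "=" in value:
            name, _, setting = value.partition("=")
            overrides[name] = setting
    return overrides or None


def triage(log_text):
    """Return (client, path, status, overrides, verdict) per probe line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        overrides = parse_probe(m.group(3)) if m else None
        if overrides is None:
            continue
        client, _method, target, status = m.groups()
        # Heuristic: a 4xx means the server refused or found nothing there;
        # any other status on one of these requests deserves a closer look.
        verdict = "rejected" if status.startswith("4") else "investigate"
        findings.append((client, target.partition("?")[0], int(status), overrides, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The ordinary `GET /products?id=42&sort=-d` line is skipped because its query string contains an unencoded `=`, which is what separates normal form parameters from the argument-style requests in the question.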