url include

wilderness

4:10 pm on May 8, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

might somebody tell me what's going on here?
I realize they are trying to POST, however what's the purpose?
Are they trying to hijack URL's

91.224.160.zzz - - [08/May/2012:16:50:33 +0100] "POST /MyDirectory/MyPage.html?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input

I've the Class A denied.
The UA caught a denial.
POST would also be denied.

keyplyr

4:16 am on May 9, 2012 (gmt 0)

Looks like they may be attempting to attach a file for some purpose, but there is no file there unless you removed it. PHP is often a security hole if not patched so quite often php ports are scanned, but there is usually a file path to a script at the end.

wilderness

5:28 am on May 9, 2012 (gmt 0)

Thanks keyplyr.

That page used to (more than three years ago) have a PHP submission form.

Any PHP vulnerability wouldn't work anyway on the html page.

iamzippy

6:44 pm on May 9, 2012 (gmt 0)

For anyone who considers PHP vulns a likely issue, this may be of interest... Active Exploit Attempts for PHP-CGI Vuln [blog.spiderlabs.com]

[edited by: incrediBILL at 10:19 pm (utc) on May 9, 2012]
[edit reason] fixed URL [/edit]

dstiles

8:27 pm on May 9, 2012 (gmt 0)

That link failed for me but note that there are new updates for PHP to cover serious flaws that were recently accidentally exposed.

From threatpost.com...

"The vulnerability affects PHP sites in CGI-based setups and can enable an attacker to get access to the site's source code by passing certain queries to the PHP binary as command-line arguments. The bug was disclosed last week before a patch was available through a mistake in the PHP Group's internal bug-handling system."

So it could be the reason for wilderness' hack attempt.

keyplyr

9:51 pm on May 9, 2012 (gmt 0)

A year ago, one of my sites on a shared hosting service was hacked. The perp didn't gain access through my site, but through another account residing on my server because that web master was using custom php scripting with improper permissions in a directory, and probably Globals set to On in the php.ini.

grandma genie

5:33 pm on May 23, 2012 (gmt 0)

Just found this in my logs today. Did this guy gain access?

177.8.168.n - - "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 302 - "-" "-"

This was the suggested htaccess addition:
RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

I have an ecommerce site using osCommerce. Suggestions?
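An added example, not posted by anyone in this thread: a Python scan that applies the same test as the suggested RewriteCond lines to sample log lines (constructed here, with placeholder addresses), decodes the php -d directives such a request carries, and separates a genuine PHP-CGI probe from a query the rule would block only because it contains a hyphen and no `=`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in the shape of those posted in the thread;
# the addresses are documentation-range placeholders, not real indicators.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2012:16:50:33 +0100] "POST /MyDirectory/MyPage.html?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 403 - "-" "-"
192.0.2.11 - - [23/May/2012:17:20:01 +0100] "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-n HTTP/1.1" 302 - "-" "-"
192.0.2.12 - - [23/May/2012:17:21:44 +0100] "GET /index.php?page=about&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.13 - - [23/May/2012:17:22:09 +0100] "GET /catalog?sort-by-price HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')

def raw_query(path):
    """Undecoded query string, which is what Apache exposes as %{QUERY_STRING}."""
    _, sep, qs = path.partition("?")
    return qs if sep else ""

def htaccess_rule_blocks(qs):
    """Same test as the two RewriteCond lines: no literal '=' in the raw query
    (the probes encode it as %3d) and a '-' or '%2d' present, case-insensitive."""
    return "=" not in qs and re.search(r"%2d|-", qs, re.IGNORECASE) is not None

def php_cgi_directives(qs):
    """Decode the query as php-cgi would see it on its command line and list the
    values handed to -d, i.e. the ini settings the request tries to override."""
    decoded = unquote_plus(qs)
    return re.findall(r"(?:^|\s)-d\s+(\S+)", decoded)

def classify(qs):
    """'probe': -d directives present; 'rule-only': the htaccess rule would
    reject it although no directive is present (a false positive); 'clean'."""
    if php_cgi_directives(qs):
        return "probe"
    return "rule-only" if htaccess_rule_blocks(qs) else "clean"

def scan_log(text):
    """(ip, method, status, verdict, directives) for every parsable log line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            qs = raw_query(path)
            rows.append((ip, method, int(status), classify(qs), php_cgi_directives(qs)))
    return rows

if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print(row)
```

The last sample shows the cost of the rule: a legitimate query string such as `sort-by-price` is refused too, so review what it would block on your own site before deploying it.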

wilderness

6:25 pm on May 23, 2012 (gmt 0)

HTTP/1.1" 302 -

gg,
the 302 is a redirect to another page.

grandma genie

6:48 pm on May 23, 2012 (gmt 0)

Hi wilderness. I am such a doofus. What could they possibly be doing with the redirect? Scenarios? What can I do about it? I have contacted my host. I have blocked the 177 IP. I have added the htaccess code. Anything else?

g1smd

7:12 pm on May 23, 2012 (gmt 0)

They don't "do" anything with the redirect. Your server creates the redirect.

Your site returns "302" for their initial request. The "302" response also tells them to make a new request for a different URL - which they may or may not have done. However, if they did make a new request be aware that any attached parameters are stripped in a redirect when the operation is a POST.

[edited by: g1smd at 7:26 pm (utc) on May 23, 2012]

grandma genie

7:25 pm on May 23, 2012 (gmt 0)

OK, I guess what I am trying to say is I would prefer that the server I am on not process any request that looks like that. The htaccess code should be doing that in future. I can't read the request. It is gibberish to me. Can someone please translate it?

I'm guessing it is a random probe. Should I be worried?

dstiles

8:40 pm on May 23, 2012 (gmt 0)

Check out [webmasterworld.com...]