These error messages appearing in /var/log/apache2/error.log indicate a probing attempt:

```text
[Thu Oct 31 06:59:04 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php
[Thu Oct 31 06:59:08 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Thu Oct 31 06:59:09 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
```
This is essentially a scanner looking for vulnerable PHP-CGI installations (CVE-2012-1823 vulnerability). The attacker is checking multiple common PHP-CGI executable locations.
Option 1: Disable CGI module if unused
```shell
sudo a2dismod cgi
sudo service apache2 restart
```
Option 2: Implement security restrictions
Add this to your Apache config (/etc/apache2/conf-enabled/security.conf):

```apache
<Directory "/usr/lib/cgi-bin">
    Require all denied
</Directory>
```
For Ubuntu 12.04 systems:
- Upgrade PHP to a supported version (PHP 5.3 is EOL):

  ```shell
  sudo apt-get install python-software-properties
  sudo add-apt-repository ppa:ondrej/php
  sudo apt-get update
  sudo apt-get install php5.6
  ```

- Update Apache modules:

  ```shell
  sudo a2enmod php5.6
  sudo service apache2 restart
  ```
Create /etc/fail2ban/filter.d/apache-php-cgi-probe.conf:

```ini
[Definition]
# Apache writes the timestamp and the level before the client address, so the
# pattern has to consume "[...] [error] [client " before <HOST>. fail2ban cuts
# the timestamp out of the line before matching, leaving "[]", which is why the
# first bracket group uses * rather than +. (:\d+)? accepts the ":port" suffix
# that Apache 2.4 appends to the client address.
failregex = ^\[[^\]]*\] \[error\] \[client <HOST>(:\d+)?\] script not found or unable to stat: /usr/lib/cgi-bin/php
ignoreregex =
```
Then add to jail.local:
```ini
[apache-php-cgi-probe]
enabled = true
port = http,https
filter = apache-php-cgi-probe
logpath = /var/log/apache2/error.log
maxretry = 3
findtime = 3600
bantime = 86400
```
After implementing changes:
```shell
sudo tail -f /var/log/apache2/error.log
sudo fail2ban-client status apache-php-cgi-probe
php -v
```
This should show your updated PHP version and no more probing attempts getting through.
When checking my Apache error logs (/var/log/apache2/error.log), I noticed multiple attempts to access non-existent PHP CGI scripts:

```text
[Thu Oct 31 06:59:04 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php
[Thu Oct 31 06:59:08 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Thu Oct 31 06:59:09 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Thu Oct 31 06:59:14 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Thu Oct 31 06:59:14 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php4
```
These errors indicate someone is probing your server for vulnerable PHP CGI configurations. While the attempts failed (because the files don't exist), it's a clear sign of automated scanning for common PHP-CGI vulnerabilities like CVE-2012-1823.
1. Verify your PHP installation:
```shell
sudo apt-get install php5-cgi
```
2. Check your CGI configuration:
```apache
# In /etc/apache2/mods-enabled/cgi.load
LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so
```
3. Secure your CGI directory:
```apache
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
    Require all granted
</Directory>
```
If you're not using CGI scripts, you can completely disable this feature:
```shell
sudo a2dismod cgi
sudo service apache2 restart
```
Consider adding these IPs to your firewall rules or fail2ban configuration. Here's a sample fail2ban filter:
```ini
[Definition]
failregex = ^.*\[error\] \[client <HOST>\] script not found or unable to stat: /usr/lib/cgi-bin/php.*$
```
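Both answers end with a fail2ban filter for these error_log lines, and a failregex is easy to get subtly wrong (the timestamp and level come before the client address, so anything anchored at `^<HOST>` never fires). The script below is an added example, not code from either post or from the fail2ban project: it applies a failregex of the same shape to a constructed sample of Apache 2.2 error_log lines, expands the `<HOST>` macro in a simplified version of what fail2ban does, and then applies the jail's maxretry/findtime counting rule to show which client would be banned. The sample lines, the RFC 5737 documentation addresses in them and the `(:\d+)?` port handling for Apache 2.4 are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/apache2/error.log in the Apache 2.2 format
# shown in the post. The client addresses are documentation ranges (RFC 5737),
# not real scanners; the probed paths mirror the ones listed above.
SAMPLE_LOG = """\
[Thu Oct 31 06:59:04 2013] [error] [client 192.0.2.10] script not found or unable to stat: /usr/lib/cgi-bin/php
[Thu Oct 31 06:59:08 2013] [error] [client 192.0.2.10] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Thu Oct 31 06:59:09 2013] [error] [client 192.0.2.10] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Thu Oct 31 06:59:14 2013] [error] [client 192.0.2.10] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Thu Oct 31 07:30:00 2013] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Thu Oct 31 08:15:22 2013] [error] [client 198.51.100.7] script not found or unable to stat: /usr/lib/cgi-bin/php
"""

# A failregex as it would appear in a fail2ban filter file. fail2ban removes the
# timestamp it recognised from the line before matching, leaving "[] [error] ...",
# so the leading bracket group uses * rather than + to accept both the raw line
# (matched here) and the stripped one. (:\d+)? absorbs the ":port" suffix that
# Apache 2.4 appends to the client address (assumption: not needed on 2.2).
FAILREGEX = (r"^\[[^\]]*\] \[error\] \[client <HOST>(:\d+)?\] "
             r"script not found or unable to stat: /usr/lib/cgi-bin/php\S*$")

# fail2ban substitutes a named group for the <HOST> macro before compiling.
# This is a simplified stand-in covering IPv4 addresses and hostnames.
HOST_GROUP = r"(?P<host>[\w\-.]*\w)"

# Apache 2.2 timestamp, e.g. "[Thu Oct 31 06:59:04 2013]" (day may be space-padded).
TIMESTAMP_RE = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_timestamp(line):
    """Return the datetime at the start of an Apache 2.2 error_log line."""
    m = TIMESTAMP_RE.match(line)
    if m is None:
        raise ValueError("line has no Apache timestamp: %r" % line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


def find_probes(log_text, failregex=FAILREGEX):
    """Return (timestamp, host) for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m is not None:
            hits.append((parse_timestamp(line), m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=3600):
    """Apply the jail's counting rule: a host is banned once it has `maxretry`
    matches inside any window of `findtime` seconds."""
    window = timedelta(seconds=findtime)
    per_host = defaultdict(list)
    for ts, host in sorted(hits):
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        # times are sorted, so it is enough to check every run of maxretry
        # consecutive hits for one that fits inside the window
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for ts, host in hits:
        print(ts.isoformat(), host)
    print("would ban:", sorted(hosts_to_ban(hits)))
    # A pattern anchored at ^<HOST> matches nothing, because the timestamp and
    # level precede the client address on every error_log line.
    print("matches for ^<HOST> pattern:",
          len(find_probes(SAMPLE_LOG, r"^<HOST>.*script not found or unable to stat")))
```

With the defaults from the jail above (maxretry = 3, findtime = 3600) only the scanning client is reported, because the second address produced a single matching line. Against the real log and the real filter file, `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-php-cgi-probe.conf` performs the same check with fail2ban's own matcher and should be run before restarting the service.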