Someone testing for CGI?

BottyZ

Member
Jul 31, 2015
Nottingham UK
cPanel Access Level
Root Administrator
Hi all,

Really quick query for you I'd imagine. I've started seeing the occasional cgi error appearing in my error log on the vps, such as the following:

Code:
[Sun Jan 17 13:25:19.808822 2016] [cgi:error] [pid 7648] [client 191.236.119.223:1129] AH01215: (13)Permission denied: exec of '/usr/local/apache/cgi-bin/test-cgi' failed: /usr/local/apache/cgi-bin/test-cgi
[Sun Jan 17 13:25:19.809020 2016] [cgi:error] [pid 7648] [client 191.236.119.223:1129] End of script output before headers: test-cgi
Code:
[Thu Jan 14 17:20:53.060766 2016] [cgi:error] [pid 15159] [client 76.245.202.19:56494] AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/php4
[Thu Jan 14 17:20:53.320570 2016] [cgi:error] [pid 14712] [client 76.245.202.19:56502] AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/php5
[Thu Jan 14 17:20:54.117204 2016] [cgi:error] [pid 15225] [client 76.245.202.19:56535] AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/php
[Thu Jan 14 17:20:54.397840 2016] [cgi:error] [pid 16299] [client 76.245.202.19:56544] AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/php5-cli
[Thu Jan 14 17:20:55.217138 2016] [cgi:error] [pid 15329] [client 76.245.202.19:56582] AH02811: script not found or unable to stat: /usr/local/cpanel/cgi-sys/php5
[Thu Jan 14 17:20:55.477713 2016] [cgi:error] [pid 15146] [client 76.245.202.19:56592] AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/php.fcgi
[Thu Jan 14 17:20:55.734498 2016] [cgi:error] [pid 16404] [client 76.245.202.19:56605] AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/index.cgi
I don't have any cgi scripts and have disabled them as far as I know. The only user on the vps is for my employer's website and is managed by me (so no external users). The error above looks as if someone is attempting to use a cgi script on the vps, but is failing due to the fact it's not enabled.

Is it something to worry about? Would someone have to have already gained access to the vps to be able to even attempt the above?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You can block the individual IP addresses in your firewall. I suggest installing a firewall management utility such as CSF if you have not already done so. The requests on their own are not harmful, but rather indicate an access attempt from a person or script that's likely checking for vulnerabilities.

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
It is likely someone scanning for the old Shellshock exploit (which has been patched for some time), but you would need the Apache access logs from around that same time to verify.
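The check suggested in the last reply, as an added example that is not part of any post in the thread: it pairs each `cgi:error` entry with access-log requests from the same client within a couple of seconds and flags requests whose Referer or User-Agent carries the `() {` marker typical of Shellshock probes. The access-log lines, the combined log format, and the 2-second window are assumptions; only the error-log lines come from the thread.

```python
import re
from datetime import datetime, timedelta

# Apache 2.4 error-log line, as shown in the thread.
ERR_RE = re.compile(r"\[(?P<ts>[^\]]+)\] \[cgi:error\] \[pid \d+\] "
                    r"\[client (?P<ip>[\d.]+):\d+\] (?P<msg>.*)")
# Combined access-log format (assumed; adjust to the server's LogFormat).
ACC_RE = re.compile(r'(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d{3} \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"')
MARK = "() {"  # bash function-definition prefix that Shellshock probes put in headers

def parse_errors(lines):
    for m in filter(None, map(ERR_RE.match, lines)):
        yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"), m["ip"]

def parse_access(lines):
    for m in filter(None, map(ACC_RE.match, lines)):
        # Error-log timestamps carry no offset, so drop it here (assumes same zone).
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        yield ts, m["ip"], m["req"], MARK in m["ref"] or MARK in m["ua"]

def correlate(error_lines, access_lines, window=timedelta(seconds=2)):
    """Match each cgi:error to same-client access-log hits within `window`."""
    access = list(parse_access(access_lines))
    hits = {}  # keyed per request, so two error lines for one request count once
    for ets, ip in parse_errors(error_lines):
        for ats, aip, req, marked in access:
            if aip == ip and abs(ets - ats) <= window:
                hits[(ip, ats, req)] = marked
    return [(ip, req, marked) for (ip, _, req), marked in hits.items()]

# Error lines copied from the thread; access lines are constructed samples.
ERROR_SAMPLE = [
    "[Sun Jan 17 13:25:19.808822 2016] [cgi:error] [pid 7648] [client 191.236.119.223:1129] "
    "AH01215: (13)Permission denied: exec of '/usr/local/apache/cgi-bin/test-cgi' failed: "
    "/usr/local/apache/cgi-bin/test-cgi",
    "[Sun Jan 17 13:25:19.809020 2016] [cgi:error] [pid 7648] [client 191.236.119.223:1129] "
    "End of script output before headers: test-cgi",
    "[Thu Jan 14 17:20:53.060766 2016] [cgi:error] [pid 15159] [client 76.245.202.19:56494] "
    "AH02811: script not found or unable to stat: /usr/local/apache/cgi-bin/php4",
]
ACCESS_SAMPLE = [
    '191.236.119.223 - - [17/Jan/2016:13:25:19 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" '
    '500 527 "-" "() { :; }; echo constructed-sample"',
    '76.245.202.19 - - [14/Jan/2016:17:20:53 +0000] "GET /cgi-bin/php4 HTTP/1.1" '
    '404 210 "-" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [17/Jan/2016:13:25:20 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Calling `correlate(ERROR_SAMPLE, ACCESS_SAMPLE)` returns one `(client, request, marked)` tuple per matched request; `marked` is `True` only where the header marker was logged, which is what separates a Shellshock probe from a plain path scan.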