[CentOS] Strange Apache log entry

Sun Aug 22 22:33:31 UTC 2010
Gilbert Sebenste <sebenste at weather.admin.niu.edu>

On Sun, 22 Aug 2010, Gordon Messmer wrote:

> No, they didn't.  That's why you were warned that it was a potentially
> successful probe.
>
> The exploit requires that you are running php and have a script that
> includes a file referenced by the global variable "g" (or maybe the http
> request varible "g").  You should check the files that appear at the
> URLs indicated in your logs.  If any of those files are php, then you
> should further check those to see if they might include files based on
> the "g" variable.  If so, you may have been compromised.

Hello Gordon,

Thanks...you are right, those aren't 404 errors, I was looking at
something else. I checked through my logs, checked a bunch of files,
directories, and such...everything appears to be in order. I tried the
URL's they tried and all I got was my website and a 404 error for the two
links. I do have PHP installed, but I don't have any PHP scripts
running. If anyone else has any other suggestions, though, I'll keep
digging.

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
*******************************************************************************