The attacks most likely take advantage of register_globals, so as long as it's off you should be OK. In your logging script it should be very simple and you should not use relative paths (to the logging file, that's what the include_path URLs are trying to attack).
Sorry to be dense, but how do the include_path URLs take advantage of relative paths? I figured that the malicious URLs (text files) were just using my site's server as a resource to serve another site---i.e. to run malicious .php code?
I do have these set to "Off" in php.ini:
file_uploads = Off
allow_url_fopen = Off
allow_url_include = Off
Here is my mod_rewrite; I guess it would be clearer to say that I do a rewrite in .htaccess and a redirect in php. In addition to %{THE_REQUEST}, I also check %{REQUEST_URI} and %{QUERY_STRING} for these matches:
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{THE_REQUEST} chdir|upload|include_path|hack|file|http://|ftp [NC,OR]
RewriteCond %{THE_REQUEST} paypal|config|myftp|include|txt [NC,OR]
RewriteCond %{THE_REQUEST} dll|apache|\.\.+|//+|%0a|%0d [NC]
RewriteRule (.*) http://mydomain.com/404.php?error_here=true
# SAW THESE ON ANOTHER FORUM AND PUT THEM IN JUST IN CASE.......
RewriteCond %{REQUEST_METHOD} ^CONNECT$ [OR]
RewriteCond %{REQUEST_METHOD} ^SEARCH$
RewriteRule ^.*$ %N [F]
When the URL is rewritten to http://mydomain.com/404.php?error_here=true , that URL is redirected (using php) to http://mydomain.com/404.php.
I do the two redirects (rewrites is maybe a better word) to make sure it shows up in the raw access log (maybe overkill). If I remember correctly, it was not showing up in the log without the extra redirect---it was just rewriting the URL in the user's browser.
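The following is an added example, not code from either poster: it replays the three `RewriteCond` patterns quoted above against request lines to show which ordinary requests the substring blocklist would also catch. It assumes Python's `re` treats these simple patterns the same way Apache's regex engine does; the sample request lines are constructed, and `example.invalid` is a placeholder host.

```python
import re

# The three RewriteCond patterns from the post. They are OR'ed together,
# and the [NC] flag corresponds to re.IGNORECASE.
CONDITIONS = [
    r"chdir|upload|include_path|hack|file|http://|ftp",
    r"paypal|config|myftp|include|txt",
    r"dll|apache|\.\.+|//+|%0a|%0d",
]
BLOCKLIST = [re.compile(p, re.IGNORECASE) for p in CONDITIONS]


def matched_tokens(request_line):
    """Return every blocklist token found in the request line.

    RewriteCond patterns are unanchored, so a token matches anywhere,
    including inside an unrelated word.
    """
    hits = []
    for rx in BLOCKLIST:
        hits.extend(m.group(0).lower() for m in rx.finditer(request_line))
    return hits


def is_blocked(request_line):
    return bool(matched_tokens(request_line))


# Constructed request lines in %{THE_REQUEST} form (not from a real log).
SAMPLES = [
    ("probe", "GET /index.php?include_path=http://example.invalid/a.txt HTTP/1.1"),
    ("probe", "GET /index.php?page=../../etc/passwd HTTP/1.1"),
    ("benign", "GET /robots.txt HTTP/1.1"),
    ("benign", "GET /profile.php?id=7 HTTP/1.1"),
    ("benign", "GET /about.html HTTP/1.1"),
    ("benign", "GET /404.php?error_here=true HTTP/1.1"),
]


def false_positives(samples):
    """Benign request lines that the blocklist would still send to 404.php."""
    return [line for label, line in samples if label == "benign" and is_blocked(line)]


if __name__ == "__main__":
    for label, line in SAMPLES:
        tokens = matched_tokens(line)
        print(f"{label:6} {'BLOCK' if tokens else 'pass ':5} {line}  {tokens}")
```

Running the site's own legitimate URLs through a check like this before deploying the rules shows whether tokens such as `file` or `txt` need anchoring or narrowing.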