I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:
<rule id="31110" level="6">
  <if_sid>31100</if_sid>
  <url>?-d|?-s|?-a|?-b|?-w</url>
  <description>PHP CGI-bin vulnerability attempt.</description>
  <group>attack,</group>
</rule>
It looks for the possibly dangerous options (-d, -s, -a, -b and -w) in the request URL and alerts when it sees any of them. This is the alert it generates on a match:
** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: 184.108.40.206
220.127.116.11 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
This rule is also in my repository and you can download the latest from here.
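To tune the rule before deploying it, the same match can be replayed over access-log lines. The script below is an added example, not part of the original rule set or of OSSEC: rule_match approximates the rule's `<url>` patterns as plain substring tests, and strict_match is a hypothetical tighter check that decodes percent-encoding and requires the option to stand alone at the start of the query string. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Patterns taken from the <url> element of rule 31110 on this page.
RULE_PATTERNS = ("?-d", "?-s", "?-a", "?-b", "?-w")
# Apache combined log: client ident user [time] "METHOD URL PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" \d{3} ')
# Assumption of this example: an option is one of the rule's letters and is
# not followed by another letter or digit (so "-sort" is not "-s").
OPTION_RE = re.compile(r"^-[dsabw](?![A-Za-z0-9])")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [09/May/2012:07:12:01 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 39479 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2012:07:12:30 +0000] "GET /shop.php?-sort=price HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [09/May/2012:07:13:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

def rule_match(url):
    """Literal substring test against the rule's patterns (approximation)."""
    return any(p in url for p in RULE_PATTERNS)

def strict_match(url):
    """Decode the query string, then require it to begin with a bare option."""
    _, sep, query = url.partition("?")
    return bool(sep) and OPTION_RE.match(unquote(query)) is not None

def scan(lines):
    """Return (src_ip, url, rule_hit, strict_hit) for every parseable line."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        url = m.group("url")
        results.append((m.group("ip"), url, rule_match(url), strict_match(url)))
    return results

if __name__ == "__main__":
    for ip, url, literal, strict in scan(SAMPLE_LOG):
        print(f"{ip:15} literal={literal!s:5} strict={strict!s:5} {url}")
```

Lines where the two checks disagree are the ones to review: a literal-only hit such as `?-sort=price` is a likely false positive, and a strict-only hit is a request the literal patterns would not flag.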