This appears to be an inbound attack of some kind, yet the IPS alert says it is Outbound. Any thoughts? Also what's with the timestamps? Notice there is about 3 months' time between the event time and then the begin/end time.
Edited: Sorry, completely forgot to mention but this internal IP is our Exchange 2010 server which has Outlook Web App set up for external access via port 443. Technically port 80 is open, but just goes to the IIS (or Exchange) error page since we do not have redirection enabled.
IP Address
Current: 192.168.5.5
When event occurred: 192.168.5.5
Local MAC: N/A
User Name: USER
Operating system: Windows Server 2008 R2 Enterprise Edition
Location Name: Location
Domain Name: SEP Domain 1
Group Name: My Company\SERVERS\2008 R2
Server Name: SERVERNAME
Site Name: SITENAME
Risk Detected
Event Time: 09/19/2014 05:36:49
Begin Time: 06/11/2014 18:08:59
End Time: 06/11/2014 18:08:59
Occurrence: 1
Signature Name: Web Attack: PHP CGI CVE-2012-1823 2
Signature ID: 27798
Signature Sub ID: 71150
Intrusion URL: OUREXTERNALIP/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
Intrusion Payload URL: N/A
Event Description: [SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM
Event Type: Intrusion Prevention
Hack Type: 0
Severity: Critical
Application Name: SYSTEM
Network Protocol: TCP
Traffic Direction: Outbound
Remote IP: SOME IP IN BRAZIL
Remote MAC: N/A
Remote Host Name: N/A
Alert: 1
Local Port: 80
Remote Port: 50198
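
A triage helper for an alert like the one above, as an added example that is not part of the original post or of Symantec's tooling: it parses the `Field: value` lines, percent-decodes the Intrusion URL's query string, checks from the port pair which side acted as the HTTP client, and measures the gap between Begin Time and Event Time. The sample is a constructed subset of the fields above with the URL shortened; the MM/DD/YYYY date format and all function names are assumptions.

```python
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample: a subset of the alert fields, Intrusion URL shortened.
SAMPLE_ALERT = """\
Event Time: 09/19/2014 05:36:49
Begin Time: 06/11/2014 18:08:59
Intrusion URL: OUREXTERNALIP/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E
Traffic Direction: Outbound
Local Port: 80
Remote Port: 50198
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumption: US-style dates, as 09/19 implies


def parse_alert(text):
    """Turn 'Field: value' lines into a dict, splitting on the first ': ' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decoded_query(alert):
    """Percent-decode the Intrusion URL's query string ('+' becomes a space)."""
    _, _, query = alert["Intrusion URL"].partition("?")
    return unquote_plus(query)


def remote_is_client(alert):
    """Heuristic: a well-known local port facing a high remote port means the
    remote host opened the connection, whatever the direction label says."""
    return int(alert["Local Port"]) < 1024 <= int(alert["Remote Port"])


def begin_to_event_days(alert):
    """Whole days from Begin Time to Event Time."""
    begin = datetime.strptime(alert["Begin Time"], TIME_FORMAT)
    event = datetime.strptime(alert["Event Time"], TIME_FORMAT)
    return (event - begin).days


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(decoded_query(alert))
    print("remote is client:", remote_is_client(alert))
    print("days from Begin Time to Event Time:", begin_to_event_days(alert))
```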