Do any of the GET requests in your access log correspond with CGI scripts which might run for a long time? I presume that the access log entry corresponds to when the script starts, not when it ends. The "sh" error messages may thus occur minutes after the corresponding GET entry in the access log.
In my case, the language that I'm using allows for me to request an exception if a shell command exits with a non-zero return code (the "missing quote" error yields RC=1). So, each time I find one of these, I ensure that scripts which ran before the error get updated to trap non-zero return codes. I've found (and fixed) precisely one instance since I started this approach.
Do you have any suggestions for some way of mapping the sh error back
to the IP address making the request (assuming it's an external
request)? That would be helpful in attributing the error to a given
request, but I can't think of a way to do that.
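
An added example, not code from this post: one way to trap non-zero shell return codes inside a CGI script and tag the failure with the client address, so the error-log line can be matched to an access-log entry. Python is an assumption (the post does not name its language), as are the names `run_checked`, `request_context` and `ShellCommandError`; `REMOTE_ADDR` and `REQUEST_METHOD` are standard CGI variables, and `REQUEST_URI` is assumed to be set by the web server.

```python
import os
import subprocess
import sys


class ShellCommandError(RuntimeError):
    """Raised when a shell command exits with a non-zero return code."""


def request_context(environ=None):
    """Collect the CGI variables that identify the request (assumed present)."""
    env = os.environ if environ is None else environ
    return {
        "client": env.get("REMOTE_ADDR", "-"),
        "method": env.get("REQUEST_METHOD", "-"),
        "uri": env.get("REQUEST_URI") or env.get("SCRIPT_NAME", "-"),
    }


def run_checked(command, environ=None, log=sys.stderr):
    """Run `command` through sh; on non-zero exit, log who asked and raise."""
    result = subprocess.run(
        ["sh", "-c", command], capture_output=True, text=True
    )
    if result.returncode != 0:
        ctx = request_context(environ)
        # %r escapes quotes and newlines, so request data that reaches the
        # log cannot forge extra log lines.
        line = "shell-failure rc=%d client=%s method=%s uri=%r cmd=%r stderr=%r" % (
            result.returncode,
            ctx["client"],
            ctx["method"],
            ctx["uri"],
            command,
            result.stderr.strip(),
        )
        # CGI stderr normally ends up in the server's error log.
        print(line, file=log)
        raise ShellCommandError(line)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample request; 203.0.113.7 is a documentation address.
    sample = {"REMOTE_ADDR": "203.0.113.7", "REQUEST_METHOD": "GET",
              "REQUEST_URI": "/cgi-bin/report?name=o'brien"}
    try:
        run_checked("echo 'unterminated", sample)
    except ShellCommandError:
        sys.exit(1)
```
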