I actually worked at a hosting company and received some of the reports in this story, so it is pretty neat to see this post with the results.
What’s the approach to disclosure when a website is notified about a breach like this? All bets are off as to what information has been leaked, so I suppose you wouldn’t be able to guarantee that your users’ data hasn’t been compromised.
Depending on the age of the file you might be able to just check logs for 200 responses to GET /core.
This is a challenge you always have after you learn about a severe security vulnerability. What have you done after Heartbleed? Or any other bug that has the potential to leak information?
To be honest: In this case I’d say just fix it and move on. If you have logs you can check whether someone else has tried to access that file. (To the best of my knowledge this issue wasn’t discussed publicly before my blog post and article today. However, I don’t know if others knew it and used it for attacks.)
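The log check suggested in the comments above, as an added example that is not part of the original thread: it scans access-log lines for successful `GET /core` requests and totals the bytes served per client. It assumes the common/combined log format, goes slightly beyond the comment by also counting 206 partial responses (range downloads), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /core HTTP/1.1" 200 52428800 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:05:12 +0000] "GET /core HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:11:30:45 +0000] "GET /core?x=1 HTTP/1.1" 206 1048576 "-" "Wget/1.21"
192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET /core/index.html HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:12:10:00 +0000] "HEAD /core HTTP/1.1" 200 0 "-" "Wget/1.21"
not a log line
"""

def find_core_downloads(lines, path="/core", statuses=(200, 206)):
    """Return GET requests for exactly `path` that the server answered with content."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m["target"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "GET" or target != path:
            continue
        status = int(m["status"])
        if status not in statuses:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"host": m["host"], "time": m["time"],
                     "status": status, "bytes": size})
    return hits

def bytes_by_client(hits):
    """Total bytes served per client; compare with the core file's size on disk."""
    totals = defaultdict(int)
    for hit in hits:
        totals[hit["host"]] += hit["bytes"]
    return dict(totals)

if __name__ == "__main__":
    found = find_core_downloads(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit["time"], hit["host"], hit["status"], hit["bytes"])
    print(bytes_by_client(found))
```

Logs only reach back as far as their retention period, so an empty result for a file older than the oldest log entry does not show that nobody fetched it.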
I wonder how many shared PHP hosts are vulnerable to information leaking via: