Does this site still have inline suspicious scripts leading to a trojan?

See: http://urlquery.net/report.php?id=71216 nothing detected…
Flagged here: http://www.unmaskparasites.com/web-page-options/?url=http%3A//t00ls.us&susp=1
Suspicious iframe script onload handler; recently there was a post here about a similar issue with disboards dot com,

polonus

Hi Pol,

Yes, the site contains an inline script leading to PHP:Shell-BB[Trj], residing at htxp://www.sh3ll.org/egy.zip, which is correctly blocked by the avast Web Shield; see screenshot.

That is mentioned there, but here I get in all instances an HTTP/1.1 404 Not Found
→ Sh3LL dot org inurl c99.txt inurl c99.php inurl r57.txt inurl r57.php inurl locus.txt inurl locus.php etc.,
see: http://urlquery.net/report.php?id=71216
But as BitdefenderTrafficLight blocks it also, this might be a correct detection,

polonus

Hi Pol,
My bad… that's not just one site that leads to the PHPshell trojan… there are different redirects to PHPshell-BB via different URLs

More screenshots…

Looks like URLquery is somehow unable to interpret the redirects from the site… it seems like an Alexa bar redirect via the site…

I found something more interesting… see screenshot… Looks like the same baddie donovan has seen, doesn't it???

Well here some are reporting similar issues: http://www.mywot.com/en/scorecard/sh3ll.org?utm_source=addon&utm_content=popup-donuts
Site is mentioned at the top of this list: http://hosts-file.net/?s=Browse&f=EMD (malware severity: high risk)
Sh3LL dot org should be blocked. The redirect is missed because of this:

 < !-- saved from url=(0017)htxp://sh3ll dot org/ --> 

All scanners come up green for htxp://t00ls.us/

polonus

https://www.virustotal.com/file/aca5ffc0d054755d15ee74fdd2ae75888821753450a7ab1280a5f9f6137d481e/analysis/1340101750/

This should be reported to avast, I feel :slight_smile:

I guess I found it… :wink:

[nothing detected] (iframe) t00ls.us/./Sh3LL.org
status: (referer=t00ls.us/)saved 503 bytes b643d90ded521792d67224f6208bae2911f657e5
info: [0] no JavaScript
file: b643d90ded521792d67224f6208bae2911f657e5: 503 bytes

Nothing is evident above… but below something should be evident:

Here is the site that causes a redirect to the PHPshell trojan

t00ls.us/ benign
[nothing detected] t00ls.us/
status: (referer=http:/twitter.com/trends/)saved 51356 bytes 787a990853a7adbc5494cfd78c1dfb7c63752bb4
info: [img] t00ls.us/./Sh3LL.org
info: [iframe] t00ls.us/./Sh3LL.org
info: [script] t00ls.us/./Sh3LL.org
info: [decodingLevel=0] found JavaScript
error: undefined variable s
info: [1] no JavaScript
file: 787a990853a7adbc5494cfd78c1dfb7c63752bb4: 51356 bytes
file: 90efc0d974b8958255eda9f2355b041ebeff7631: 93 bytes

We have it flagged now on VT:
https://www.virustotal.com/url/f5d2377b910aa26cbf594c91164741343fb3b719081cd0bb67b3074f61efb941/analysis/1340102811/

polonus
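The jsunpack output above boils down to a handful of static indicators on the page itself: an img, an iframe and a script whose src is the relative path ./Sh3LL.org (a path named after a domain, as browsers produce when a page is saved with its resources), an inline script that references an undefined variable s, an iframe with an onload handler, and an Internet Explorer "saved from url" comment naming sh3ll.org. The scanner below is an added example, not code from this thread or from jsunpack, urlquery or avast; it walks an HTML document with the standard-library parser and reports those indicators. The sample page, the host name t00ls.us as "own host" and the function and finding names are constructed for the demonstration.

```python
"""Added example: static scan of a saved HTML page for the indicators
discussed in this thread (resources pointing at a domain-named relative path
such as ./Sh3LL.org, inline scripts, inline event handlers, hidden iframes
and the MSIE "saved from url" comment).  Not jsunpack/urlquery/avast code;
SAMPLE_HTML is constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Internet Explorer writes "<!-- saved from url=(0017)http://sh3ll.org/ -->"
# when a page is saved to disk; the number is the length of the URL.
MOTW_RE = re.compile(r"saved from url=\((\d+)\)(\S+)")
# A last path segment that looks like a host name, e.g. "Sh3LL.org".
DOMAIN_LIKE_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


class IndicatorParser(HTMLParser):
    """Collect (kind, tag, detail) triples while walking the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()   # host the page was fetched from
        self.findings = []
        self._inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # HTMLParser lowercases names
        if tag in ("iframe", "script", "img") and a.get("src"):
            self._classify_src(tag, a["src"])
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", tag, a.get("src", "")))
        for name, value in attrs:             # onload=, onerror=, ...
            if name.startswith("on") and value:
                self.findings.append(("event-handler", tag, f"{name}={value}"))
        # Only a <script> without src carries inline code in its body.
        self._inline_script = tag == "script" and "src" not in a

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False

    def handle_data(self, data):
        if self._inline_script and data.strip():
            self.findings.append(("inline-script", "script", data.strip()[:80]))

    def handle_comment(self, data):
        m = MOTW_RE.search(data)
        if m:
            self.findings.append(("saved-from", "comment", m.group(2)))

    def _classify_src(self, tag, src):
        parts = urlsplit(src)
        host = parts.hostname                 # None for a relative path
        if host and host.lower() != self.page_host:
            self.findings.append(("external-src", tag, src))
        elif not host:
            last = parts.path.rstrip("/").rsplit("/", 1)[-1]
            if DOMAIN_LIKE_RE.match(last):   # "./Sh3LL.org" style path
                self.findings.append(("domain-named-path", tag, src))

    @staticmethod
    def _is_hidden(a):
        def tiny(v):
            return v is not None and v.strip().rstrip("px") in ("0", "1")
        return tiny(a.get("width")) or tiny(a.get("height"))


def scan_html(page_html, page_host):
    """Return the list of (kind, tag, detail) findings for one page."""
    p = IndicatorParser(page_host)
    p.feed(page_html)
    p.close()
    return p.findings


# Constructed sample page modelled on the indicators reported in the thread.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- saved from url=(0017)http://sh3ll.org/ -->
<html><head><title>constructed sample</title>
<script src="./Sh3LL.org"></script>
<script>var s = s || document.location;</script>
</head><body>
<img src="./Sh3LL.org" width="1" height="1">
<iframe src="./Sh3LL.org" onload="window.location = s" width="0" height="0"></iframe>
<a href="/forum">local link</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, detail in scan_html(SAMPLE_HTML, "t00ls.us"):
        print(f"{kind:18} <{tag}> {detail}")
```

The domain-named-path check is a heuristic for exactly the t00ls.us/./Sh3LL.org pattern seen in the jsunpack listing; a plain external-host src (such as a direct reference to www.sh3ll.org) is reported separately, and an ordinary same-host resource produces no finding.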

Also we have the network activity statistics from here: http://128.111.48.236/view.php?hash=e75f18b939071e7db8c473c1991101c9&t=1340102677&type=js

Still get with Malzilla:

The requested URL /Sh3LL dot org inurl c99.txt inurl c99.php inurl r57.txt inurl r57.php inurl locus.txt inurl locus.php inurl c100.txt inurl c100.php_files/saved_resource.htm was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Think that is conclusive,

polonus

Sure it is… reported to virus@avast.com for analysis.