What is TDS alerting for this risky IP address?

See: http://urlquery.net/report.php?id=75759
2012-06-26 10:29:00 199.115.230.112 urlQuery Client ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell
2012-06-26 10:28:38 95.211.27.206 urlQuery Client ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
2012-06-26 10:28:38 95.211.27.206 urlQuery Client ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS
(see: http://forum.avast.com/index.php?topic=98322.msg784114#msg784114 thanks go to poster !Donovan)
Closed malware from domain: Trojan/Generic.uzmz,
Live malware TR/Agent.35840, TR/Spy.SpyEyes.afpw & TR/Dldr.BoCafe.B
Last mentioned malware is detected by avast: https://www.virustotal.com/file/1ce8eaa54f1c3e13316c96548bf694722b3ea122de5aba3e14ba635489ba20b4/analysis/
and is OVERDUE being active for over 593.3 hrs

polonus

The return I have is a php as gif that can be used for malicious purposes.

“0/38 (0.0%) unknown_html_RFI_php”
https://www.virustotal.com/file/ab52e0fc34097bb56fb6b4ea267858869f5c2f3a9d68c249e1051aad7dfcceed/analysis/

Hi !Donovan,

This is PHP/WebShell PHP/BackDoor.AR PHP malcode via SQL injection
also used in the well-known DNSChanger Malware.

Main culprit is login.php because it is not filtering variables correctly. This is a form-based attack. Each HTML form will be processing and submitting form elements using PHP scripts; if it has written something like action=”<?php echo $PHP_SELF;?>”, this will mean the PHP script is calling itself and the processing thereof is done within the same script.
Quote info source: virus.eu's pentester and ethical hacker Saad Abbasi

polonus
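The self-posting login form polonus describes, as an added example (not code from this thread, nor the actual login.php on the reported host): a version with the two weaknesses the post names, an unescaped PHP_SELF in the form action and request variables pasted straight into the SQL query, beside a hardened version. The example uses $_SERVER['PHP_SELF'], the modern spelling of the old register_globals $PHP_SELF; the table and column names, the form field names and the SQLite DSN are assumptions for illustration.

```php
<?php
// Added example, not code from the avast thread or the affected site.
// Table/column names, field names and the DSN are assumptions.

// --- VULNERABLE: the shape the post criticises ---------------------------
// 1. The form action echoes PHP_SELF unescaped, so a request to
//    /login.php/"><script>alert(1)</script> puts attacker markup inside
//    the action attribute (reflected XSS via the self-referencing form).
// 2. The submitted fields are concatenated into the SQL string, so a
//    username of   admin' --   comments out the password check.
function vulnerable_login(PDO $db): string
{
    $out = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = $_POST['user'];
        $pass = $_POST['pass'];
        $sql  = "SELECT id FROM users WHERE name = '$user' AND pass = '$pass'";
        $row  = $db->query($sql)->fetch();
        $out .= $row ? "Welcome, $user" : 'Login failed';
    }
    $out .= '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">'
          . '<input name="user"><input name="pass" type="password">'
          . '<input type="submit"></form>';
    return $out;
}

// --- HARDENED -------------------------------------------------------------
function hardened_login(PDO $db): string
{
    $out = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = (string)($_POST['user'] ?? '');
        $pass = (string)($_POST['pass'] ?? '');
        // Parameterised query: the submitted value never becomes SQL text,
        // so  admin' --  is looked up literally as a user name.
        $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE name = :name');
        $stmt->execute([':name' => $user]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // Verify a stored hash in PHP rather than comparing plaintext in SQL.
        $ok  = $row && password_verify($pass, $row['pass_hash']);
        $out .= $ok ? 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
                    : 'Login failed';
    }
    // Post to a fixed path instead of echoing PHP_SELF. If the path must
    // come from the request, escape it the same way:
    //   htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')
    $out .= '<form method="post" action="/login.php">'
          . '<input name="user"><input name="pass" type="password">'
          . '<input type="submit"></form>';
    return $out;
}

// Minimal driver with an in-memory SQLite database and one seeded user.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (name, pass, pass_hash) VALUES (:n, :p, :h)');
$ins->execute([':n' => 'admin', ':p' => 's3cret',
               ':h' => password_hash('s3cret', PASSWORD_DEFAULT)]);

// Simulate the injection payload against both handlers.
$_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['PHP_SELF']       = '/login.php';
$_POST = ['user' => "admin' --", 'pass' => 'wrong'];

echo "vulnerable: " . strtok(vulnerable_login($db), '<') . PHP_EOL; // logs in
echo "hardened:   " . strtok(hardened_login($db), '<') . PHP_EOL;   // fails
```

The vulnerable handler builds `SELECT id FROM users WHERE name = 'admin' --' AND pass = 'wrong'`, which SQLite and MySQL both read as a query with the password clause commented out, so the attacker is greeted as admin. The hardened handler sends the same input as a bound parameter and finds no such user. Note that the hardened version still does not filter the input; it separates data from code (prepared statement) and from markup (htmlspecialchars), which is the property the vulnerable script lacks.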