There have been a couple of exploits floating around lately. I've recently upgraded to the latest PHP and mod_php versions and have manually updated a phpBB file (viewtopic.php) which also had a problem (see http://www.phpbb.com/phpBB/viewtopic.php?t=240513 for geeky types).
There is a way to track the "attempts" to execute these things and I have logged 195 separate IP addresses using the above viewtopic exploit. While I haven't decided exactly what I am going to do, I have blocked 'permanently' a large block of IPs from the same domain.
If you have any questions / comments, feel free to PM me. If you noticed the server running slow over the past few days, this is most likely the reason.