Looking through my /var/log/httpd/error_log I see a bunch of these:
 

--00:51:53-- http://www.lawison.com/[B]linuxday.txt[/B]
=> `/tmp/.sosweet\'
Resolving www.lawison.com... done.
Connecting to www.lawison.com[202.61.102.4]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,388 [text/plain]
0K ... 100% 1.62 MB/s
00:51:53 (1.62 MB/s) - `/tmp/.sosweet\' saved [3388/3388]
--00:53:17-- http://www.lawison.com/[B]linuxday.txt[/B]
=> `/tmp/.sosweet\'
Resolving www.lawison.com... done.
Connecting to www.lawison.com[202.61.102.4]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,388 [text/plain]
0K ... 100% 3.23 MB/s

 
Anyone else getting this in your logs? I openned the file http:// www. lawison.com/linuxday.txt in IE browser and it set off my anti-virus! I assume it is some sort of server exploit script. After searching, sure enough found these:

• /tmp/.sosweet
• /tmp/.sosweet1
• /tmp/.sosweet2

I added lawison.com and 202.61.102.4 to the firewall blacklist, so maybe that will help.

=======================
Update: 08/18/06

Found this same thing on another server.  Coinsided with complaints of one user\'s PHPBB2 forum being unavailable at times recently.  It appears that this exploit is targeted towards PHPBB2 forums (suprised?).  Will add offending server to blocklist on all servers for preventative measures.