Joomla C99Shell when article URL is requested
listed in answer
ANSWER:
That is a c99shell installed in your Joomla site, and it is probably encoded. It will be hard to detect if it is encoded. You can detect where the file is installed by changing some settings in php.ini. I did this to detect it:
- Change the disable_functions setting in php.ini; I disabled ini_get. Those shells rely on this function to find out what your PHP settings are.
- Copy that URL from your logs and put it in your browser. Then go to your Apache logs to find out which file is complaining that ini_get is disabled.
- Go to that file (or files) and open it, and you will see that you have a file that is encoded. Delete it and try again.
Other people use the find command to detect these shells. In my case, this is what worked. I advise that you harden your Apache and php.ini and install mod_security. Those will help a lot.
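The log-review step described in the answer above, as an added example that is not part of the original answer: it scans Apache error-log lines for PHP's "has been disabled for security reasons" warning and counts the files that triggered it, including files whose call runs inside `eval()`, which is how encoded scripts usually show up. The log lines and paths are constructed samples, and `files_calling_disabled` is a hypothetical helper name.

```python
import re
from collections import Counter

# PHP logs this warning when a script calls a function named in disable_functions.
WARNING = re.compile(
    r"PHP Warning:\s+(?P<func>\w+)\(\) has been disabled for security reasons "
    r"in (?P<path>.+?) on line \d+"
)
# Code executed through eval() is reported as "/path/file.php(12) : eval()'d code".
EVAL_SUFFIX = re.compile(r"\(\d+\) : eval\(\)'d code$")

# Constructed sample lines (paths and addresses are placeholders).
SAMPLE_LOG = [
    "[Tue Mar 05 10:15:01 2013] [error] [client 192.0.2.10] PHP Warning:  ini_get() has been "
    "disabled for security reasons in /var/www/example/images/stories/img.php(1) : eval()'d code on line 1",
    "[Tue Mar 05 10:15:01 2013] [error] [client 192.0.2.10] PHP Warning:  ini_get() has been "
    "disabled for security reasons in /var/www/example/images/stories/img.php(1) : eval()'d code"
    "(1) : eval()'d code on line 7",
    "[Tue Mar 05 10:15:01 2013] [error] [client 192.0.2.10] PHP Warning:  ini_get() has been "
    "disabled for security reasons in /var/www/example/libraries/loader.php on line 42, "
    "referer: http://example.test/",
    "[Tue Mar 05 10:15:02 2013] [error] [client 192.0.2.10] File does not exist: /var/www/example/favicon.ico",
    "[Tue Mar 05 10:15:03 2013] [error] [client 192.0.2.10] PHP Warning:  phpinfo() has been "
    "disabled for security reasons in /var/www/example/tmp/a.php on line 3",
]


def files_calling_disabled(log_lines, func="ini_get"):
    """Return a Counter mapping script path -> number of warnings for `func`."""
    hits = Counter()
    for line in log_lines:
        m = WARNING.search(line)
        if not m or m.group("func") != func:
            continue
        path = m.group("path")
        # Strip every eval() layer so the count is keyed on the file on disk.
        while EVAL_SUFFIX.search(path):
            path = EVAL_SUFFIX.sub("", path)
        hits[path] += 1
    return hits


if __name__ == "__main__":
    for path, count in files_calling_disabled(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {path}")
```

Legitimate code can also call `ini_get`, so the output is a list of files to open and inspect; a file that appears only through `eval()` layers is the one to look at first.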
