I've seen an attack like this before on a server running a commercial shopping cart software - not sure if that's relevant, but the attacker had to gain access somehow.
It was accompanied by HTTP requests to non-existing files, like in your case 223987.php, which would run the script...