A while back casus15.php was being found on a number of servers. According to one source at the time "Its a script that was created to excute system commands on your server using the system() function.". If you're running into casus15.php please drop us a note on your determination of how it was installed at your network.

casus15.php has shown up a few times at Zone-H DIGITAL ATTACKS ARCHIVE.

Googlebot's capture of one system, that caught a SSH connection, scroll to the bottom and catch;
_ENV["SSH_CONNECTION"] 200.74.99.107 4172 217.160.240.17 22

Thanks!