OK I think I have identified what this is, it appears to be an infection mechanism for search engine result spoofing, folks should check their .htaccess files for anything that looks suspicious.
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/If you decode one of the URLs from your logs, and somehow find that page in a search engine e.g. Google, only the first time that you go to that page as referred from Google, and only a certain percentage of the time, it will bring up a completely different spammer style web page. Only the first time that you mouse over one of the links, it will give you a dubious-looking URL with an IP address in it, the next time that you mouse over the link it will show a link that looks normal. Needless to say, do not click on the questionable link!
Jonathan -- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist
