Great responses, all. I should clarify that the box was not rooted. A vulnerability in the PHP code on the box was exploited to place tools on the machine. They had access to files that were owned by the user running apache. The only files that I could see that were changed were in the web root.
So, it wasn't through SSH, but many of your suggestions still stand to reason. Right at the moment, I can't do a fresh install, because the box is co-located. I'll read up on all the other stuff, though. Again, thanks for the enlightening suggestions. Scott /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
