The php hack is possible through a PHP Shell script or perhaps an xmlrpc.php file that was outdated and vulnerable, it was not being uploaded by a system user, and owned by “nobody”, this should have been at least the account holder to see in temp where the script came from… See: http://www.deerberg-systems.de/statistik/summary/cgi.html
polonus