Security Incidents mailing list archives

distributed spamming/scamming scheme?


From: lists <justinf () innocence-lost net>
Date: Fri, 6 Aug 2004 16:47:33 -0700 (MST)

hi et al,

Over the last week or two it has come to my attention that at least 2 of our
boxes were hacked. These boxes are shared servers for web hosting for the
company I work for. It appears that weak passwords were the cause and
several accounts were compromised. The attacker(s) get the passwords,
upload some CGIs, run them, then delete them (my guess here is that because
FTP is chrooted they do this to run as the www user); they download
.htaccess/.htpasswd files, and also upload:

fake usbank login pages; they are done via meta tags that load the real
page but use JavaScript to catch the login info.

Then they email lists of people to spam with requests for them to log in to
their usbank account, fake link to usbank, you know the drill.

The hosts come from lots of various domains, but not all of them seem to
be interactive logins, or at least that is my guess.

On this particular server they uploaded a file named bangbrosdat.exe;
most of the logins just download the file and close their connection. A
few others grab .htaccess/.htpasswd files, upload CGIs and actually do
the deleting of things.

I believe the bangbrosdat.exe file has some relation to bangbus.com,
because in the logs I've seen other files named like bangbus.txt. On one
server I found 4.4MB of lists of email addresses that were zipped up;
they were separated into different directories all named like foo.com or
whatever.net, etc. None of these sites we host, so it appears they steal
user email address lists also.

Another interesting thing is these people never attempt to actually root
the box; they are happy with FTP access and being able to execute CGIs.

I've only found 1 CGI; it was named u.pl and it grabbed the system time and
path, then did a crypt with the results of both and printed out the system
time, path and the length of the encryption. My guess here is for later
cracking of the .htpasswd files.

I still have yet to figure out how exactly they are sending the spam
through our servers. There are a lot of vulnerable formmail programs on the
box, but the server logs don't reflect their usage (keep in mind root was
not obtained and there are no signs to make one think that it was).
Watching network traffic I don't see anything other than a lot of outbound
SMTP traffic and the normal stuff. I don't see any unusual processes or
cron jobs, so my only guess is that it's done through a custom CGI they
upload and execute, then delete.

Why I am writing this is because, with as many hosts as they come from, I
cannot be the only person who has encountered them. They also do eBay
spam/scams and Yahoo Finance spam/scams, and because they've missed one
CGI here and there, and they leave such an audit trail, I'm looking for
CGIs uploaded by them to other servers.

Has anyone encountered this? Does anyone have any more of their MO?
etc.

jnf
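
The post describes an MO that leaves a clear trail in FTP transfer logs:
downloads of .htaccess/.htpasswd, a CGI uploaded and then deleted minutes
later, a known indicator filename passing through, and one account used
from many source hosts. The script below is an added example written for
this archive page, not code from the original poster, that scores
xferlog-style transfer logs (the wu-ftpd/proftpd format, which is an
assumption about the poster's setup; the "d" direction for deletes is a
proftpd extension that wu-ftpd does not log) against those four signals.
The log lines, hostnames, paths and account names are constructed for the
example; the indicator filenames are the two the post names.

```python
"""Flag the FTP activity pattern described in the post in xferlog-style
transfer logs.  Added example; the log format is assumed (wu-ftpd/proftpd
xferlog) and the sample lines below are constructed, not real server logs."""
import calendar
import re
import time
from collections import defaultdict

# Filenames the post reports seeing (assumption: matched on exact basename).
INDICATOR_NAMES = {"bangbrosdat.exe", "bangbus.txt"}
# Credential files the post says the attackers download.
CRED_FILES = {".htaccess", ".htpasswd"}
CGI_EXT = re.compile(r"\.(cgi|pl)$", re.IGNORECASE)
DROP_RUN_DELETE_WINDOW = 600      # seconds between upload and delete of one CGI
SHARED_CRED_MIN_HOSTS = 3         # distinct source hosts before an account is flagged


def parse_xferlog(line):
    """Parse one xferlog line into a dict.  Fields are whitespace-separated;
    the filename is whatever sits between the first eight and the last nine
    fields, so paths containing spaces survive the split."""
    f = line.split()
    if len(f) < 18:
        return None
    # Five date fields, e.g. "Mon Aug  2 03:14:05 2004"; timegm keeps it TZ-independent.
    ts = calendar.timegm(time.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y"))
    return {
        "ts": ts,
        "host": f[6],
        "size": int(f[7]),
        "path": " ".join(f[8:-9]),
        "direction": f[-7],   # o = download, i = upload, d = delete (proftpd only)
        "user": f[-5],
        "status": f[-1],      # c = completed, i = incomplete
    }


def detect(lines):
    """Return (rule, user, host, path) findings for the MO described in the post."""
    findings = []
    pending_cgi = {}                    # (user, path) -> upload timestamp
    hosts_per_user = defaultdict(set)
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None or rec["status"] != "c":
            continue
        name = rec["path"].rsplit("/", 1)[-1]
        key = (rec["user"], rec["path"])
        hosts_per_user[rec["user"]].add(rec["host"])
        # 1. Credential file pulled down over FTP.
        if rec["direction"] == "o" and name in CRED_FILES:
            findings.append(("htpasswd-download", rec["user"], rec["host"], rec["path"]))
        # 2. Known indicator filename moving in either direction.
        if rec["direction"] in ("i", "o") and name.lower() in INDICATOR_NAMES:
            findings.append(("indicator-transfer", rec["user"], rec["host"], rec["path"]))
        # 3. CGI uploaded, then deleted by the same account shortly afterwards.
        if rec["direction"] == "i" and CGI_EXT.search(name):
            pending_cgi[key] = rec["ts"]
        elif rec["direction"] == "d" and key in pending_cgi:
            if rec["ts"] - pending_cgi.pop(key) <= DROP_RUN_DELETE_WINDOW:
                findings.append(("cgi-drop-and-delete", rec["user"], rec["host"], rec["path"]))
    # 4. One account logging in from many hosts: a shared or cracked password.
    for user, hosts in sorted(hosts_per_user.items()):
        if len(hosts) >= SHARED_CRED_MIN_HOSTS:
            findings.append(("shared-credential", user, ",".join(sorted(hosts)), ""))
    return findings


# Constructed sample log: one compromised account ("acme") and one clean one ("bob").
SAMPLE_LOG = """\
Mon Aug  2 03:14:05 2004 1 10.0.0.5 312 /home/acme/public_html/.htpasswd a _ o r acme ftp 0 * c
Mon Aug  2 03:14:09 2004 1 10.0.0.5 140 /home/acme/public_html/.htaccess a _ o r acme ftp 0 * c
Mon Aug  2 03:15:40 2004 1 10.0.0.5 2210 /home/acme/public_html/cgi-bin/u.pl a _ i r acme ftp 0 * c
Mon Aug  2 03:16:12 2004 0 10.0.0.5 2210 /home/acme/public_html/cgi-bin/u.pl a _ d r acme ftp 0 * c
Mon Aug  2 04:02:33 2004 3 192.0.2.77 81920 /home/acme/public_html/bangbrosdat.exe b _ i r acme ftp 0 * c
Tue Aug  3 11:20:01 2004 2 198.51.100.9 81920 /home/acme/public_html/bangbrosdat.exe b _ o r acme ftp 0 * c
Tue Aug  3 12:00:00 2004 1 203.0.113.4 5120 /home/acme/public_html/index.html a _ i r acme ftp 0 * c
Tue Aug  3 12:05:00 2004 1 203.0.113.4 5120 /home/bob/public_html/index.html a _ i r bob ftp 0 * c
"""

if __name__ == "__main__":
    for rule, user, host, path in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:22} user={user:6} host={host} {path}")
```

Run it against a real xferlog with `detect(open("/var/log/xferlog").readlines())`.
The drop-and-delete rule only fires when the server logs deletes; on
wu-ftpd, which does not, the upload of a .pl/.cgi that is later missing
from disk is the equivalent check.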

