Might want to add
SecFilter "tar/x20"
SecFilter "go.ro"
SecFilter "chmod/x20"
SecFilter "wget"
SecFilter "rm/x20-rf"
This should help, of course, make sure mod_security is active on servers, also remove that script, and when the process is running, use ps -u nobody to get the pid, then go to /proc/(pid) and ls -al. You may see some virtual linked files to where the files are, usually /dev/shm, or /tmp, sometimes /var/spool i've seen, sometimes even /usr/local/apache/proxy, also cat the process's enviroment, might be able to pull a directory from there.
Also, this shouldn't cause any issues with regular sites, seems to be using Awstats exploit via script, or he's just uploading a script and calling it that
SecFilter "awstats.pl"
Since people should be acessing Awstats via Cpanel regardless shouldnt cause any issues.
Thanks,
Kris
Kris@HostMerit.com