Getting reports of Redirections to Malicious/3rd Party websites?
Mailing IP landing up on tons of RBL's? Yup. It's possible... Dark Leech
I was surprised on my findings. The infection runs quitely. Don't bother tracking by file modification dates -- doesn't help.
I encourage everyone to run this if they have root to a shared server.
The script checks if your Apache installation is infected.
I could make the script cleaner, but it works. 
Mailing IP landing up on tons of RBL's? Yup. It's possible... Dark Leech
I was surprised on my findings. The infection runs quitely. Don't bother tracking by file modification dates -- doesn't help.
I encourage everyone to run this if they have root to a shared server.
The script checks if your Apache installation is infected.
Code:
#!/bin/bash
grep LoadModule /etc/httpd/conf/httpd.conf | grep -v \# > /root/apache_modules.log
grep "Include " /etc/httpd/conf/httpd.conf | grep -v \# | cut -d\" -f2 | xargs grep LoadModule 2>/dev/null | cut -d: -f2 >> /root/apache_modules.log
cat /root/apache_modules.log | awk {'system("strings /etc/httpd/"$3" |grep -E \"dlEngine|module switcher|INJECT_DO|xor_decrypt_string\"")'} > /root/apache_result.pid
apache_result=$(stat -c %s "/root/apache_result.pid")
if [ "$apache_result" -gt 10 ]; then
echo "INFECTED!"
else
echo "CLEAN!"
fi