The one time I've seen hnc.cgi, it was in the location that ebizindia stated, which was the user's cgi-bin/ directory.
Here it is being uploaded:
Code:
Sep 25 05:52:19 host pure-ftpd: ([email protected]) [NOTICE] /home/victim//www/cgi-bin/hnc.cgi uploaded (35024 bytes, 67.26KB/sec)
then executed:
Code:
example.com:195.189.226.220 - - [25/Sep/2008:05:52:19 -0400] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
and then removed:
Code:
Sep 25 05:52:20 host pure-ftpd: ([email protected]) [NOTICE] Deleted www/cgi-bin/hnc.cgi
You're not finding it on the filesystem because it's probably getting deleted immediately after being executed. Check your syslogs for any FTP activity related to the file:
# cd /var/log
# zgrep hnc.cgi messages*
edit: also check any domain logs in /usr/local/apache/domlogs for "hnc.cgi" as well.
more edit: in case I wasn't all too clear, the issue in the logs shown above occurred because the attacker had, somehow, obtained the user's cPanel password, which allowed them to upload the file via FTP. Once you find the cause of the script getting onto your server, make sure you change that user's password, tell them to never use any old passwords they've used before (since at least 1 is known by someone else), and it would probably be a good idea for the user to install/update/run a full antivirus scan on their own computer, in case that was the cause of their password getting stolen (e.g., the customer's home computer is trojaned, being keylogged, etc).
Do let us know what you find out please.
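Added example, not part of the original post: a small log correlator for the upload, request and delete sequence shown above, which flags any file an FTP user uploads and deletes again within a short window and lists the HTTP requests made for it while it existed. The function name, the 60-second window, the sample IP addresses and the second user are assumptions; it also assumes syslog and the Apache domlog use the same local time zone.

```python
import re
from datetime import datetime, timedelta
from posixpath import normpath

FTP_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ pure-ftpd: \((\S+?)@\S+\) "
                    r"\[NOTICE\] (?:(.+) uploaded \(|Deleted (.+))")
HTTP_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:[\d:]{8}) [+-]\d{4}\] "[A-Z]+ (\S+)')

# Constructed sample lines in the two log formats quoted in the post
FTP_SAMPLE = [
    "Sep 25 05:52:19 host pure-ftpd: (victim@203.0.113.9) [NOTICE] "
    "/home/victim//www/cgi-bin/hnc.cgi uploaded (35024 bytes, 67.26KB/sec)",
    "Sep 25 05:52:20 host pure-ftpd: (victim@203.0.113.9) [NOTICE] Deleted www/cgi-bin/hnc.cgi",
    "Sep 25 06:10:02 host pure-ftpd: (other@198.51.100.4) [NOTICE] "
    "/home/other//www/index.html uploaded (512 bytes, 3.10KB/sec)",
]
HTTP_SAMPLE = [
    'example.com:203.0.113.9 - - [25/Sep/2008:05:52:19 -0400] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "-"',
    'example.com:198.51.100.4 - - [25/Sep/2008:06:11:00 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
]

def find_upload_run_delete(ftp_lines, http_lines, year, window=60):
    """Return uploads deleted by the same FTP user within `window` seconds,
    each with the HTTP requests made for that file between upload and delete."""
    hits = []
    for line in http_lines:
        m = HTTP_RE.search(line)
        if m:  # the UTC offset is dropped: both logs are assumed to be local time
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            hits.append((when, m.group(2).split("?")[0], line))
    pending, findings = [], []
    for line in ftp_lines:
        m = FTP_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, uploaded, deleted = m.group(2, 3, 4)
        if uploaded:
            pending.append((user, normpath(uploaded), when))
            continue
        # pure-ftpd logs the upload as an absolute path, the delete as a relative one
        tail = "/" + normpath(deleted).lstrip("/")
        for up in list(pending):
            age = when - up[2]
            if up[0] == user and up[1].endswith(tail) and timedelta(0) <= age <= timedelta(seconds=window):
                pending.remove(up)
                ran = [h[2] for h in hits if up[2] <= h[0] <= when and up[1].endswith(h[1])]
                findings.append({"user": user, "path": up[1], "uploaded": up[2],
                                 "deleted": when, "requests": ran})
    return findings
```

To run it on real data, pass the decompressed lines of `messages*` and of the account's domlog, plus the year the syslog entries belong to.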