what door or window did I leave open this time?

Jude DaShiell jdashiel at shellworld.net
Thu May 10 00:45:39 EDT 2007


A debian system I had running was very badly hacked.  This was debian 
speakup with a 2.6.18 kernel.  I decided to write a cs script to run clamscan and 
found a really easy way to write that script, and was planning on sharing 
that technique until I had a listen to part of the log file I had the 
script make for me.  Then it was time to preserve what I could, erase 
partitions and install a new system.  I'm most interested in what door or 
window I had left open for this hack to have happened.  Activity on the 
system was downloading podcasts, which were preserved, and also doing some 
ssh connections; but sshd_config and ssh_config had been modified to not 
listen on any port, permit root login was disabled, and X11 forwarding was 
also turned off.
What follows is the part of the log I preserved:

-------------------------------------------------------------------------------

Unpacker process 11675 stopped due to exceeded limits
//usr/share/doc/lg/108/misc/laundrette/laundrette-108.txt: HTML.Phishing.Bank-1 FOUND
//usr/share/doc/lg/112/lg_laundrette.html: HTML.Phishing.Bank-164 FOUND
//usr/share/doc/lg/issue85/misc/mahoney/c.img.gz: GZip.ExceededFileSize FOUND
//usr/share/doc/lg/issue86/TWDT.txt.gz: Exploit.IFrame.Gen FOUND

Beyond that, here's a copy of the cs script used with clamscan:
#!/bin/bash
# file: cs - clamscan script
# Writes a dated log (clamscanYYYY-MM-DD.log), skips the pseudo-filesystems,
# prints only infected files (-i) and caps archive unpacking so the scan
# cannot be stalled by a decompression bomb.
clamscan -l clamscan`date -I`.log -r --bell --exclude=/dev --exclude=/proc --exclude=/pts --exclude=/tmp -i --detect-broken --block-encrypted --block-max --max-files=500 --max-space=10M --max-recursion=8 --max-ratio=250 --max-mail-recursion=8 --max-dir-recursion=15 --deb=/usr/bin/dpkg-deb / *

The way I found that script so easy to write was to put each command line 
option on its own line after clamscan, and when the several lines had all 
of those options I used the join command in ex to join those lines into 
the clamscan command you find in that script.
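The log above only says which files matched a signature, not whether those files are still the ones Debian installed. What follows is an added example, not code from the original post: it takes clamscan's "path: signature FOUND" lines and checks each flagged file against the md5sums dpkg recorded at install time (the <pkg>.md5sums files under /var/lib/dpkg/info), so a hit on a file that still matches its package is separated from a file that was modified on the host or that no package owns. The fixture directory, the package name "lg" and the log lines it writes are constructed for the demonstration; the third argument to classify_path (a fake root prefix) exists only for that fixture and is left empty on a live system.

```bash
#!/bin/bash
# Added example, not code from the original post: triage clamscan hits
# against the md5sums dpkg recorded when each package was installed.
#
# Assumed here, not stated on the page: log lines have clamscan's
# "<path>: <signature> FOUND" form, and md5sums live in <info>/<pkg>.md5sums
# (the layout of /var/lib/dpkg/info). The fixture below is constructed.

# parse_clam_hits <log>: print "path<TAB>signature" for every FOUND line;
# other lines (e.g. "Unpacker process ... stopped") are ignored.
parse_clam_hits() {
    awk '/ FOUND$/ {
        sig  = $(NF - 1)                  # field just before FOUND
        path = $0
        sub(/: [^:]* FOUND$/, "", path)   # drop ": <sig> FOUND"
        sub(/^\/\/+/, "/", path)          # "//usr/..." -> "/usr/..."
        print path "\t" sig
    }' "$1"
}

# classify_path <path> <info-dir> [<root>]
# Prints UNOWNED, or MATCH/MODIFIED/MISSING followed by the owning package.
# <root> is stripped from <path> before the lookup: "" on a live system,
# non-empty only for the constructed fixture below.
classify_path() {
    local path=$1 info=$2 root=${3:-} rel hit pkg want have
    rel=${path#"$root"}; rel=${rel#/}     # dpkg records paths without the leading /
    hit=$(grep -l -- " $rel\$" "$info"/*.md5sums 2>/dev/null | head -n 1)
    [ -n "$hit" ] || { echo UNOWNED; return 0; }
    pkg=$(basename "$hit" .md5sums)
    [ -f "$path" ] || { echo "MISSING $pkg"; return 0; }
    want=$(grep -- " $rel\$" "$hit" | awk '{print $1}')
    have=$(md5sum "$path" | awk '{print $1}')
    [ "$have" = "$want" ] && echo "MATCH $pkg" || echo "MODIFIED $pkg"
}

# triage_log <clamscan-log> <info-dir> [<root>]: one verdict line per hit.
triage_log() {
    parse_clam_hits "$1" | while IFS="$(printf '\t')" read -r path sig; do
        printf '%-12s %s (%s)\n' "$(classify_path "$path" "$2" "${3:-}")" "$path" "$sig"
    done
}

# Constructed fixture (not the original system): a throw-away root with a
# package "lg" owning three files; one is left as installed, one is altered
# after the md5sums were written, one is deleted, and a fourth file is
# dropped in that no package owns.
make_demo_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/doc/lg/112" "$root/usr/share/doc/lg/issue85/misc/mahoney" \
             "$root/usr/share/doc/lg/issue86" "$root/info"
    for f in 112/lg_laundrette.html issue85/misc/mahoney/c.img.gz issue86/TWDT.txt.gz; do
        printf 'installed as shipped\n' > "$root/usr/share/doc/lg/$f"
    done
    ( cd "$root" && md5sum usr/share/doc/lg/112/lg_laundrette.html \
                           usr/share/doc/lg/issue85/misc/mahoney/c.img.gz \
                           usr/share/doc/lg/issue86/TWDT.txt.gz ) > "$root/info/lg.md5sums"
    printf 'altered after install\n' >> "$root/usr/share/doc/lg/issue86/TWDT.txt.gz"
    rm "$root/usr/share/doc/lg/issue85/misc/mahoney/c.img.gz"
    printf 'not from any package\n' > "$root/usr/share/doc/lg/dropped.html"
    echo "$root"
}

# Constructed log in clamscan's output format, pointing at the fixture
# (the leading "//" mirrors what scanning "/" produces).
make_demo_log() {
    local root=$1
    cat > "$root/clamscan.log" <<EOF
Unpacker process 11675 stopped due to exceeded limits
/$root/usr/share/doc/lg/112/lg_laundrette.html: HTML.Phishing.Bank-164 FOUND
/$root/usr/share/doc/lg/issue86/TWDT.txt.gz: Exploit.IFrame.Gen FOUND
/$root/usr/share/doc/lg/issue85/misc/mahoney/c.img.gz: GZip.ExceededFileSize FOUND
/$root/usr/share/doc/lg/dropped.html: Exploit.IFrame.Gen FOUND
EOF
    echo "$root/clamscan.log"
}

case "${1:-}" in
    demo) root=$(make_demo_root); triage_log "$(make_demo_log "$root")" "$root/info" "$root" ;;
    "")   ;;                                   # no arguments: only define the functions
    *)    triage_log "$1" "${2:-/var/lib/dpkg/info}" ;;
esac
```

Run it as "./triage demo" to see the fixture classified (MATCH for lg_laundrette.html, MODIFIED for TWDT.txt.gz, MISSING for c.img.gz, UNOWNED for dropped.html), or as "./triage clamscan2007-05-09.log" against the real /var/lib/dpkg/info. Two caveats: debsums does the same md5 comparison for whole packages and is the usual tool for it, and the md5sums files are ordinary root-writable files, so an intruder with root could have rewritten them; a MATCH verdict is triage, not proof that the box is clean.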