
Thread: Spamming other servers virus via apache, how did it get in, and how to get it out?

  1. #11
    Join Date
    Feb 2014
    Beans
    142

    Re: Spamming other servers virus via apache, how did it get in, and how to get it out

    just because there is no changed files between your backup and current website, doesn't necessarily mean the problem absolutely is outside of /var/www, but it probably is. I would think XSS and CSRF would show up in the apache logs, but those could be possible problems especially if you wrote the site yourself (it can be easy for 1 person to miss some mistakes), and they would not need to alter any file on the website. If it is outside /var/www, then it's possible someone got in from another open service, maybe ssh server is running, maybe someone had physical access to the machine, etc. Without more information it's hard to tell. I tend to believe the problem probably lies in /var/www or in apache itself, though, because the problem is leaving entries in the apache.log file.
    python -c 'print hex(3 << ((1024/4)-2))[:-1]'
    python -c 'print hex((1 << (1024/4))-1)[:-1]'

  2. #12
    Join Date
    Mar 2015
    Beans
    7

    Re: Spamming other servers virus via apache, how did it get in, and how to get it out

    I do have a file upload form... shouldn't be able to do that, but maybe. I know why they are doing it, SEO back links.

    PS
    These are other people's comments, not mine

  3. #13
    Join Date
    Feb 2014
    Beans
    142

    Re: Spamming other servers virus via apache, how did it get in, and how to get it out

    you might want to do a web search for 'file inclusion vulnerability' which might show you how it works, and how you might fix that problem if that's what you have.
    python -c 'print hex(3 << ((1024/4)-2))[:-1]'
    python -c 'print hex((1 << (1024/4))-1)[:-1]'

  4. #14
    Join Date
    Mar 2015
    Beans
    7

    Re: Spamming other servers virus via apache, how did it get in, and how to get it out

    In the end it was a messed up proxy pass to node... where it wasn't locked to a domain, and they could use it for whatever they felt like, like spamming for backlinks.
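An added illustration of the misconfiguration the last post describes (not the poster's own config, which the thread does not show): a ProxyPass in a catch-all VirtualHost forwards requests for any Host header to node, while the corrected version proxies only for the intended ServerName and makes the default vhost refuse everything else. The hostnames, port and log path are assumed placeholders.

```apache
# Weak: the only vhost is a catch-all, so every request that reaches port 80,
# whatever Host header it carries, is forwarded to the node application.
<VirtualHost *:80>
    ProxyPass        "/" "http://127.0.0.1:3000/"
    ProxyPassReverse "/" "http://127.0.0.1:3000/"
</VirtualHost>

# Corrected. The first vhost defined is Apache's default for Host headers that
# match nothing else; it proxies nothing and denies everything, so requests
# for other domains (or with no Host at all) stop here.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Only requests whose Host matches this name are proxied to node.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # Never act as a forward (open) proxy; ProxyPass alone does not need it.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:3000/"
    ProxyPassReverse "/" "http://127.0.0.1:3000/"
    # Log the matched vhost and the raw Host header so abuse through
    # unexpected names is visible in the access log, as in the first post.
    LogFormat "%v %h %t \"%r\" %>s \"%{Host}i\"" vhost_host
    CustomLog ${APACHE_LOG_DIR}/proxy_access.log vhost_host
</VirtualHost>
```

After reloading, a request with a foreign Host header should return 403 from the default vhost rather than a page from node.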

