[SOLVED] Security Concerns

[nuke3d]

A while ago I've found a folder called ".X08-unix" in my /tmp dir, it contained a variety of exploit and flooding scripts, as well as the source code of an IRC bot. There was also an executable called "sh" that was running and all it did was to try to connect to "some_ip":6667 all the time.

So someone managed to upload all these files into my /tmp dir, and then run an executable. All that was apparently done with the user "vu2000".
Using the process running time (etime) I got an aproximate date of when the intrusion took place, so I ran trough all the logfiles in /var/log looking for hints on how this could have happened, but there was nothing suspicious besides the occasional and normal bruteforce attempts scanning for phpmyadmin and similar stuff.

vu2000 only runs ispCP and RoundCubewWebmail, so the security flaw has to be in one of these two scripts.

I'm using ispCP RC6 on a fully updated debian etch. The only modification I've done (as far as I remember) was to add /tmp to the open_basedir in the php.ini (this probably enabled the attacker to write to /tmp, but removing that wouldn't solve the problem, as there is still the phptmp dir).

Does anyone have another idea on how I could find ou how it happened?