I've noticed a 0 byte file called '.ugothacked' inside /tmp owned by user (let's call him userx)
It's a 0 byte file so i wasn't immediately concerned. I simply deleted it thinking that it may have been just some lame (failed) php/cgi hack attempt.
However the same 0 byte file reappeared a couple times more after I deleted it manually.
I've gone through the http logs for this user and haven't found anything suspicious although i only skimped through it.
I grepped through userx's entire homedir search for the string 'hacked' in all his files and nothing came up ...
So I am getting a little tired of playing this cat and mouse with whoever it is and was wondering if the more experienced folks here would have any tips as to how to trap/catch this guy in the act ie. at least find out what sort of process is writing that file and who/where/from where it was started.