A version of Zencart was slightly out of date on a customer's account (despite them having Fantastico to be able to update it, sigh...) and that one account on the server was compromised.

In addition to the usual stuff I'd expect to find, like r57 and a whole bunch of PHP and text files to be used to aid the (pretty dumb) botnet herder, I found a couple of files with HTML in them.

What got me was that the files were effectively used to advertise a web host, and one appeared to be from an SEO company.

I'm not sure if I should mention either of them by name, though the webhost has been mentioned on WHT for not paying its referrals.

Is this common? (Not the RFI exploit, but using it to advertise a webhost.)

Should I mention the name of the webhost and SEO company in question? (I'd like to find out if anyone has similar experience)

I had thought about contacting them; although my servers are in the US, UK law applies to people gaining unauthorised access, but I'm pretty sure doing so would achieve nothing except waste my time and incur international telephone charges.

And finally, not really a question, but why oh why can I not update Fantastico scripts from WHM instead of having to log in using the customer's user/pass, which I don't always have?