Comment Identified about 5 months ago (Score 2, Informative) 437
I identified this rootkit in a system about 5 months ago and slightly documented some behaviours of it (I think only behaviour I've missed was numerical directory thingy). Related blog post 25.08.2007 - http://ferruh.mavituna.com/makale/exploit-paketleri/ ).
There is one more thing to add, it modify all valid HTTP responses, add .js after body tag in all interfaces. There was one article that mentioned most of the compromised servers based UK, it was same for me. And considering it's been about 5 months, I assume UK websites were prime target in the start.
There is one more thing to add, it modify all valid HTTP responses, add