Thanks for the suggestions. I'll respond as well as I can.

First, you're using some terms that I don't know (DNS poisoning, back shells), so not everything you said is clear to me. I can look those up, but I have little time right now, so I have to respond first.

You're assuming I have complete access to the server. Unfortunately, I don't. It's a shared server, and it's locked down pretty tight, at least as far as letting me do things I legitimately want to do is concerned. I don't even have shell access, although I've figured out how to get it through a back door. I certainly don't have root access or superuser status, so a lot of the things you suggested are probably impossible.

(A word on the shared access thing... it was chosen before I was on board, as was the host. With this host we don't have a choice except to get a dedicated server and take complete responsibility for the system's operation. We're not equipped to do that, and so far changing hosts has been too big a step. This incident has us talking about it, though.)

All I know about the system is what phpinfo tells me: it's Linux. Maybe the rest of the gobbledygook will tell you more: "System" is "Linux p3nlh270.shr.prod.phx3.secureserver.net 2.6.18-274.7.1.el5PAE #1 SMP Thu Oct 20 17:03:59 EDT 2011 i686," and "Build Date" is "Aug 26 2010 08:49:13."

I'll try to do more investigation later today. I have very little time during the week, though, so it may take me longer.