Compromised Apache binaries load malicious code
Researchers at web security firm Sucuri have discovered modified binaries in the open source Apache web server. The binaries will load malicious code or other web content without any user interaction. Only files that were installed using the cPanel administration tool are currently thought to be affected. ESET says that several hundred web servers have been compromised.
The attack has been named Linux/Cdorked.A and is difficult to detect: As cPanel doesn't install the web server through common package managers such as RPM, the verification mechanisms of the package managers won't be any help.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump