roundcube exploit to upload spam-bot through html2text

Binary package hint: roundcube

My Ubuntu 8.10 system has been hacked through roundcube 0.1.1 (from ubuntu repository)

this exploit is possibly solved in roundcube 0.2-beta, see http://www.roundcubeforum.net/news-announcements/3964-roundcube-news-security-update-0-2-beta.html#post16373 for more info

I can provide the following logs:

apache access log:
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
(these are the only two actions performed as can be found in my apache-log)

in my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)

crontab -u www-data -l gives me:
* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1

and ls -l /var/tmp/.ICE-unix/.../.tmp/data/ gives me:
-rw-r--r-- 1 www-data www-data 71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data 4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data 33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data 178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data 359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data 244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data 6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data 21516 2008-01-20 16:42 xh

xh gets detected as HackTool.Linux.ProcHider.a Viruslist.com - HackTool.Linux.ProcHider.a
I guess mysqld is a virus as well, but it does not get detected (yet)

I can provide the virus itself as well... But will not send it publicly