It was not mine. It was also removed. I assume it was uploaded via a file upload page which my site supports... perhaps moved from the tmp directory and executed? That's the part of the hack I have not been able to figure out. The var/www/html dir is only writable by root as far as I can tell... and no access via SSH/FTP was shown in the logs. If they had root access, why would they go through the trouble to make a PHP file to execute commands through...? Anyways, I'm not sure how the test2 file was created.