Some of the sh.txt script seems to be pretty old, calling milw0rm and darkc0de, both sites are no longer up and have not been for a while.
There is also a few things worth looking in to here, the script mentions fx29shell.php. Which is a php shell that can be loaded onto the system.
I can do all kinds of nasty to your web server, you can download the /etc/passwd for a start. Not good if you find this on your system, might be a good time to do some google searches against your domain (while we are talking about it).
So after all of this it looks likes capser.(pl|txt) is the main thing doing all of the work. As you can tell with all of the variables.
$admin = "XXXXX"; $serverircs = array("irc.xxxxx.xxx"); $serverirc = $serverircs[rand(0,count($serverircs) - 1)]; $urldata = "http://xxxxxxx/xxxxxxx/casper/"; $injektor = "sh.txt"; $defacer = "def.txt"; $filepsy = "psy.tar.gz"; $portpsy = "6667"; $fileggdrop = "eggdrop.tar.gz"; $filebotphp = "bot.txt"; $crbots = 2; $filebotperl = "iso.txt"; $filebotscan = "scan.txt";
In the next section we will do a closer look at casper now that we poked around a bit.