Weird set of shell commands in root's .bash_history

Interesting, indeed.

I've never seen this thing before, but looking at the suhosin14.sh script, it is evil. It modifies all the php.ini files it can find on the system, hoping to cause PHP to prepend some code on-the-fly into every PHP web page rendered (via auto_prepend_file). suhosin14.sh also downloads and installs a pair of SUID-root modules, presumably to get its prepended PHP code to run with root privileges.

The prepended PHP script (suhosin.php) contains a comment header that makes it claim to be part of the Suhosin security patch for PHP, but it is certainly not. Instead, the script watches for particular HTTP POST requests containing XOR-obfuscated commands, which it then de-obfuscates and runs (presumably with root privileges, thanks to the SUID-root modules).

If this thing was run on your system, then it is likely rooted. Undoing what the suhosin14.sh installer has done [specifically: remove the PHP prepend-script suhosin.php, remove the SUID-root modules suhosin32.so and suhosin64.so, and restore your original php.ini file(s)] is probably not enough to ensure safety, since someone had to have gained root access to successfully run the installer in the first place. Furthermore, subsequent commands sent remotely via the PHP prepend-script could have easily installed any number of rootkits or other backdoors.

Not much else I can suggest, except maybe to check your Apache logs for POST requests to pages that normally shouldn't get POST requests: those are likely instances of remote commands sent to your system. Unfortunately, the logs won't tell you what commands were executed, but you might get some other useful info, like IP addresses and timestamps.
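As an added example (not part of the original answer), here is one way to triage an Apache access log for POSTs to pages that otherwise only see GET traffic, returning the IP addresses and timestamps mentioned above. The function name, the ratio thresholds and the common/combined log format are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_posts(lines, max_post_ratio=0.2, min_hits=3):
    """Return (ip, timestamp, path) for each POST to a path that is otherwise
    requested almost only with other methods. Thresholds are assumed defaults."""
    per_path = defaultdict(lambda: {"total": 0, "posts": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        entry = per_path[path]
        entry["total"] += 1
        if m["method"] == "POST":
            entry["posts"].append((m["ip"], m["ts"], path))
    findings = []
    for entry in per_path.values():
        posts, total = entry["posts"], entry["total"]
        if posts and total >= min_hits and len(posts) / total <= max_post_ratio:
            findings.extend(posts)
    return findings

# Constructed sample log lines (documentation IP ranges), not taken from a real system.
SAMPLE = """\
192.0.2.10 - - [10/Mar/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.11 - - [10/Mar/2013:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2013:10:02:40 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4980
192.0.2.10 - - [10/Mar/2013:10:03:02 +0000] "GET /login.php HTTP/1.1" 200 1024
192.0.2.10 - - [10/Mar/2013:10:03:09 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2013:10:04:12 +0000] "POST /index.php HTTP/1.1" 200 37
192.0.2.12 - - [10/Mar/2013:10:05:30 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2013:10:06:44 +0000] "GET /login.php HTTP/1.1" 200 1024
198.51.100.4 - - [10/Mar/2013:10:06:51 +0000] "POST /login.php HTTP/1.1" 302 0
192.0.2.13 - - [10/Mar/2013:10:07:05 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, ts, path in suspicious_posts(SAMPLE):
        print(f"{ts}  {ip}  POST {path}")
```

In the sample, the login form is not flagged because half of its requests are POSTs, while the single POST to /index.php stands out against five GETs.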