rm -rf phpshell.php
^__________^ was this the exploited hole?

I think so. In fact the problem is that it got there... probably uploaded somehow... an upload-form, some web-script maybe? Check PHP permissions, I'd say. Where was enr php-file located? Do you know?

Good luck,
Jst.