fLfTPWqT.war, HjnZlFSg.war, sRLNRtow.war
I believe the entry point was an unsecured copy of xampp. If you browsed to the IP address of the server, you would be presented with an xampp login dialog. The xampp username and password had not been changed since the original install, so I am assuming this is how the war files were installed.
I removed the web apps and fixed the vulnerability in the xampp install. I didn't notice anything else wrong with the server, but I guess time will tell.
I was curious what the installed web app's functionality was, so I installed it on a testing machine at the office. It's actually a pretty cool app, but of course, quite dangerous to have running on a production machine somewhere. It's pretty much a file manipulation app - browse files/directories, download/upload, delete, copy, rename, move and launch external programs.
Here is a screenshot:
|JSP RAT screenshot|
Additional relevant information can be found here: http://grokbase.com/t/tomcat/users/12bv3sbkpy/malware-found-the-tomcat-6-0-29