Check your server access logs. My guess is that one (or more) of your cgi programs is not secure, allowing someone sneaky to upload a file into /tmp. You should be able to match up the date/time of the file and access to your CGI or possibly some other web component you're hosting, to find the insecure code. There is no entity/IP signature on a file. Btw the comment block lists some "hacker" aliases. odix is the signature but it could be absolutely anyone.
the hardest line to type correctly is: stty erase ^H