Thank you Arieh, that gave me some more piece of mind, also because I read it could be seen as php malware running in a user environment. In that case root is out of the question, because we run mod_ruid, so php only runs as the user in their accounts.
@ikkeben: Yes that's what I was thinking about too, but this kind of stuff will get in the open anyway if it's that easy. And he removed the hooks so also the scriptkiddies wil have to figure that out for themselves.
Things abused from or via inside persons is also possible, not only with this, so I don't worry about that. Persons working for you on security level is always something to keep in mind.