Credit for finding it goes to wrtl, credit for fixing to Luke.
Some more notes on "how to spot you've ben pwnd", the impatient can jump to the conclusions:
Real haxor skills are required to use this attack in a way that a) isn't traceable back to you and b) is unnoticed by the victim.
First, you want to work around a). If you set up a server with a malicious MAP_FILE, you've just given the good guys an IP to send to the authorities. So you need to inject the MAP_FILE into a server or a client without giving away your IP: you need to spoof the packet source. We're not using encryption to secure client-server connection, so you have a chance of sending a packet to the client that appears to come from the server and vice versa. You need to know the client's IP for that, a master server browser ping harvester (like I was running for some days) can get you a preselection. You need to guess the port the client is using. All these are not terribly hard problems, but each one, apart from source IP spoofing and port guessing, isn't available to a skript kiddie.
What you get: a way to modify MAP_FILE on every client currently playing, and a way to modify MAP_FILE on servers where an ingame admin is currently logged in. In each variant, there are witnesses, and you need to hide what you're doing from them. Which leads us to problem b.
Your MAP_FILE injection must not trigger an immediate error. So, it must be a valid map file along with doing the evil you want it to do. Unfortunately, our forward map file compatibility helps here: the map parser ignores everything it does not understand, so all valid XML files that contain a map are accepted. You need to create such an XML file that looks like the map played on the server.
And you need to piggy back your harmful whatever to it. This is the tough part; the two attack possibilities I mentioned, injecting an autostart entry or .ssh/authorized_keys probably won't work as non-XML files are expected here, at least on the systems I know. Also, .ssh usually is a write protected directory (on sensible setups). I guess it takes quite a lot of ingenuity to work around the problems here.
The two hack attackers we saw up to now (and I remember now) weren't even smart enough to mask their IP address for regular DOS attacks. Well, or they were and we banned the wrong guys
I don't think any of our regular evildoers would be able to do a full stealth attack.
On top of that, what you get from the attack directly is only the rights of the user that runs the game. On a default Unix server setup, that's a special user created only for that purpose. So unless there was an unpatched rights escalation bug at the time of the attack, the Unix systems running servers were safe. The server running user is created without a home directory and can't create one on his own, it has only writing rights to the AA configuration directories. The most the attacker can do is mess with your game server's settings, AFAIK there is no way to get you to execute arbitrary code by dropping something into one of our directories. Luckily, we don't have a shell command execution console command.
If you run your server as root, of course, you're doomed.
There still may have been stupid non-stealth attacks on clients. They'd be noticeable by map load failure errors. The distinguishing features of an attack rather than a normal configuration error: there would have been no mention of "404: file not found", but rather a map validation failure error.
: Unix servers running the default configuration via the init scripts under a user ID without home directory (for the .ssh attack) and without published ways to get shell commands to execute by dropping a file somewhere were safe.
Servers without ingame admins were safe.
Clients that never saw an odd map error message without "file not found" probably haven't been attacked. Errors on well respected servers accessed via a bookmark, like Lucifer's maze, wrtl's or iF's race, or wejp's planet servers were probably harmless as well.
Possible, of course, still is everything. But usually, there are better know and easier ways to break into your machine than this attack.