* Posts by Gary

1 publicly visible post • joined 16 Jan 2008

Mystery web infection grows, but cause remains elusive

Gary

not apache module

"she noticed two modules - one called mod_bwlimited and the other enable_dl - in the Apache webserver that were responsible for transmitting the randomized malware onto end users' machines"

enable_dl doesn't seem to be an Apache module - rather a configuration setting in PHP (deprecated in PHP5). See here: http://uk2.php.net/manual/en/ref.info.php#ini.enable-dl. It allows dynamic loading of PHP modules in Apache servers.

If these TWO settings are always associated with compromised servers then it suggests that PHP is involved in the compromise.
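
A defender's check for the setting discussed in the comment above, as an added example that is not part of the original post: it works out the effective `enable_dl` value from php.ini text and lists `php_admin_flag`-style overrides in an Apache config. The sample configs are constructed, the function names are hypothetical, and the default of "enabled" when the directive is absent assumes the built-in default ("1") given in the PHP manual.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_PHP_INI = """\
[PHP]
;enable_dl = On
enable_dl = Off        ; hardened earlier in the file
extension_dir = "/usr/lib/php/modules"
enable_dl = "On"       ; a later line re-enables it and wins
"""
SAMPLE_HTTPD_CONF = """\
<VirtualHost *:80>
    # php_admin_flag enable_dl on
    php_admin_flag enable_dl On
</VirtualHost>
"""

def ini_bool(raw):
    """Interpret a flag value: on/yes/true or a non-zero integer is enabled."""
    v = raw.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    return bool(re.fullmatch(r"-?\d+", v)) and int(v) != 0

def enable_dl_in_php_ini(text, default=True):
    """Effective enable_dl from php.ini text; the last assignment wins.
    default=True is an assumption based on the PHP manual's default of "1"."""
    state = default
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        m = re.match(r"enable_dl\s*=\s*(.*)$", line)
        if m:
            state = ini_bool(m.group(1))
    return state

def enable_dl_in_apache(text):
    """Return (line_no, directive, enabled) for each php_*flag/value override."""
    pat = re.compile(r"\s*((?i:php_(?:admin_)?(?:flag|value)))\s+enable_dl\s+(\S+)")
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = pat.match(line)                       # '#' comment lines do not match
        if m:
            hits.append((no, m.group(1).lower(), ini_bool(m.group(2))))
    return hits

if __name__ == "__main__":
    print("php.ini enable_dl enabled:", enable_dl_in_php_ini(SAMPLE_PHP_INI))
    print("apache overrides:", enable_dl_in_apache(SAMPLE_HTTPD_CONF))
```
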