chad, May 7 2014, 3:38 AM:
{F151010}
Somehow links to a drug website.

May 7 2014, 3:41 AM:
{F151013}
It looks like someone has uploaded a malicious home.php -- either an attacker who has found a security vulnerability on the machine (in Phabricator, or in some other service), or possibly a legitimate user of the machine.
Since the install doesn't have any auth providers configured and the file is not in a location associated with uploads or other services, I suspect this isn't a vulnerability in Phabricator, although it's hard to be sure. I also can't find any other instances of this attack in connection with a Phabricator instance, but there are plenty of them in general (e.g., in connection with WordPress instances, it looks like) -- for example:
https://www.google.com/#q=%2299+Viagra+Free+Consultations+Now%22
Because the attacker has compromised numerous machines which don't have Phabricator on them and I cannot find any other compromised Phabricator installs, my guess is that the attacker exploited a vulnerability in some other software running on the machine, not in Phabricator. But there's no real way to be sure, especially without access to logs on the host.
I think all we could do is reach out to them and be like "hey, we noticed this machine is compromised, you should probably clean it up / take it down / etc; if you have any evidence that the attack happened through Phabricator we'd be happy to try to figure out what was exploited and how to fix it". I'm not sure if we should do this or not. It feels like it might be a kind of weird overreach on our part to me?
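The reasoning in the comment above (a `home.php` that is not part of the checkout and not in any upload location is a strong sign of a file dropped by an attacker) can be turned into a triage check an operator can run on the host. The following is an added example, not code from this thread or from Phabricator itself: it compares the files actually present under the install with a manifest of what a clean deployment should contain, excludes directories that are legitimately writable, and flags leftover files whose contents carry the pharmacy-spam wording seen in the screenshot or a common obfuscated-payload pattern. The manifest, the allowed prefixes and the sample file tree are constructed assumptions; in practice the manifest would come from `git ls-files` in the pinned checkout and the tree from walking the web root.

```python
import re
from typing import Dict, Iterable, List

# Hypothetical manifest of a clean deployment (constructed for this example;
# in practice: the output of `git ls-files` for the deployed revision).
EXPECTED_MANIFEST = {
    "webroot/index.php",
    "webroot/rsrc/css/core.css",
    "src/__phutil_library_init__.php",
}

# Directories where locally created files are expected and should not be
# reported (constructed; adjust to the install's real writable locations).
ALLOWED_WRITABLE_PREFIXES = ("storage/", "local/")

# Wording from the spam pages this thread links to, plus a generic
# obfuscated-PHP pattern that dropped files commonly use.
SPAM_MARKERS = re.compile(r"\b(viagra|cialis|free consultations)\b", re.IGNORECASE)
OBFUSCATION = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def unexpected_files(actual_paths: Iterable[str],
                     manifest=EXPECTED_MANIFEST,
                     allowed=ALLOWED_WRITABLE_PREFIXES) -> List[str]:
    """Return paths present on disk that are neither in the manifest nor
    under a directory where locally written files are expected."""
    found = []
    for path in sorted(actual_paths):
        if path in manifest:
            continue
        if path.startswith(allowed):
            continue
        found.append(path)
    return found


def looks_like_spam_dropper(source: str) -> bool:
    """Heuristic content check: spam-pharmacy wording or an eval() over a
    decoded blob. A miss here does not mean the file is clean; an unexpected
    file is still worth a look."""
    return bool(SPAM_MARKERS.search(source) or OBFUSCATION.search(source))


def triage(tree: Dict[str, str]) -> List[dict]:
    """Given {path: contents} for the install, return one finding per file
    that is outside the manifest, noting whether its contents look malicious."""
    return [
        {"path": path, "suspicious_content": looks_like_spam_dropper(tree[path])}
        for path in unexpected_files(tree.keys())
    ]


# Constructed sample tree: three manifest files, one legitimate local file,
# one stray text file, and a dropped home.php serving the spam wording.
SAMPLE_TREE = {
    "webroot/index.php": "<?php /* application entry point */",
    "webroot/rsrc/css/core.css": "body { margin: 0; }",
    "src/__phutil_library_init__.php": "<?php /* library init */",
    "storage/user-notes.txt": "operator notes, legitimately written here",
    "webroot/tmp.txt": "harmless leftover",
    "webroot/home.php": "<?php echo '99 Viagra Free Consultations Now';",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_TREE):
        flag = "SUSPICIOUS" if finding["suspicious_content"] else "unexpected"
        print(f"{flag}: {finding['path']}")
```

Run against the sample tree this reports `webroot/home.php` as suspicious and `webroot/tmp.txt` as merely unexpected; `storage/user-notes.txt` is skipped because it sits under an allowed writable prefix. Any hit should be followed by checking the file's mtime and owner against the web server's and deploy user's accounts and by pulling the web server's access logs for the first request to that path, which is the evidence the comment above notes is missing.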
I think since our only option is to reach out to people and that seems sketch, not much we can do.
If this really starts blowing up, we should reach out to people anyway to make sure we don't have some vulnerability or easily-misconfigurable something or what have you.