I’ve found that more and more Trojans/worms/viruses/hackers are using ARP spoofing to inject miscellaneous code into Web pages. They’re able to do this using the following technique:
1)     An attacker scans a subnet, finds a vulnerable host, and hacks into it.
2)     The attacker installs a Trojan on the victim’s host.
3)     The Trojan sends spoofed ARP packets to gateways and other computers on the same subnet.
4)     When the other hosts on the subnet receive the spoofed ARP packets, they begin routing traffic through the victim’s host.
Here is a diagram depicting the network before ARP spoofing:
[gateway] <-> [host]
Here is a diagram depicting the network after ARP spoofing:
[gateway] <-> [victim’s host] <-> [host]
5)     The Trojan software installed on the victim’s host relays traffic to/from hosts on the subnet and inserts malicious code into HTTP responses. The malicious code injected into HTTP responses is designed to exploit Internet Explorer and to download and install Trojan software. The installed Trojan software might repeat the same process, further penetrating the network.

So, although your Web server may not have been hacked, your users might still fall victim to browser-based attacks carried out by the injection of malicious code via ARP spoofing. The best way to protect against this is to configure static ARP table entries for gateway devices on all hosts. I recommend that all network and server administrators do this.