As I said before...
What I'm really worried about is that 2 of the 7 hacked servers had almost no installed services and no other users.
(No Email or FTP service installed.)
That points the vulnerability (if there is one) to either Debian/Ubuntu LAMP or ISPConfig.
Either way it's not good.
We are still working on weather it was a weak password or a vulnerability.
What's worse is that it looks like a 'script kiddie' type of hack. They were not too clever in covering their tracks.
Missing cron jobs and history are pretty obvious clues.
If this is a vulnerability it means that this vulnerability is easily available.
Last edited by SamTzu; 2nd March 2010 at 08:50.