I should probably clarify a few things about the hacked servers.

On (or about) August 24th, my shell account was compromised. This was most likely due to using a compromised Windows system (with a keyboard logger) or a Trojaned version of an ssh program freely available for Windows. Not much you can do except attempt to minimize the damage. Mark and I do have differences of opinion on how to handle cracking attacks (I tend to be optimistic about such things; Mark isn't) which caused most of the problems we've had (and still have, by the way). Since the server was Mark's, he felt it best for everybody on the server to move their sites elsewhere and take the server down (I now suspect it'll never go back up).
I found no evidence that the machine had been compromised, but Mark thought otherwise. So I moved my sites off to one of the servers I administrate (the ones I had problems with Russian hackers doing denial of service attacks against).
A bit of background on this set of servers. I was hired to administrate four servers: two in Boca Raton (the same facility as Mark's server) and two down in Miami (at the NAP of the Americas). One of the Boca servers had hardware problems so it was decommissioned. Over the past few months I've backed up the sites across each server so that if one goes down, the remaining ones can take over (not automatically, but easily enough). During Hurricane Frances' advance towards us, one of the Miami servers crashed. The decision was made to leave it down there until after Hurricane Frances and have the other Miami server pick up the slack (easy enough to do). At the time we weren't certain why the machine crashed, but it did (later on, it was theorized that it crashed during a “test run” of taking the machine down).
The server I moved my sites to was the other Miami server, as I felt that stood a better chance of weathering Hurricane Frances.
On September 8th, the Boca server was compromised.
I honestly feel that the Boca server compromise had nothing to do with Mark's server being compromised. All the websites on the Boca server were deleted, and everything pointed to a single page, giving a shout out to a known person that worked with (or for) the company who had the majority of sites on the Boca server. Also, the Boca server had a certain class of sites on them, one where the updating of the sites was under less control than previously realized (at least by me). And given some evidence (found later on one of the other servers) it appears that the cracker in question had the actual login information for some of the sites (about half a dozen, and none of them my account), so it points to some form of inside job (again, not much you can do in that case, other than preventing other sites from being wiped out, but this was all found out after the case).
Things were still in place from our preparations for Hurricane Frances (to switch the sites to one or the other server in case of power loss), so I simply enabled the deleted websites on the Miami server and went in to the Boca facility to retrieve the now dead server. It was during this time that the Miami server was compromised and all the sites (every last site) were deleted.
Later on, I found out that the attacks were timed for the start of the NFL season, which is important since the company who has the majority of sites is a gambling/gaming company and the start of the NFL season is an important time of year.
Now, can I say for sure that the compromise of Mark's server was unrelated to the compromise of the other servers? No. Not 100%. Is it likely they're unrelated? Yes. At least in my opinion.
But in the meantime, the servers have been reconfigured and partitioned off with the hope that such an attack will have less chance of success. The number of accounts has been drastically reduced and, of the accounts remaining, the passwords have been changed. The servers are now running the latest version of everything. Will these servers be compromised again? There's always a chance. But hopefully, with some of the changes put in, the damage will be severely limited in scope.
I'm optimistic about that.