Elton
09-16-2006, 09:18 AM
People need to be aware of what some of these hackers did and check their directories VERY carefully. To be honest, I'd check even if you didn't have any visible signs of hacking, as different hackers were doing different things and it is possible that the more discreet (and dangerous) ones could have been on your server.
1. Phishing sites - I had a number of scam sites uploaded, namely attempts to grab AOL customers' credit card data. Look deep in every directory for anything suspicious. They used a file called aol.zip, but created many subdirectories to hide it.
2. r57 and c99 scripts - these were hidden in various places. I don't need to tell you guys what these can do.
3. Google AdSense code - some of mine was amended in order to steer payment to their accounts.
4. MySQL database dumps. Not much you can do if this has happened, but change all admin passwords at least.
5. IRC scripts - found a couple of these running. Again, look deep.
My ISP and I have spent all week looking for these. I still worry that we may have missed some. As I have my own dedicated server, every site on it was mine and every site got turned over.
Worst of all, I'm getting billed by my ISP for their time :(
It's possible that anyone else could have had different hackers doing different things. The exploitation was well publicised and they worked very quickly.
Well done to the Vivvo guys for getting the patch out quickly.
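A triage sweep for the leftovers listed in the post above, as an added example that is not part of the original post or of Vivvo's code. The function names, the depth threshold, the `PRIVMSG` heuristic for IRC scripts and the publisher IDs in the sample tree are assumptions made for illustration.

```python
import os, re, tempfile

SHELL_NAMES = re.compile(r"r57|c99", re.I)   # script names given in the post
AD_CLIENT = re.compile(rb"google_ad_client\s*=\s*[\"'](?:ca-)?(pub-\d+)[\"']")
IRC_HINT = re.compile(rb"PRIVMSG")           # assumption: IRC bots embed this command
TEXT_EXT = (".php", ".html", ".htm", ".js", ".tpl", ".pl")
ARCHIVE_EXT = (".zip", ".tar", ".gz", ".tgz")

def triage(webroot, my_pub_id, max_depth=4):
    """Return sorted (relative_path, reason) pairs for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if SHELL_NAMES.search(name):
                findings.append((rel, "name matches r57/c99"))
            if name.lower().endswith(ARCHIVE_EXT) and depth >= max_depth:
                findings.append((rel, "archive buried %d directories deep" % depth))
            if name.lower().endswith(TEXT_EXT):
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # cap the read per file
                for pub in set(AD_CLIENT.findall(data)):
                    if pub.decode() != my_pub_id:  # ad code pointing at someone else
                        findings.append((rel, "AdSense id %s is not yours" % pub.decode()))
                if IRC_HINT.search(data):
                    findings.append((rel, "IRC protocol strings"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; every file name and id below is made up."""
    files = {
        "index.php": b'<script>google_ad_client = "pub-1111111111111111";</script>',
        "themes/footer.tpl": b'<script>google_ad_client = "pub-9999999999999999";</script>',
        "images/a/b/c/d/aol.zip": b"PK\x03\x04",
        "cache/c99.php": b"<?php /* constructed placeholder */ ?>",
        "includes/stats.pl": b'print $sock "PRIVMSG #chan :hi\\n";',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, reason in triage(root, "pub-1111111111111111"):
            print(rel, "->", reason)
```

A name match only catches scripts that were not renamed, so an empty result does not show a server is clean; comparing the tree against a known-good copy of the site remains the stronger check.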