About one month ago one of our servers was root hacked. The hacker replaced all index files on the main drive and on the backup drive, which was mounted writeable at the time since it was updating. Since there was no remote backup (now we have one), these index files were all lost. You can imagine the kind of mess this caused. Over 500 emails. About ten good long-term customers lost.
Now, at about the same time, the official PHP server was root hacked. It is the server that contains the PHP source code. Had the hacker secretly modified code, probably nobody would have noticed. Imagine that... any machine updating PHP after that would have been compromised. See: http://news.softpedia.com/news/PHP-n...d-190664.shtml
Now, a few days later, we can read that the WordPress server was root hacked, too. Same issue here. Had the hacker secretly replaced source code, we would all have downloaded it without noticing, thinking we had just downloaded a safe new version of WordPress: http://en.blog.wordpress.com/2011/04/13/security/
This makes me wonder what is wrong. I mean, our server was administered properly with grsec, mod_security, suPHP, suEXEC, compilers off, APF firewall, rkhunter, restricted SSH access via iptables, brute force protection, regularly changed root password, fully updated OS and cPanel, and so forth. And I bet the PHP and WordPress servers were administered well, too.
Could it be that there is currently a kernel issue that is just not yet known? Because I can see servers getting hacked left and right, right now. One of the things I did after the attack was to host remote backups in different datacenters, but I find it quite concerning that we, PHP and WordPress were all hacked within one month. Something looks like it's really messed up.