I agree with the point about the vector of attack.
On my side all affected sites were "compromised" on 13th May, with some details and some traces back to 05th May.
As explained before I dug into all affected servers and it seems to be brute force over FTP (not so brute), as standard passwords are easy to guess; affected users didn't change the passwords, or used the usual dictionary passwords.
I can't locate other traces and the servers still have Tripwire etc., with a double check daily, and don't identify any binary changed.
OK, I understand the point about up-to-date versions, but the only affected domains have ProFTPD enabled; the other domain with NO local web hosting doesn't have any traces.
All administrative passwords are OK, all email passwords are OK.
Personally it seems to me a problem with ProFTPD.
My actual concern is:
OK, what is the best way to "mass clean" compromised files / domains to proceed to a full fresh server deploy and use PPM on clean data, as there is no sense in a fresh server deploy without 100% of the data.
If someone can help with this point too.
Jr