buggerit: However, the admin login had not been accessed for a long time which I immediately checked, so it was unlikely to be through the administrator backend using the default admin login (which I will be removing from now on though!).
I also reviewed the raw logs files and could not find any suspicious POST activity. Maybe Orcon will be able to review the logs for each hacked site on their server and identify the pattern?
I just don't believe it's a CMS issue. It is most of the time I agree. But for a whole lot of sites on one server maybe having an FTP account or admin backend account and password all hacked within days of each other seems strange.
any hacker worth his/her weight would/should delete or fake the logs to hide their activity :P