Today I've received two emails from lfd stating:
Subject: lfd on xxxxxx.xxxxxx.tld: Account modification alert
=====================================================
Time: Mon Feb 23 04:02:20 2009 +0100
Reported Modifications:
Account [root] password has changed
=====================================================
Subject:lfd on xxxxxx.xxxxxx.tld: SSH login alert for user root from 94.75.224.3 (EU/-/hosted-by.leaseweb.com)
=====================================================
Time: Mon Feb 23 04:02:29 2009 +0100
IP: 94.75.224.3 (EU/-/hosted-by.leaseweb.com)
Account: root
Method: password authentication
=====================================================
I'm quite happy that I left screen running on the server, so that I could change back the root password, delete the new account (Reported by lfd - New account [plesk-root] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/sh]) and take a look at the damage:
- syslog was stopped
- nothing in /var/log
- exim not running
Anyone else had this? A friend of mine had 3 servers with this same issue...
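One way to triage alerts like the two quoted in the post, as an added example that is not part of the original post or of lfd: it parses lfd alert text and flags a password change followed within 60 seconds by a password login to the same account, plus any newly created uid 0 account. The sample text, host, IP, account name and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the alerts quoted above. Host, IP and account
# name are placeholders; putting the "New account" line in this alert is an assumption.
SAMPLE = """\
Subject: lfd on host.example.tld: Account modification alert
=====================================================
Time: Mon Feb 23 04:02:20 2009 +0100
Reported Modifications:
Account [root] password has changed
New account [svc-admin] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/sh]
=====================================================
Subject:lfd on host.example.tld: SSH login alert for user root from 203.0.113.7 (EU/-/example.net)
=====================================================
Time: Mon Feb 23 04:02:29 2009 +0100
IP: 203.0.113.7 (EU/-/example.net)
Account: root
Method: password authentication
=====================================================
"""

def field(name, block):  # value of a "Name: value" line, or "" when absent
    m = re.search(rf"(?m)^{name}:\s*(.+)$", block)
    return m[1].strip() if m else ""

def parse_alerts(text):
    """Split the mail text on Subject: lines and extract the fields lfd prints."""
    blocks = re.split(r"(?m)^(?=Subject:)", text)
    return [{
        "time": datetime.strptime(field("Time", block), "%a %b %d %H:%M:%S %Y %z"),
        "pw_changed": re.findall(r"(?m)^Account \[([^\]]+)\] password has changed", block),
        "new_uid0": re.findall(r"(?m)^New account \[([^\]]+)\] .*uid:\[0\]", block),
        "login": field("Account", block),
        "ip": field("IP", block).split(" ")[0],
        "method": field("Method", block),
    } for block in blocks if field("Time", block)]

def correlate(alerts, window=timedelta(seconds=60)):
    """Flag new uid 0 accounts and password changes followed by a password login."""
    findings = []
    for a in alerts:
        findings += [("extra-uid0-account", n, None) for n in a["new_uid0"] if n != "root"]
        for acct in a["pw_changed"]:
            for b in alerts:
                if (b["login"] == acct and b["method"].startswith("password")
                        and timedelta(0) <= b["time"] - a["time"] <= window):
                    findings.append(("pwchange-then-login", acct, b["ip"]))
    return findings
```

Calling `correlate(parse_alerts(SAMPLE))` returns one finding for the extra uid 0 account and one for the 9-second gap between the password change and the root login.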







