Quote: use a security hole in a php- (or cgi)-app of one customer, upload a custom cgi, change the php.ini (if you want to continue with php)... etc
Hacking a website will give you access as the corresponding vuXXXX user (and you don't need to change the domain's php.ini for that). Anyway, vuXXXX users don't have access to the control panel (neither as reseller nor as user). Hence, hacking a website is not an attack vector to obtain admin/reseller credentials...
Quote: The server (kernel) was updated to the last stable versions of packages. I had installed & configured fail2ban, logwatch, blocked ports by iptables. I don't send my passwords by email and never published whole internet and my local machine. I don't know how he got the password to the reseller account.
I must insist that a reseller should not be able to run commands as root. Therefore, along with the reseller password stealing, the attacker *must* have used another attack to obtain root privileges (if he/she really obtained root privileges at all).
I'm starting to suspect that the server logs weren't really destroyed. It simply makes no sense at all for the attacker to spend so much time changing FTP accounts' passwords to replace the websites' files if he had root access. Hence, I think that by "logfiles were destroyed" you are referring to the USER logfiles (those stored in /var/www/virtual/domain.com/logs) instead of the MACHINE logfiles (those in /var/log).