Well, looking at their past history of hacks on Zone-h.com, you can see that all they do is deface the pages of the first one, then protest against the USA and Bush on the war. You can also see that if they root one IP of the entire machine, they just alter all the index.php files for every domain on that machine. A simple search on Google for TechTeaM Defacement will easily get you a few dozen sites that checked out how they did it. All were done with the OpenSSH flaw.
What they did was drop a nasty little PHP script called rox.php that could be called from a web browser and could pretty much do anything. A screenshot I posted here, before I removed the evil PHP script.
Scary how much power that damn thing has.
It seems that they dropped the script prior to Dreamhost updating the security files. I remember a few months back we were under DoS attack. I’m guessing that’s their zombied bots executing their attacks on all the IPs that are hosted, which dropped these PHP files. From there maybe it’s just manually going through each site to the rox.php script (or whatever they named it to) to deface the page.
Fortunately I have a webservice that checks to see if my website appears on defacement websites, and it notified me immediately when it appeared. From there, I just did some investigating, got rid of the malevolent file, and uploaded my backup.
Pretty damn annoying, although I’m glad they didn’t really destroy data.
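
Added example, not part of the original post: one way to see what changed before restoring from backup is to hash a known-good backup tree and the live web root, then report added files (a dropped script like rox.php may have been renamed, so the check does not rely on names) and modified ones (such as replaced index.php files). The domain directories and file contents below are constructed sample data.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare(backup_root, live_root):
    """Return (added, modified, missing) paths in live relative to backup."""
    old, new = manifest(backup_root), manifest(live_root)
    added = sorted(p for p in new if p not in old)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    missing = sorted(p for p in old if p not in new)
    return added, modified, missing

def write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)

def demo():
    """Constructed sample: two domains on one account, one dropped script."""
    base = tempfile.mkdtemp()
    files = {"site-a.example/index.php": b"<?php echo 'home a';",
             "site-b.example/index.php": b"<?php echo 'home b';",
             "site-b.example/contact.php": b"<?php echo 'contact';"}
    for tree in ("backup", "live"):
        for rel, body in files.items():
            write(os.path.join(base, tree, rel), body)
    live = os.path.join(base, "live")
    # Simulate the incident: each index.php replaced, one extra PHP file added.
    for dom in ("site-a.example", "site-b.example"):
        write(os.path.join(live, dom, "index.php"), b"<html>placeholder</html>")
    write(os.path.join(live, "site-a.example", "rox.php"), b"<?php /* inert */")
    return compare(os.path.join(base, "backup"), live)

if __name__ == "__main__":
    print(demo())
```

Point `compare()` at a real backup directory and web root to get the same three lists for an actual account; anything in the added list that is not in the backup deserves a look before the restore overwrites the evidence.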