Tag-team attack exploits IE flaw
Robert Lemos, SecurityFocus 2006-09-25

Story continued from Page 1

A glaring error caused the privilege-escalation vulnerability in cPanel. Because of the order in which the program searched for a specific database script, an attacker with access to the home directory of any user or Web site on the server could place a special file in the directory and the program would execute that file first. The commands would be run at the highest level of privilege, or root.

"They (the attackers) have to have a regular user account on the server," said Dan Muey, one of cPanel's core developers. "There is a module--it goes through a list of directories looking for the module. They would put a module in the home directory, and it would run the module first."
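As an added illustration, not code from the article or from cPanel, the loader logic below reproduces the search-order problem described above using constructed directories: the naive lookup returns whichever copy of the module appears first on the search path, while the hardened lookup skips any candidate unless the file and its directory are owned by the trusted uid and writable by nobody else. The module name, directory names and the uid used here are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

MODULE_NAME = "DbScript.pm"   # placeholder name; not cPanel's real module


def find_first_match(search_path, name=MODULE_NAME):
    """Naive lookup: the first directory holding the file wins (the vulnerable order)."""
    for directory in search_path:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def is_trusted(path, trusted_uid=0):
    """Accept a candidate only if the file and its containing directory are owned by
    trusted_uid and carry no group/other write bit; symlinks are rejected outright.
    A production loader should apply the same check to every parent up to the root."""
    p = Path(path)
    if p.is_symlink():
        return False
    for part in (p, p.parent):
        st = os.lstat(part)
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


def find_trusted_match(search_path, name=MODULE_NAME, trusted_uid=0):
    """Hardened lookup: same search order, but untrusted candidates are skipped."""
    for directory in search_path:
        candidate = Path(directory) / name
        if candidate.is_file() and is_trusted(candidate, trusted_uid):
            return candidate
    return None


def demo(trusted_uid=None):
    """Constructed layout: a system dir and a user home dir both hold a module of the
    same name, with the home dir first on the search path, as in the vulnerable setup.
    Returns the directory names chosen by the naive and the hardened lookup."""
    trusted_uid = os.getuid() if trusted_uid is None else trusted_uid
    with tempfile.TemporaryDirectory() as root:
        system_dir, home_dir = Path(root) / "usr_local_lib", Path(root) / "home_user"
        for d in (system_dir, home_dir):
            d.mkdir()
            (d / MODULE_NAME).write_text("# constructed placeholder module\n")
        os.chmod(system_dir, 0o755); os.chmod(system_dir / MODULE_NAME, 0o644)
        # Simulate the attacker-controlled directory: writable beyond its owner.
        os.chmod(home_dir, 0o775); os.chmod(home_dir / MODULE_NAME, 0o664)
        search_path = [home_dir, system_dir]   # home first: the vulnerable order
        naive = find_first_match(search_path)
        hardened = find_trusted_match(search_path, trusted_uid=trusted_uid)
        return naive.parent.name, (hardened.parent.name if hardened else None)
```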

The attack basically turns access to a single Web site on a server into a beachhead from which all the other Web sites can be compromised. Mass attacks are typically a tactic used by Web-site defacers to exponentially increase the number of sites they tag with their digital version of graffiti. There typically has not been a significant upside for hitting a large number of Web sites with a known exploit. Yet, the focus on exploits that attack vulnerabilities in Web browsers, and in particular Internet Explorer, has made mass attacks much more valuable as a way to infect a greater number of Web surfers.

The attacks escalated an already serious issue for Microsoft Windows users. Last week, the software giant confirmed reports that attacks were exploiting an unpatched flaw in its flagship browser, Internet Explorer. While the company is rushing to test a patch for the problem, a group of third-party researchers has already released a fix for the issue. Microsoft does not advise its customers to install the unsupported patch, however.

The software giant declined to comment for this article, but its public relations firm pointed to an entry on the company's security response blog as its latest statement on the issue. The message, posted on Friday, stated that the company had not seen any widespread attacks exploiting the issue.

"Attacks remain limited," Scott Deacon, operations manager for Microsoft's security response center, said on the company's response blog. "There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either. Of course, that could change at any moment."

Indeed, it may already have changed.

HostGator's Oxley points to the latest Internet Explorer flaw, which occurs in the component that handles the Vector Markup Language (VML), as the security hole through which the malicious sites attempted to attack visitors. Oxley answered a request for comment from SecurityFocus by asking that the interview be conducted through e-mail, but had not replied to questions by Monday evening.

"We believe whoever did this was perfecting what they were about to launch and waiting for the right moment," Oxley said in a Sunday forum posting announcing that HostGator had resolved the security issue. "They chose a few days ago to launch it in full force to exploit Microsoft's newly announced VML exploit."

By early Sunday morning, the company had cleaned off its customers' servers and Oxley warned other hosting providers to do the same.

"All other hosting companies that haven't applied this patch are going to get it installed automatically tonight--many of them will remain exploited until they clean their boxes as we did," he said, adding that other companies need to look to their security as well.

"The person or group that did this is very intelligent, and obviously knows how to plan a big attack. While we are protected from this threat, we cannot predict what's to come for HostGator and the industry. Nobody can."

Copyright 2008, SecurityFocus