We had a customer that had a server hacked with a phishing site created on one of their web servers. It appeared to be an automated attack which leveraged a vulnerability on wordpress. From there they were able to install several other files on the server. It was stopped before they could do anything else but we found other vulnerabilities which would have allowed them to gain access to most of the network.
This was on a linux server and they didn’t even need root to do this. It was all done through application software which hadn’t been properly patched.
“... It was all done through application software which hadn’t been properly patched.”
That’s always the killer, if you don’t keep up with the security patches you’re dead meat.