My server was hacked this weekend. By the Russians! Of the 50+ domains on my server, every single one had a hacked .htaccess file which was redirecting search results and a few other things to a Russian site.

I’m assuming that one of the many, many WordPress installs has a plugin with a security flaw.

Two questions:

  1. Is it possible for a security hole in one plugin to allow someone access to other sites on the same server?
  2. What would a security flaw look like that might give someone access to the .htaccess file a directory or two above?

It’s possible that the issue was someone else, that DreamHost (my host) has bigger issues. But, I’m exploring the option that it’s my fault.

Thoughts?

2 Answers
2

Personal Opinion: I had the same thing with (mt) Media Temple twice last year. They told me/us that it was a WordPress issue, but it wasn’t. I heard the same from DreamHost last year. So: don’t think about it too much, just remove the hack and blame your host (again).

Anyway: You could read this thread. If your DB got “infected”: There’s also a link to the plugin I wrote to remove the inserted links from my database. Give it a try.
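For checking every site directory at once, here is an added example (not from the question, the answer, or the linked plugin) that flags .htaccess directives redirecting to hosts you do not own, and notes when the redirect is conditional on referer or user agent, as search-result hijacks usually are. The thread does not show the injected rules, so the patterns, the sample file and the `example.*` host names are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Directives that can send a visitor to an absolute URL.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b"
    r".*?(https?://[^\s\"']+)", re.IGNORECASE)
# Conditions keyed on referer or user agent (e.g. "came from a search engine").
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\b", re.IGNORECASE)


def scan_htaccess(text, own_hosts):
    """Return (line_no, host, conditional) for each redirect to a foreign host."""
    findings, conditional = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if COND_RE.match(line):
            conditional = True
            continue
        m = REDIRECT_RE.match(line)
        if m:
            host = (urlparse(m.group(2)).hostname or "").lower()
            if host and not any(host == h or host.endswith("." + h) for h in own_hosts):
                findings.append((no, host, conditional))
        if RULE_RE.match(line):
            conditional = False  # RewriteCond lines apply only to the next RewriteRule
    return findings


def scan_tree(root, own_hosts):
    """Scan every .htaccess under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob(".htaccess")):
        hits = scan_htaccess(path.read_text(errors="replace"), own_hosts)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, not taken from the compromised server.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^.*$ http://redirect.example.net/in.php [R=301,L]
ErrorDocument 404 http://redirect.example.net/404.php
RewriteRule ^index\\.php$ - [L]
Redirect 301 /old https://www.example.com/new
"""
```

Call `scan_tree` on the directory that holds all the site roots, passing the set of domains you host as `own_hosts`; anything it reports is a redirect to a host outside that set and should be compared against a known-good copy of the file.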
