could be weak perms - I had my images dir switched to 777 to test something
and forgot to switch it back... had some new & special files in there in
under 48 hours. was a fairly harmless hack.

but just sticking an iFrame element on a site with src= pointing to the
box 'O sploits is quite straightforward. I'd think the server portion of
this attack is XSS against some inherently weak add-on like Xoops or
unpatched WordPress etc.

--
http://brokertech.parallel42.ca/blog