Security Problems?
zackpunk
One of my blogs was hacked into. Fortunately, it was still in the process of being set up, and there wasn't really anything there. The hacker was able to alter the output files -- the main index file itself, but did not seem able to get into the mt interface. It seems like all my permissions were set up according to the instructions. I had trashed mt-load.cgi as instructed. Are there any known security holes in Movable Type? Aside from setting my permissions according to the instructions, are there any other measures I should/could be taking?
nammer
Hm. Interesting that your thread and this thread should appear simultaneously - perhaps some of Kristine's comments might be helpful to you even though the other person had a different experience.

The one and only time my host's servers were hacked (that I know of), the problem was just as you describe - they overwrote my main index, and a rebuild restored everything to the pre-hack state. If that's what happened, I would be concerned, but not overly so - overwriting the index file is a possibility, but it's not a vulnerability, just something that could happen to any site, MT powered or not. MT actually has measures in place to prevent visitors from entering code in your comment fields, for example, that would cause scripts to execute - that would be a vulnerability in the software.

I hope this helps -

Donna
btrott
Do you see any logins in your activity log that would show someone else logging in to MT as you? It's possible that someone was able to hack your account on the server level, not at MT, and delete your files that way. As Kristine said, even if you delete posts, templates, etc. in MT, they aren't deleted on the server--so that would imply that someone actually deleted the files directly from your hosting account (not from within MT).