The Cisco blog post has been updated to change a key finding Ars reported in the following post. Contrary to Cisco's earlier reporting, the update says not all the servers compromised in the attack were running Linux version 2.6. "We have not identified the initial exploit vector for the stage zero URIs," the update stated.
"It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the below strike through annotations reflect that. We also want to thank the community for the timely feedback."