Over the weekend our (dedicated) server was compromised.
The result was an unauthorised PERL process listening on port 80.
The instant effect of this was our Host, UKFast closed off the server to protect us, but of course this meant all our sites were unavailable.
It was about 12 hours over Saturday night before they managed to contact us and obtain our agreement on the next course of action (my fault as I was ''off the grid' and unobtainable.)

Their opinion is that one of the customer data input fields was used as a method of installing some code to open the port.

Out of the 5 sites on the server, only one is currently in V11 and so has the Contact Us page Captcha
UKFast have not been able to identify which site was used to make the compromise, so far.

Can anyone provide any advice on this?
Are the customer data input fields protected/cleaned to prevent this kind of attack?
If not, is there anything we can do to protect ourselves?

I must say, UKFast were brilliant, spending a good half an hour discussing the precise details and offering advice and assistance.