I still don't know how they can do it, but they do.
Someone can write an index.html file on my webspace, probably because of some vulnerability.
I applied patches 004 and 006; I will also try the others, but I don't know if it will be useful, because the hacker also cracked XS1.
Then I updated to the latest XS2 version (058), but the problem remains.
Do you know about this: http://secunia.com/advisories/21841
Bye and thanks for any suggestion.
P.S.: I exclude FTP password brute-forcing.