it seems not the server is hacked but the script running in those domains.
Some scripts are really badly written and can be exploited easily by appending for instance some string in the url.
Even joomla official website was hacked not too long ago, just to say if someone really sets their mind to it, no script is absolutely safe.
Look into the scripts running in those two domains and see what happened to it and check their documentation/forum for bugs and such.
As Ronald explained, you’ve got insecure scripts running. You may have other security problems, but the evidence definitely points to insecure scripts. Update the applications that allowed their index.php to be changed–if there is no update that fixes the security issues that allowed someone in, then you’ll need to find a replacement application.
You can also improve the security of your system by switching to running all applications under suexec. I’ve discussed setting this up for Virtualmin GPL several times here in the forums (and it’s mostly automatic under Virtualmin Professional). You do need an Apache package that has had suexec recompiled with docroot set to /home, however, and we don’t provide one for Virtualmin GPL on Fedora (we do provide them for Fedora on Professional, and we provide them for CentOS on GPL…but we try to discourage folks from running Fedora on servers, as the lifecyle is just too short…stability of some applications can also be a problem on Fedora, as it is effectively the public beta of RHEL).