After reviewing the post http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=5310&forum=21
I applied the newest patch immediately to the 2 production servers and 1 dev server at 1and1.
Also, I changed the permissions of /var/www/vhcs2/gui/admin/change_password.php: as I'm not likely to change my password every day, I changed it to 000 so no one can execute it.