It appears the JAA phone version server was hacked. I expected it would happen at some stage, because it has open ports and other vulnerabilities to function correctly – like any server connected to the internet (especially a windows server). It is not a big problem though because the software itself is encrypted, and can’t be decrypted without physical access to the hardware. Also it is isolated from other servers on the network.
At this stage I’m not sure what the purpose of the hack was. It was probably a random attack. I changed the server in case I missed anything. The migration only took about 15 mins, so the server was only briefly down.
I compared user data to backups, and it doesn’t appear user data and wheel profiles were touched. I’ll see what can be done to prevent it happening again, but even if it does, it wont be a big problem because of its isolated environment and easy restoration.