They have a list showing 26 hosts on that IP that were defaced. Randomly checked four of them (which are fixed now), all WordPress. But then #5 looked like a static HTML site (http://outrightoriginal.com/), so I'm going to go with server compromise, not CMS compromise.