server is hacked, please help



jack
05-11-2006, 08:15 AM
The attacker uploaded a shell script to /var/www/webmail/tmp/
I have no idea how it is done. Does webmail have a flaw?

Aspegic
05-11-2006, 09:00 AM
Who is the 'owner' of the script in the tmp folder? Is it 'apache'? If it is, then most likely some script on your server was exploited. Check to see if you have the latest versions of phpMyAdmin, Mambo, Joomla, Coppermine, Webcalendar, Awstats, Horde etc. etc.

If the owner of the script is 'root' (or maybe some other user) then you may have a bigger problem.

You may also find some additional useful tips on protecting your server here: http://www.directadmin.com/forum/showthread.php?s=&threadid=13023

You may also want to search this forum; there are several threads titled "Help, my server was hacked" (or similar) and several of them contain tips on protecting your server.
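
The ownership check suggested in the post above, as an added example that is not part of the original thread: it lists every regular file directly inside a directory such as /var/www/webmail/tmp/ and labels each one by owner. Assumptions: GNU `stat` is available, the web server account is named in `WEB_USER` (default `apache`), and the function names `classify_owner` and `triage_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: triage file ownership in a web-writable directory.
# Assumptions (not from the thread): GNU stat, and a web server that
# runs as the account named in WEB_USER.
WEB_USER="${WEB_USER:-apache}"

# Map a file owner to one of the cases described in the post above.
classify_owner() {
    if [ "$1" = "$WEB_USER" ]; then
        echo "web-script"   # written by the web server process
    elif [ "$1" = "root" ]; then
        echo "root"         # not explained by a web script alone
    else
        echo "other-user"   # created under a local account
    fi
}

# Print "<class> <owner> <mode> <mtime> <path>" (tab separated) for each
# regular file directly inside $1, hidden files included.
triage_dir() {
    for path in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # Skip unmatched globs, directories and symlinks.
        if [ ! -f "$path" ] || [ -L "$path" ]; then
            continue
        fi
        owner=$(stat -c '%U' -- "$path") || continue
        mode=$(stat -c '%a' -- "$path")
        mtime=$(stat -c '%y' -- "$path" | cut -d. -f1)
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$(classify_owner "$owner")" "$owner" "$mode" "$mtime" "$path"
    done
}

# Stand-alone use: sh triage.sh /var/www/webmail/tmp
if [ "$#" -gt 0 ]; then
    triage_dir "$1"
fi
```

The modification times in the output can be matched against the web server access log to see which request was being served when each file was written.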

jack
05-11-2006, 09:43 AM
Thanks. Is there any server management company specializing in securing and optimizing DirectAdmin servers? I think I'll need such a company to take a look at my server.

hostpc.com
05-12-2006, 02:53 AM
Feel free to email me at support@hostpc.com.

We can help you with this today if necessary.