There are three million servers hacked and owned in the world, according to "scientific and anecdotal evidence" by new kid on the security block Trustcorps.

By hacked and owned, it means someone out there has a back route into the server and so can effectively do what they want - delete files, move them around, store illegal software or force the server to send millions of data packets to one particular server in a denial-of-service attack.

Trustcorps breaks it down like this: An average hacker owns 600 to 800 systems at any point in time. On average, they will own those systems for six months at a time. There are at least 1000 hacker groups, with an average of five hackers. Hence 5x1000x600 = 3 million.

The "at least" 1000 groups and 600 "to 800" systems comments suggest that the real figure is in fact much higher. Say, 1200 groups and 800 computers each - that's an incredible 4.8 million owned computers.

Is this just the usual over-the-top fear-inducing information we see all the time in security issues? Well, Trustcorps hasn't issued the usual "you will all die - unless you buy our product" warning. However, it only started up at the end of last year so it is trying to make a name for itself.

We ask Trustcorps CEO Nick Ray if he is scaremongering. "Absolutely, there is an element of scaremongering here, but then there is good reason to be scared."

Nick tells us that the figure for total owned machines was initially inspired by the number of new clients that came to them asking about files and security holes that had popped up after they had installed the company's software.

"We have a compromise detection suite that finds hidden files, hidden ports etcetera. And we have had an alarming number of companies that ran it and then come to us with compromised systems - but with no evidence of anything malicious having been done."

It seemed that there were large numbers of compromised systems out there but which weren't abused in anyway, so the actual owners remained unaware. Why? Nick Ray blames it on automated hacking software that does port scans and if it finds a hole, installs a bit of code and reports back the hacker.

"A hacker can wake up in the morning, set an autorouter going and at the end of the day have a list of a couple of hundred compromised servers. He can then go through them at his leisure and see if he has hacked any big systems - companies he knows or companies that have large bandwidth or storage systems."

This assertion is certainly backed up by real world examples and seems plausible. Nick Ray speaks of clients that have found gigabytes of ripped MP3 files on their servers - stored there by someone who doesn't want the RIAA threatening to sue him. Or ripped DVD films - where a company's bandwidth makes the ripping easier, faster and safer than through an individual's own broadband connection.

As for automated port scanning and hacking tools - anyone who has sat in front of a firewall watching all the attempts made to access your system, even if it's invisible to the outer world, can contest to the fact that there is a lot of random scanning going on.

Ray says that clients who are unknowingly hacked tend to be people who think they have nothing of value, no credit card details or fast pipes, so they don't concern themselves with security. But because new automated hacking tools are random, they are randomly hacked. Although the hacker may not use the system, he doesn't remove backdoor into the system in case it comes in handy later.

Of course, it is also likely to be these companies that Ray and his company Trustcorps are chasing for business, so, as ever, take everything you hear with a pinch of salt.