For a little background, here is my previous post - http://forums.digitalpoint.com/showthread.php?t=806469 All seems to be well, after my web host fixed some Apache "permissions" issues. Then, the day before yesterday, I found out that another site of mine had also been hacked, on April 16. The first hack discussed above was by the Turkish guy. This new hack was by lankasri, from an Indian IP. This second time, they uploaded 1,627 files into my /auth/files/, turning my web site into a zombie server for them. I was looking through my AW Stats, and I noticed the keyword lankasri. Then I searched Google, and I found the files. Google HAD INDEXED them!!! I contacted my host, and once again it was an Apache "permissions" issue. My host has fixed the issue, and deleted the files, along with reporting them to . Check your Apache permissions. I am told that there are people who spend a lot of time trying to write their bogus files into thousands of Apache servers. Apparently, they are successful many times. Your permissions can get changed by various actions, even though you yourself DID NOTHING! Look for huge jumps in your /auth folder. They added 117MB of files to my site, which more than doubled my total MB count. Each file renders an ugly yellow "Not Found" page, but if you view the page source, it is full of cr@p, including pron links. I will be looking for this stuff every day, from now on.
Are you sites getting infected through your scripts or another users? Do you have open_basedir set by the host, as if you don't any 777 folders can be written to by another user (within reason). Jay