Well, I woke up this morning and found this email waiting for me in my inbox (forwarded from my host):

---------------------------------------------------------------
[XXXX] AOL Reporting Abuse - Password Solicitation
Date: Tue Dec 27 23:15:41 2005
From: AOL OpsSec Countermeasures <antiphishing@aol.net>
To: , ,

Hello,

The URL stated in this report has been investigated and found to contain a Phishing site. Please inspect this url and take the required action to disable this site at your earliest convenience.

http://XXXX.com/files/aolcard/?JbQq...TDrferHCURstHbsYaNyApAisNRFD&login_access=109

Thank you for giving this matter your attention.

AOL Operations Security Investigations & Countermeasures
Ticket: [XXXXXX]
________________________________________________________________

It turns out someone had created a mock AOL page on my site asking for credit card info, passwords, etc. Anyway, we got the files deleted and hopefully straightened out. I have shared hosting with a big hosting company. My question is... should I be worried about this? Now that these people know that they can access the server, will they be back? Has anyone else had this happen to them? How do you go about ensuring that this doesn't happen again, or at least lessening the chance?
You need to change your password immediately. And contact your hosting company to find out what IP accessed your site. They might not be able to give it out, but at least they can confirm it is not your IP. If it keeps happening, get another hosting company. I actually ran into a guy here in Denver; the same thing was happening to him. His website had been hacked at least twenty times.
I changed all of my passwords to my control panel, DBs, FTP, etc., and these guys were still getting in. It happened at least 15 times. I would delete the files and an hour later they would pop back up, all of them set with root permissions. So, I contacted my host and they absolutely refused to help me, other than to delete the files. So... I spent literally 24 hrs straight monitoring my logs and I finally figured out how these guys were getting in. On all my sites, I noticed these files were being called:

/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlrpc.php

Well, on 9 of my 10 sites, these files were never present. Anyway, they were using this as a way to gain access. There's more to it, but I don't want to post it here. So I just took my one site down that had this vulnerable file until I could update, and changed all folders that were chmod 777. These URLs are still being called almost hourly, but they haven't been able to get back in.

http://vil.nai.com/vil/content/v_136821.htm#MethodOfInfection
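As an added example (not code from anyone in this thread): a small Python scanner for the kind of log review the post above describes. It assumes Apache/nginx combined-format access logs and uses constructed sample lines; it flags requests for the listed xmlrpc.php probe paths, tallies them per source IP, and separates probes answered with 404 (the file is not there) from hits actually served with 2xx, which point at the one site that really has the file and needs updating.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumption: the host's logs use it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Probe paths quoted in the post above; any other path ending in xmlrpc.php is flagged too.
KNOWN_PROBES = {
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
    "/xmlrpc/xmlrpc.php", "/xmlrpc.php",
}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec

def scan(lines):
    """Return (probe count per source IP, probes that were actually served with 2xx)."""
    probes_by_ip = Counter()
    live_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] not in KNOWN_PROBES and not rec["path"].endswith("/xmlrpc.php"):
            continue
        probes_by_ip[rec["ip"]] += 1
        # A 404 just means a scanner asked for a file that is not there; a 2xx reply shows
        # the file really exists on this site, i.e. the install to take down and update.
        if 200 <= rec["status"] < 300:
            live_hits.append((rec["ip"], rec["method"], rec["path"]))
    return probes_by_ip, live_hits

# Constructed sample log lines (not from the poster's server); run scan(SAMPLE_LOG).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Dec/2005:03:14:09 +0000] "GET /drupal/xmlrpc.php HTTP/1.1" 404 212 "-" "-"
198.51.100.7 - - [28/Dec/2005:03:14:10 +0000] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 212 "-" "-"
198.51.100.7 - - [28/Dec/2005:03:14:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 97 "-" "-"
203.0.113.5 - - [28/Dec/2005:03:20:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [28/Dec/2005:03:20:01 +0000] "GET /wordpress/xmlrpc.php?rsd HTTP/1.0" 404 212 "-" "-"
""".splitlines()
```

Feed it your real access log line by line in place of SAMPLE_LOG; an IP with many probes and a 2xx on any xmlrpc.php is the combination worth acting on.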