- 09-21-2009 #1 Just Joined!
- Join Date
- Apr 2003
- Posts
- 52
I really need help - prevention of hacking
Hi,
I have a dedi unix server with HostGator running WHM - cPanel - and I am getting a nuisance hack. I have never experienced this before and believe it must be because of a security breach in WHM - my passwords are relatively secure. Here is some command line stuff. The script installs itself in the images folder of the site, in a folder called bankofamerica.com -
drwxr-xr-x 3 cpm112 cpm112 4096 Sep 15 20:26 UpdatingScreen.dostate=CAupdating. cfmpage=corp_bofacom.BankofAmricaScreen.dostate=CA
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking]# cd U*
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate =CAupdating.cfmpage=corp_bofacom.BankofAmricaScree n.dostate=CA]# ls -l
total 116
-rw-r--r-- 1 cpm112 cpm112 44908 Sep 12 02:09 details.php
-rw-r--r-- 1 cpm112 cpm112 318 Jan 31 2006 Finish.php
-rw-r--r-- 1 cpm112 cpm112 1659 Sep 19 22:35 Gooodshot.php
drwxr-xr-x 2 cpm112 cpm112 4096 May 8 2008 images
-rw-r--r-- 1 cpm112 cpm112 372 Jan 6 2008 index.html
-rw-r--r-- 1 cpm112 cpm112 19910 Sep 12 04:08 login.php
-rw-r--r-- 1 cpm112 cpm112 10769 Jan 9 2009 passcode.php
-rw-r--r-- 1 cpm112 cpm112 13663 Jan 9 2009 question.php
-rw-r--r-- 1 cpm112 cpm112 7726 Sep 12 04:08 signon.php
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate =CAupdating.cfmpage=corp_bofacom.BankofAmricaScree n.dostate=CA]# vi Goodshot.php
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate =CAupdating.cfmpage=corp_bofacom.BankofAmricaScree n.dostate=CA]# vi Gooodshot.ph p
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate =CAupdating.cfmpage=corp_bofacom.BankofAmricaScree n.dostate=CA]# grep -R "mail\( " *
grep: Unmatched ( or \(
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate =CAupdating.cfmpage=corp_bofacom.BankofAmricaScree n.dostate=CA]# grep -R "mail/( " *
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1] .com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate =CAupdating.cfmpage=corp_bofacom.BankofAmricaScree n.dostate=CA]# grep -R "mail[( ]" *
Gooodshot.php:if(mail($send,$subject,$message,$headers) != false){
Gooodshot.php:mail($Send,$subject,$message,$headers);
[root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1].com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate=CAupdating.cfmpage=corp_bof acom.BankofAmricaScreen.dostate=CA]# [root@rel /home/cpm112/public_html/images/bankofamerica.com/www.bankofamerica[1].com/reputionbankofamerica.com/reputionOnline/BofABanking/UpdatingScreen.dostate=CAupdating.cfmpage=corp_bof acom.BankofAmricaScreen.dostate=CA]#
Any tips on what to do, and how could I do a monitor of all sites in the /home directory for the presence of these files/folders? If there is a routine that would check, I can pipe it to a cron job and have it email me + delete.
Thanks in advance
- 09-21-2009 #2 Just Joined!
- Join Date
- Mar 2007
- Posts
- 32
It's quite natural to have hack issues in the web hosting environment. The potential root cause of the problem appears to be with the FTP. The link below gives you the detailed result on it.
Solution For Iframe Java Script Hack - cPanel Forums


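Added example, not part of the original thread: a report-only sweep of the kind the first post asks for, flagging PHP files and hostname-style folders beneath any images directory in every account's docroot. The function name, the tag names and the /home/<user>/public_html layout are assumptions of this example.

```shell
#!/bin/sh
# Report-only sweep for content dropped into image folders (added example).
# Assumption: cPanel-style layout /home/<user>/public_html, and image
# folders are never expected to contain PHP or hostname-like directories.
#
# Output, one finding per line, "<TAG><tab><path>":
#   DOTTED_DIR     directory below images/ whose name contains a dot
#                  (e.g. images/bankofamerica.com)
#   PHP_IN_IMAGES  .php file below images/
#   PHP_MAILER     .php file below images/ that calls mail(
scan_docroots() {
    home_root=${1:-/home}
    for docroot in "$home_root"/*/public_html; do
        [ -d "$docroot" ] || continue

        find "$docroot" -type d -path '*/images/*' -name '*.*' -print |
        while IFS= read -r d; do
            printf 'DOTTED_DIR\t%s\n' "$d"
        done

        find "$docroot" -type f -path '*/images/*' -iname '*.php*' -print |
        while IFS= read -r f; do
            # -E makes "\(" a literal parenthesis. In grep's default basic
            # syntax "\(" opens a group, which is why the session above
            # got "Unmatched ( or \(".
            if grep -Eqi 'mail[[:space:]]*\(' "$f"; then
                printf 'PHP_MAILER\t%s\n' "$f"
            else
                printf 'PHP_IN_IMAGES\t%s\n' "$f"
            fi
        done
    done
}

# Example crontab entry (hypothetical install path); cron mails any output
# to the address in MAILTO:
#   MAILTO=admin@example.org
#   */30 * * * * . /root/scan_docroots.sh && scan_docroots /home
```

It reports rather than deletes, so the files and their timestamps stay available for working out how they were uploaded.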