Critter’s Krib

taglines er fer sissaze

I received an email from Scotia Bank this weekend alerting me to the fact that I had a Phishing page hosted on my server. How much does that suck? I quickly removed the page, then while I was searching around the server looking for how it got there, the damn thing re-appeared. I deleted the bastard again, and quickly found the culprit.

It seems one of the sites on my server had a default password for the admin section of an image gallery. This allowed the bastages to upload a shell script (pictured below) to the server. From this script they were able to upload any files they wanted.

bah

I quickly removed the admin and did a search for *.php files on the server. I only found a couple of others that were obviously suspect: ro.php, sh3ll.php. I am pretty sure I have found them all, but I will be keeping a close eye on the server.

I went back to the URL after a bit, just to make sure the files had not re-appeared, and Firefox popped up a warning about Phishing! It didn’t take long for that URL to get reported. Bastards.. grrrrr.

Bam!!
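The *.php search described in the post can be turned into a repeatable check. The following is an added example, not the author's own script: it flags PHP files that sit inside upload directories or that changed after a cutoff time. The upload directory names, the cutoff and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
import time

# Assumption: directory names that should only ever hold uploaded media.
UPLOAD_DIR_NAMES = {"uploads", "albums"}


def find_suspect_scripts(web_root, modified_since):
    """Return sorted (relative_path, reasons) for PHP files that need review."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        in_upload_dir = any(p.lower() in UPLOAD_DIR_NAMES for p in rel_dir.split(os.sep))
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            reasons = []
            if in_upload_dir:
                reasons.append("script in upload directory")
            # mtime can be backdated, so this is a hint, not proof of a clean file.
            if os.lstat(full).st_mtime >= modified_since:
                reasons.append("modified after cutoff")
            if reasons:
                findings.append((os.path.relpath(full, web_root), reasons))
    return sorted(findings)


def demo():
    """Scan a constructed site tree; every file here is an empty placeholder."""
    now = time.time()
    old, new = now - 90 * 86400, now - 86400
    layout = {
        "index.php": old,                      # untouched site code
        "gallery/index.php": old,              # untouched gallery code
        "gallery/albums/holiday/beach.jpg": new,
        "gallery/albums/holiday/ro.php": old,  # backdated, still in an upload dir
        "gallery/uploads/sh3ll.php": new,
        "news/page.php": new,                  # changed outside any upload dir
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        return find_suspect_scripts(root, modified_since=now - 7 * 86400)


if __name__ == "__main__":
    for rel_path, why in demo():
        print(rel_path, "->", ", ".join(why))
```

Running it on a schedule and comparing against the previous output also catches files that re-appear after deletion.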