Some months before ordered VPS at Ramnode

According to tutorial (ZPanelCP on CentOS 6.4) http://www.zvps.co.uk/zpanelcp/centos-6 Installed CentOS and ZPanel)

Today received email

We are requesting that you secure and investigate the phishing website identified below.
This URL has been identified as a phishing site and is currently involved in identity theft activities.
URL: hxxp://111.11.111.111/www.connet-itunes.fr/iTunesConnect.woasp/ //IP is modified (not real)
This site is being used to display false or spoofed content in an apparent effort to steal personal and financial information. This matter is URGENT.
We believe that individuals are being falsely directed to this page and may be persuaded into divulging personal information to a criminal, if the content is not immediately disabled.

Trying to understand. Some hacker hacked VPS, placed some file (?) with content that redirects to www.connet-itunes.fr/iTunesConnect.woasp?

Then questions

1) how can I find the file? Where it may be located? url is URL: hxxp://111.11.111.111/ IP address, not domain name

2) What to do to protect VPS (with CentOS)? Any tutorial? Where may be security problem?

I mean may be someone faced something similar....