Hi! I wonder how this could happen. Someone delete my index.php files from all my domains and puts his own index.php files with the next message:
Hacked by Z4i0n - Fatal Error - 2009
[Fatal Error Group Br]
Site desfigurado por Z4i0n
Somos: Elemento_pcx - s4r4d0 - Z4i0n - Belive
Gr33tz: W4n73d - M4v3rick - Observing - MLK - l3nd4 - Soul_Fly
2009
My domain has many subdomains, but only the subdomains that can be accessed with an specific user were hacked, the rest weren't affected.
I assumed that someone entered through SSH, because some of these subdomains are empty and Google doesn't know about them. But I checked the access log using the last command, but this didn't show any activity through SSH or FTP the day of the attack neither seven days before.
Does anybody has an idea? I already changed my passwords. What do you recommend me to do?
UPDATE
My website is hosted at Dreamhost. I suppose they have the latest patches installed. But, while I was looking how they entered to my server, I found weird things. In one of my subdomains, there were many scripts for execute commands on the server, upload files, send mass emails and display compromising information. These files had been created since last December!!
I have deleted those files and I'm looking for more malicious files.
Maybe the security hold is an old and forgotten PHP application. This application has a file upload form protected by a password system based on sessions. One of the malicious scripts was in the uploads directory. This doesn't seem like an SQL Injection attack.
Thanks for your help.