my site used for phishing

Status
Not open for further replies.

rh71

Netcraft, which is apparently a security firm, notifies me that my website has been set up as a phishing site against Netflix users (they employ Netcraft). I FTP in to my webhost and see there's a subdirectory www.netflix.com, and within it are PHP files for unsuspecting users to log in to their Netflix accts.

How did they inject that into my site? I have a fairly secure non-dictionary password... do I assume they got my password and that was how it was done?
 

Red Squirrel

Do you have brute force protection like fail2ban? Without brute force protection it's not a matter of if but a matter of when, your password gets guessed. Is SSH running on a default port? Check your logs, you'll be surprised how often SSH is brute forced. By default it has no brute force protection.

I put a Linux box on the internet once with mostly default everything except a user account that had a somewhat basic password (a "keyboard crawl" type). I forgot to install fail2ban; it was hacked in 10 minutes, and by the time I noticed, my machine had already hacked 3 other machines (the bot script was nice enough to leave a log behind). It was kinda neat to see the whole thing happen, actually.

I would change all passwords as it's something fast you can do right now, but look at installing brute force protection, then change passwords again after that.
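
An added example, not part of the original post: one way to do the log check suggested above is to count failed SSH password attempts per source address and flag any login that was accepted after a run of failures. It assumes OpenSSH's usual syslog message format; the sample lines are constructed, and the function name and threshold are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (addresses from documentation ranges).
SAMPLE_LOG = """\
Mar  3 04:11:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 04:11:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 04:11:05 web1 sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Mar  3 04:11:08 web1 sshd[2103]: Failed password for deploy from 203.0.113.7 port 40118 ssh2
Mar  3 04:11:10 web1 sshd[2104]: Accepted password for deploy from 203.0.113.7 port 40120 ssh2
Mar  3 09:30:41 web1 sshd[2390]: Failed password for rh from 198.51.100.20 port 51200 ssh2
Mar  3 09:30:49 web1 sshd[2390]: Accepted password for rh from 198.51.100.20 port 51200 ssh2
Mar  3 09:31:00 web1 CRON[2400]: pam_unix(cron:session): session opened for user root
"""

# Matches both outcomes; "invalid user" appears when the account does not exist.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):
    """Return (noisy, suspicious).

    noisy:      {ip: failure_count} for sources with >= threshold failures
    suspicious: [(ip, user)] logins accepted from a source that had already
                reached the failure threshold (likely a guessed password)
    """
    failures = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd password event
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            suspicious.append((ip, user))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = summarize(SAMPLE_LOG)
    print("sources over threshold:", noisy)
    print("accepted after repeated failures:", suspicious)
```

A single mistyped password followed by a success, like the second source in the sample, stays below the threshold and is not flagged.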
 

Crusty

Machine cannot be trusted anymore. Wipe its drives, restore from CLEAN backups and go on your way.
 

DaveSimmons

The webhost could have missed installing security updates long enough for the shared server to get hacked without them needing your password.
 

RossMAN

My first step would be to contact your web host support unless you're running an unmanaged VPS or barebones web host. You get what you pay for.

Have you installed any scripts on your site such as image hosting, blog, forums, etc.?

YGPM
 