I had 2 sites get hacked. Thankfully neither one gets much traffic. The tool basically just uploaded a new index.html (he was from Turkey and doesn't like the US... or China... or Israel...).
Both of these sites are add-on domains from a third site (but the primary domain didn't get hacked).
I don't really have any scripts running on either of these 2 add-on domains that could be exploited. The one site is all of 5 pages and has a real simple script for a very brief survey (it's a suicide prevention site and it was a little "Do you want to kill yourself" form).
The other was for a plastic surgeon. It has a contact form that emails the results, but that script is basically bulletproof...
So that leaves the main domain... well, here is where things become tricky. One of the guys here is using this Flash/PHP CMS system that is (IMO) probably the source of the break-in.
The bad thing is he is pretty much convinced that the problem is anything and everything else, but his CMS is fine (it is complete crap and uses mod_rewrite to generate pages; in my 10+ years of web coding I have never seen a more backwards-assed CMS, actually).
I checked all of my page and folder permissions and nothing looked out of place... I changed the password and got rid of some old files, but I have the sinking feeling that whatever gave this clown access is still wide open.
So my problem is basically this: how can I convince this guy that the CMS is what the problem is? I think he is worried it was something he did instead of the script itself, PLUS he's been dicking around with it for a good while and he won't want to start over from scratch again (plus he is higher up in the company than me and the bosses will listen to him before me...).
I'm half tempted to say screw it and just wait for another blowup, but I can't do that to a client...
First thing to check: Are you allowing SSH on port 21? If so, change it to some random high number, since that's what most script kiddies attack first.
What's the webserver?