So, one of my less important sites got hacked the other day from 188.8.131.52, possibly via an FTP hack. Having looked into this further, it appears I am not alone, as per the following sites' comments:
And there are probably more! I was lucky enough to spot the hack less than 24 hours after it happened. So you may be asking what the hack was and what they did to my site (or, if you're reading this, what they have done to your site). Well, for a start my .htaccess had been modified with redirects, and in the root of my public_html were 2 directories, one called “wetsuits” and the other called “kawaski”.
Wetsuits – this directory had 530 pages, in total about 20Mb; each link took you to some suspect site that said you had a virus, you know the type I mean. There was also a bravia.php in this folder, similar to the file below.
Kawaski – this had two files, error_log and merge.php, which seems to be some form of script they possibly used to do it. Each of the files in here contains site content that the script has imported.
According to my server logs they got in via FTP with my master password; my host says they got in via a PHP hack on the site. Strange either way, but my host has now blocked this IP from all its servers.