This afternoon I got back and went to my webpage... and found this
http://www.andrewpangborn.com
"Hacked by =inside"
My webserver control panel and ssh and ftp and stuff all seemed intact. The homepage index.htm had been added to the server on Oct 22 around 5pm, and so was the picture.
I started looking at server access logs and found POSTs using a "/prev.php" file, which was dated Sept 25, although I don't remember ever actually putting any file like that on there. It's rather large at around 88KB. I did a "cat" command via ssh and read the comment at the top; it said something brief about being a php file editing/creating/removing file.
There are repeated POSTs in the log regarding that file, as well as index.htm, all from the same IP at about the time those files are dated.
They look kinda like this:
80.70.227.120 - - [22/Oct/2004:17:56:18 -0400] "POST /prev.php HTTP/1.1" 302 123 www.andrewpangborn.com "http://www.andrewpangborn.com/prev.php?c=e&d=%2Fhomepages%2F22%2Fd107367292%2Fhtdocs%2Fandrew%2F&f=index.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" "-"
I don't really know all that much about web security myself... it's hosted by a remote server.
None of the content of the page appears to be changed... the regular homepage which is index.php is intact, as is all the content on the pages. No one really visits that site... so I'm not exactly sure of the motive.
I started updating another site of mine, http://www.morrowindtips.com, which resides inside a subdirectory of the domain that got hacked.
I figure I'll call technical support of the hosting company just to let them know about the incident; any other course of action I should be taking? (or some advice in general)?
Thanks,
Vhockey86
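An added example, not part of the original post: a log-triage sketch that parses access-log lines in the layout quoted above, groups POSTs to PHP scripts by client IP, and decodes the referer query to list which files the script was pointed at. The meaning of the `d` and `f` parameters is inferred from the quoted line, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Field layout copied from the log line in the post: combined log format with
# a vhost column before the referer and one extra quoted field at the end.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'(?P<vhost>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def summarize_posts(lines, suffix=".php"):
    """Group POST requests to server-side scripts by (client IP, script)."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "files": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        script = urlsplit(m["path"]).path
        if not script.endswith(suffix):
            continue
        entry = hits[(m["ip"], script)]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["time"]
        entry["last"] = m["time"]
        # Assumption drawn from the sample line: the referer query carries the
        # directory (d) and file name (f) the script was pointed at.
        query = parse_qs(urlsplit(m["referer"]).query)
        for d in query.get("d", []):
            for f in query.get("f", []):
                entry["files"].add(d.rstrip("/") + "/" + f)
    return dict(hits)

# First line is the one quoted in the post; the other two are constructed.
_UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" "-"'
_REF = ('"http://www.andrewpangborn.com/prev.php?c=e'
        '&d=%2Fhomepages%2F22%2Fd107367292%2Fhtdocs%2Fandrew%2F&f={}"')
SAMPLE = [
    '80.70.227.120 - - [22/Oct/2004:17:56:18 -0400] "POST /prev.php HTTP/1.1" '
    '302 123 www.andrewpangborn.com ' + _REF.format("index.htm") + " " + _UA,
    '80.70.227.120 - - [22/Oct/2004:17:58:02 -0400] "POST /prev.php HTTP/1.1" '
    '302 123 www.andrewpangborn.com ' + _REF.format("example.jpg") + " " + _UA,
    '192.0.2.10 - - [22/Oct/2004:18:01:40 -0400] "GET /index.php HTTP/1.1" '
    '200 5120 www.andrewpangborn.com "-" ' + _UA,
]

if __name__ == "__main__":
    print(summarize_posts(SAMPLE))
```

Run over the full access log, the first timestamp per script shows how far back the activity goes, and the file list shows what else to compare against a known-good copy.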