My Site Got Hacked

So I go away for the Thanksgiving weekend and come home to find out my site has been hacked. The attack consisted of setting up some elaborate phishing attacks for multiple Canadian and US banks. The main damage was done at a site that I maintain for some friends of mine, namely, Will Stroet's site. It is in a subdirectory of this site, set up with a domain pointer. I had ftp access enabled to the willmusic.ca directory ONLY and so I had assumed that the attackers had come in that way, through FTP. Then I noticed 3 files in my drupal modules/month directory. That got be really worried that there is some sort of security hole in Drupal or that my SSH credentials had been compromised in some way, because there is no FTP access to that directory (or at least there shouldn't be).

So far I have changed email passwords for the 2 email addresses set up through my hosting company site5 and changed the FTP password. Next, I am going to change my Drupal passwords and ssh password.

The good news is that I haven't lost any data as far as I know. One file was overwritten but it was easily recovered from an old backup (it was a template file that hadn't changed since the last backup anyways).

Comments

They uploaded a bunch of files that are made to look like a bank's website and then they ask for your personal info. They'll do it on any site, no matter what is on the site. See Phishing at Wikipedia.org.