need help with a website hack

One of my clients had some files put on his site by a third party and I'm looking for suggestions on how to determine what happened. The files were political in nature and it's clear that the hacker had targeted the client for political reasons. I noticed it because his bandwidth usage shot up very quickly yesterday. Links from various message boards were driving traffic to the site.

Ok, here's what I know so far:

1. client is running phpBB 2.0.4
2. client used what appears to be a safe password (random letters and digits). He used the same password for both the hosting account and phpBB.
3. hacker installed files in a directory called 'www': /home/username/public_html/www
4. the files were PHP and image files
5. one of the PHP files included a MySQL login for another client on the server
6. the other client's database contained text being served from index.php in the 'www' directory.
7. it appears that the other client has never logged into his account (no lastlogin date)
8. the other client never changed his original login password
9. the other client requested SSH access but was never given it as he didn't respond to my request for ID
10. the hacked client never had SSH access either

This is on a cPanel 6.0 machine. I've downloaded log files, backed up the relevant accounts, and deleted the files placed by the hacker.

What should I be looking for and in what files?

Thank you.

Scott

 

 

 

 
