Someone uploaded a Paypal phishing page onto my server. I was alerted to this by my ISP and other readers. I couldn't remove the page with FTP. Had to use higher permission. After the page was removed it would come back a few hours later. Everytime we delete it would come back. The file was uploaded to my included folder. I have now completely deleted the included folder hoping that if the folder is not there, it can't write.
We think a script has been install on the server but don't know where to begin looking for it.
