Need help.. Server hacked
My server has a security hole somewhere that I can't find. I run the latest version of Plesk. Basically, someone is setting up fake eBay landing pages on my server. The directory is always .cgi/.eBay and the files are all owned by root (even though I've changed the root password 100 times).
Root can't delete the files and the chattr command is not on the server so I don't think the files could be set to immutable.
The files are always in a virtual host directory. This is the 3rd time.
Any ideas?
Thanks.
CS