A few weeks ago I had a client email me with this message:
Just got this. I haven't made any changes on the site recently, have you?
> Subject: File alarm for My website
> The following files generated alarms:
> ALARM: /home/abc/public_html/404.php was modified: 01/02/2013 01:29:42
> If you did not modify these files - please check for possible hackers on your site.
This alarm came from a script I’d installed on his site a few months ago, which checks for new / modified scripts on the server. After getting his email, I checked out the file, and determined it was indeed a “suspicious” file, and that a hacker had indeed breeched the site.
After removing the file for safety, I contacted the hosting company, who confirmed that the file had been uploaded via ftp. Someone had leaked the ftp password, so we changed it immediately. In all likelihood the password had been given out at some point to a designer / programmer to upload something, and never changed.
So two lessons here:
1. Change your passwords regularly – and especially after you have changed programmers or developers. Also track when you give out passwords and to whom.
2. Monitor your site regularly for suspicious activity – hackers can get in from multiple avenues, sometimes not requiring passwords at all. So check and investigate any changes to your code, and try to determine how it happened.