A backdoor hack on my FTP


#1

DreamHost recently informed me of a hack. I am attempting the steps they outline but am so, so lost. Can someone explain what this SSH is?


"Looking for FTP/SSH Hacks

Since recent FTP/SSH hacks are easiest to spot, start eliminating there. Log into your user via SSH and run the following command: "


#2

Can you elaborate on this part a bit? (it might make it easier for someone to offer advice).


#3

Sure, here is a portion of the email.

During a recent security scan we have identified that one or more of your hosted sites show signs of being compromised as they are hosting known, malicious web-based backdoors. Specifically, the following file(s) have been accessed by intruders and have been associated with unsolicited bulk email, denial of service or other abusive activity:

We have identified the following known backdoors under your account:
/RRRRR/RRRRRR/RRRRRRRR.com/doc.php


#4

First thing to do is delete that file (note that it might have been renamed by the robot that found it).

Was that the only file discovered?


#5

I did. I also found within the root a file called backdoor.something (don't remember the ext.), but have deleted that twice now.


#6

Change all of your passwords. All of 'em.

From SSH/FTP to panel to email. And if you used the FTP password anywhere else, change that too.

Unless you change 'em all, and delete all those files, the little creeps just come back over and over and over again :confused:

If you’re using anything like WordPress or Drupal, make sure you upgrade everything, too.
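
Added example, not part of the thread and not the command from the DreamHost email (which is not quoted above): a read-only check, run over SSH, for the situation in #5 and #6 where deleted backdoor files keep coming back. The function names, the marker pattern and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only triage of a web root after a backdoor report.
# Nothing here deletes or modifies files under the directory being checked.

# recent_php DIR DAYS: PHP files modified within the last DAYS days.
# A file that reappears after deletion shows up here with a fresh mtime.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# suspect_php DIR: PHP files that eval() decoded or decompressed data,
# a construct common in web backdoors and rare in legitimate code.
# This is a heuristic: a clean result does not prove the site is clean.
suspect_php() {
    find "$1" -type f -name '*.php' -exec \
        grep -lE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + | sort
}

# make_sample DIR: build a constructed test tree (not data from the thread).
# The encoded string in the flagged file decodes to a harmless "echo 1;".
make_sample() {
    mkdir -p "$1/site/uploads"
    printf '%s\n' '<?php echo "home"; ?>' > "$1/site/index.php"
    touch -t 202001010000 "$1/site/index.php"   # old, untouched file
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        > "$1/site/uploads/doc.php"
}

# Usage: sh triage.sh /path/to/webroot DAYS
if [ "$#" -ge 2 ]; then
    echo "PHP files changed in the last $2 days:"
    recent_php "$1" "$2"
    echo "PHP files matching backdoor markers:"
    suspect_php "$1"
fi
```

Run it again after changing passwords and deleting the reported files: a new entry in either list means something is still writing to the account.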