I have a site hosted on Dreamhost and it is being repeatedly exploited. The attacker replaces the .htaccess file that redirects anyone who arrives with a search engine referrer to a file named common.php (which they upload) that sends them to scam pharmaceutical sites.
I am not running WordPress, nor do I have any other third party applications running. I've gone through all the incoming requests for the sites and it doesn't look like someone is exploiting one of the files on the site. I've also tried scanning wtmp to see if someone else is logging in as my user, but haven't seen anything.
Anyone else seen something similar? I'm not sure what to do next.