I think I may have been hacked. I ran a scan across my space and discovered the following:
-rw-r–r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/insta2.php
-rw-r–r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/private/insta2.php
-rw-r–r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/plugins/insta2.php
-rw-r–r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/templates/insta2.php
-rw-r–r-- 1 dezcombz pg1577697 1593 2012-02-21 00:08 ./theirtake.com/gallery2/g2data/insta2.php
You can see that these files (all with the same name and filesize) are owned by somebody called ‘dezcombz’, and have a file date in February 2012. I think that’s when the big hacking attack was made on Dreamhost.
They have ‘read/write’ permissions for the owner (‘dezcombz’) and read permissions for other users.
I can’t do anything with those files, because they aren’t owned by the my username . So I can’t remove their permissions or delete them.
Can someone at Dreamhost delete or disable them (remove their permissions), assuming you agree they are probably part of a hacking attempt?
Looking at the code in the file, it looks like it might be pulling something in from another IP address.