I run a number of websites on a shared hosting account. On three separate occasions the sites has been defaced (replacement of the index file) by three different groups.
My questions is, how do I track how the hacker gained access and pinpoint the area of entry, so that I can do something about it?
The sites that are defaced are all accessible using one FTP account - other sites I run that aren’t accessible through that account aren’t defaced. It’s not a password issue since I have changed the FTP password on multiple occasions with no luck.
Also, I found files named “robert_you_suck” (http://sota.gen.nz/compat2/robert_you_suck.c ) on the FTP, which has been uploaded by an unauthorised party.
EDIT: Found more files that have been uploaded. They all originate from a folder where Joomla is installed.
Any advice on where to get started on putting a stop to this is much appreciated.