
Re: CallmeBull post# 68916

Wednesday, 07/17/2013 12:18:53 AM

Be good if some did their homework before assuming all the time...:)

Dear Administrators

Your account was apparently compromised by a remote hacker, probably via your WordPress package, and has been temporarily disabled. When we identify a customer account compromise, we must disable the site until the customer can resolve the problem. This protects all our customers from the potential impacts of the compromise.

Given that anonymous visitors have had unfettered access to your account for an unknown amount of time, you should audit your entire account and home directory for unauthorized files and/or modifications immediately.

You should immediately:
- apply any applicable vendor patches
- audit your Modwest account and delete any other unauthorized files
- change your account and database password
- if you use those passwords elsewhere, change them there too
- audit your code for unauthorized modifications

Specifically, your site was being used as part of a 'phishing' scam, used to trick 'Citibank' customers out of their secure information. This was done via a malicious PHP file, which was uploaded to your account on Jul 5 at 1:13AM (MDT). Additionally, I see a large number of suspicious scripts in the /tmp directory of your account.

Please complete a full audit of your account content, and perform the suggested steps above.

When you tell us that these steps are complete and your account has been secured, we will be happy to re-enable the site.
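The file audit the notice asks for can be sketched as below. This is an added example, not part of the post or of the host's notice. It lists scripts modified at or after the quoted upload time and any scripts sitting in a `tmp` directory; the year 2013 (taken from the post date), the extension list and the function names are assumptions.

```python
import os
from datetime import datetime, timedelta, timezone

# Upload time quoted in the notice: Jul 5, 1:13AM MDT (UTC-6).
# Assumption: the year is taken from the date of the forum post.
MDT = timezone(timedelta(hours=-6))
CUTOFF = datetime(2013, 7, 5, 1, 13, tzinfo=MDT)

# Assumption: extensions and leading bytes treated as "script" for this audit.
SCRIPT_EXTS = {".php", ".phtml", ".pl", ".py", ".sh", ".cgi"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"#!")


def looks_like_script(path):
    """True if the extension or the first bytes suggest script content."""
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(64).lstrip()
    except OSError:
        return False
    return head.startswith(SCRIPT_MARKERS)


def audit(root, cutoff=CUTOFF, tmp_name="tmp"):
    """Return {relative_path: [reasons]} for files that need manual review."""
    findings = {}
    since = cutoff.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_tmp = tmp_name in rel_dir.split(os.sep)
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not looks_like_script(full):
                continue
            reasons = []
            if st.st_mtime >= since:
                reasons.append("script modified at or after cutoff")
            if in_tmp:
                reasons.append("script in tmp directory")
            if reasons:
                findings[os.path.normpath(os.path.join(rel_dir, name))] = reasons
    return findings
```

Modification times can be reset by whoever wrote the file, so an empty result narrows the review but does not replace comparing the code against a known-good copy.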