URGENT: Account Exploit... But How?
05192010 / One Comment / Site-building notes
Today, when I tried to visit my site, I suddenly got a 403. Puzzled, I ssh'd in to see what was going on and found that my web folder had been renamed to iambencn.com_DISABLED_BY_DREAMHOST__COMPROMISED, which puzzled me even more. DH hadn't sent me any notice, so how could they just shut it down like this? I then contacted support, and they sent me this mail.
Hello,

We have received a report of what appears to be a phishing page that has been uploaded to your account. It would appear that phishers have uploaded a phishing site to the following location:
http://www.iambencn.com/global/online.regions/
as well as a backdoor shell here:
http://www.iambencn.com/doc.php

We have deleted the page in question, but would appreciate it if you could go through your account and update any 3rd party scripts under it - particularly those that either include email functionality or interact with the file system in some manner. Old versions of WordPress, PHPBB, etc. are common causes for this sort of thing, as are openly available upload scripts. You should also look to see if any suspicious files can be found that you did not upload yourself.

Helpful information on dealing with exploits can be found here:
http://abuse.dreamhost.com/cracking/#exploits

Note that I've disabled the domain until you can complete the upgrades. Please do not re-enable it until it is secure.

If you have any questions, please let us know.

Thanks!
Robert R
The gist is that I was hacked and a backdoor was installed. My global directory holds the site-wide JS, plus an index.php I put there myself; by rights there should be no security risk in it. Later I looked through the directory and found two files:
- file.php - once decoded, it is a PHP uploader;
- core - a Java VM.
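As an added check that is not part of the original post, here is a small scanner a site owner can run over a web root to surface files like the two above: it flags anything missing from a deploy manifest (the set of paths you know you uploaded), ELF binaries sitting in the web root (such as the `core` file), and PHP files matching common backdoor/uploader signatures. The sample tree it scans is constructed here to mirror the incident (file names only; the contents are inert fixtures), and the signatures are heuristics, not a complete list.

```python
import os
import re
import tempfile

# Heuristic signatures seen in PHP backdoors and drop-in uploaders (not exhaustive).
SIGNATURES = {
    "eval-of-decoded-blob": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "upload-handler": re.compile(rb"move_uploaded_file\s*\("),
    "shell-exec-from-request": re.compile(rb"\b(?:shell_exec|passthru|system|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)"),
}
PHP_EXT = (".php", ".phtml", ".php5", ".inc")
def scan_webroot(root, manifest):
    """Return sorted (relative_path, [reasons]) for files under `root` that are missing from
    `manifest` (paths you know you deployed), are ELF binaries, or match a PHP signature."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # the first MiB is enough for a signature check
            reasons = []
            if rel not in manifest:
                reasons.append("not in deploy manifest")
            if data.startswith(b"\x7fELF"):
                reasons.append("ELF binary in web root")
            if name.lower().endswith(PHP_EXT):
                reasons += [f"php:{tag}" for tag, rx in SIGNATURES.items() if rx.search(data)]
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed web root mirroring the incident: the owner's index.php beside an encoded uploader, a shell and an ELF 'core'."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "global"))
    samples = {
        "global/index.php": b"<?php header('Location: /'); ?>",
        "global/file.php": b"<?php eval(base64_decode('aWYoaXNzZXQ=')); move_uploaded_file($_FILES['f']['tmp_name'], $_GET['d']); ?>",
        "doc.php": b"<?php eval(gzinflate(base64_decode('H4sI'))); ?>",  # inert fixture, decodes to nothing useful
        "core": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_tree(), {"global/index.php"}):
        print(f"{rel}: {', '.join(why)}")
```

On a real account, build the manifest from your own deployment (for example the file list of the release you uploaded) and treat every hit as something to inspect, not as proof of compromise on its own.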
What kind of access would it take to upload files into the root directory? I thought it over carefully:
- I had installed DBManager, but I had installed it before without any problems, and I could not find anyone else reporting problems with it, so I ruled that out;
- A few days ago I downloaded a cracked Transmit 4.0.4 from macidea; I can only say that this is the prime suspect.
But I still haven't figured out what actually happened.
Sigh... when will I ever have the spare cash to buy Transmit? The spirit is willing but the wallet is not, brother moll…
Wrote a post: URGENT: Account Exploit… But How? http://www.iambencn.com/2010/05/19/urgent-account-exploit-but-how/
This comment was originally posted on Twitter