Recently I had some issues with a site I maintain, someone had uploaded two folders and it wasnt me, I contacted my server. Here's what they had to say :
"Thanks for contacting us. Checking the logs and the files, it looks as though this was actually down to the gallery plugin that you had on your site being compromise. There is nothing showing in the FTP logs in relation to these folders being created and uploaded, therefore it would seem that this as said, was down to the script being compromise. I would recommend that you investigate this gallery and ensure that this is running the most up to date version to ensure any security or exploits in this code are resolved.
If you have a known clean backup of the site, I would suggest that this is uploaded to your pacakge, as it could be that once this script has been hacked and tampered with, slight changes would have been made to leave this open for possible returns. You might be better to remove and re-install this script and gallery in regards to ensuring the files."
Obviously this is super concerning. And a real shame as this is by far and away my favorite thing about GetSimple.
Update! Think I upset the guy at the host, but they sent me the log hope it helps :
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:33 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:58 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
These guys are being dicks.
"Thanks for contacting us. Checking the logs and the files, it looks as though this was actually down to the gallery plugin that you had on your site being compromise. There is nothing showing in the FTP logs in relation to these folders being created and uploaded, therefore it would seem that this as said, was down to the script being compromise. I would recommend that you investigate this gallery and ensure that this is running the most up to date version to ensure any security or exploits in this code are resolved.
If you have a known clean backup of the site, I would suggest that this is uploaded to your pacakge, as it could be that once this script has been hacked and tampered with, slight changes would have been made to leave this open for possible returns. You might be better to remove and re-install this script and gallery in regards to ensuring the files."
Obviously this is super concerning. And a real shame as this is by far and away my favorite thing about GetSimple.
Update! Think I upset the guy at the host, but they sent me the log hope it helps :
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:33 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
rcosstickphoto.com-access_log.7.gz:rcosstickphoto.com 207.255.175.25 - - [05/Mar/2012:20:49:58 +0000] "GET /it/nc-peace-sign-free-needlepoint/ HTTP/1.1" 200 809 "http://www.google.com/imgres?q=perler+bead+peace+patterns&start=179&um=1&hl=en&biw=1600&bih=666&addh=36&tbm=isch&tbnid= hH5RVBXilR1U1M:&imgrefurl=http://rcosstickphoto.com/it/nc-peace-sign-free-needlepoint/&docid=l2YHtCH1gM0w6M&imgurl=http:/ /0.tqn.com/d/crossstitch/1/0/b/q/-/-/peacesign.jpg&w=972&h=999&ei=oyZVT9aWMYGx0AHG5rz_Dw&zoom=1&iact=rc&dur=78&sig=115058 349598720292892&page=7&tbnh=146&tbnw=142&ndsp=31&ved=1t:429,r:20,s:179&tx=198&ty=-3" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SearchToolbar 1.2; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbGAM1/5.12.2.16749)"
These guys are being dicks.
djr.heliohost.org/me