Well, I feel stupid.
I was notified today that marilac.malcolmhardie.com (i.e. this server) was apparently hosting PayPal login spoof web pages. Somebody managed to crack one of the user accounts on the system and place a few files in the public_html directory.
Fortunately the pages were only there for a few hours, but it shows how important it is to check the logs regularly.
This is really unfortunate, although at least at the moment it doesn’t look as if the cracker got root access.
What is particularly annoying is that, as far as I can see, I have all of my software patched to the latest versions.
I spent much of the afternoon checking the server to ensure that nothing else has been compromised. It may be necessary (or advisable) for me to wipe the whole machine and reinstall.
It does explain the previous email though. I just wish that I had understood what was happening earlier.