Hi, I have this particular server managed by one of the very popular and well known server management companies (I will not mention the particular one, because ruining their reputation is not my goal), and this server has had all of the index pages overwritten by a hacker (or whatever you'd like to call him/her) twice in the last week... Both times it appears to be through files in the /tmp directory... After it had happened the first time, I had the management company make sure the kernel was up to date (they successfully updated it for me) and I had them do their full security procedure (APF installation, BFD installation, optimization/hardening of conf files, etc.) and it still happened... What are some things I could do to further prevent this?
To understand how to defend something, you need to understand how it was done.
If you ask the server management company 'how it was done' and they can give a reasonable explanation, or you can work it out for yourself, you will be in a better position to judge for yourself.
If you can't get a good answer from the present company, then I'd obtain as much info about this particular hack as you can and then ask others (and other server management people) for their take. I'm sure there are folks that can lead you in the right direction, given the right information.
You're probably running PHP without phpsuexec. There are malicious scripts that find all writable files on the server and inject content into them, like iframe hacks for visitors, and create new .htaccess files. Fun times.
If you're lucky, all the pages that have injected code like iframes used the same string. I've got a script that can mass find and remove the injection string; if you need it, just let me know. But this attack may be different, I'm not sure. Thanks for the feedback.
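A defensive scan-and-clean script of the kind the last post describes, added here as an example (it is not the poster's script): it walks a web root for HTML/PHP files containing a hidden-iframe injection, reports them, and strips the injection while keeping a backup copy. The sample site, the injection string and the `example.invalid` domain are constructed placeholders, not real indicators.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Matches an iframe whose width or height is forced to 0, the usual shape of
# a "hidden iframe" injection. Tighten this to the exact string found on a
# real server; a broad pattern risks stripping legitimate markup.
INJECTION_PATTERN = re.compile(
    r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0[\"']?[^>]*>.*?</iframe>",
    re.IGNORECASE | re.DOTALL,
)
SCAN_SUFFIXES = {".html", ".htm", ".php"}

def find_injected(webroot):
    """Return {path: match_count} for files under webroot that carry the injection."""
    hits = {}
    for path in Path(webroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        n = len(INJECTION_PATTERN.findall(text))
        if n:
            hits[str(path)] = n
    return hits

def clean_file(path, backup_suffix=".bak"):
    """Remove the injection from one file, keeping a .bak copy. Returns count removed."""
    path = Path(path)
    cleaned, n = INJECTION_PATTERN.subn("", path.read_text(errors="replace"))
    if n:
        shutil.copy2(path, str(path) + backup_suffix)  # evidence for later analysis
        path.write_text(cleaned)
    return n

# Constructed sample injection (placeholder domain, not a real indicator).
INJECTED = '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'

def demo():
    """Build a constructed site in a temp dir, then scan, clean and rescan it."""
    root = tempfile.mkdtemp()
    page = "<html><body><h1>Welcome</h1></body></html>\n"
    Path(root, "index.html").write_text(page.replace("</body>", INJECTED + "</body>"))
    Path(root, "about.html").write_text(page)  # untouched page
    Path(root, "blog").mkdir()
    Path(root, "blog", "index.php").write_text("<?php echo 'hi'; ?>\n" + INJECTED)
    before = find_injected(root)
    removed = sum(clean_file(p) for p in before)
    return len(before), removed, len(find_injected(root))
```

Run `demo()` to see the flow on the constructed site; on a real server, point `find_injected` at the web root first and review the report before cleaning anything.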