
Some months ago I ordered a VPS at Ramnode.

According to the tutorial (ZPanelCP on CentOS 6.4) http://www.zvps.co.uk/zpanelcp/centos-6 I installed CentOS and ZPanel.

Today I received this email:

We are requesting that you secure and investigate the phishing website identified below.
This URL has been identified as a phishing site and is currently involved in identity theft activities.
URL: hxxp://111.11.111.111/www.connet-itunes.fr/iTunesConnect.woasp/ //IP is modified (not real)
This site is being used to display false or spoofed content in an apparent effort to steal personal and financial information. This matter is URGENT.
We believe that individuals are being falsely directed to this page and may be persuaded into divulging personal information to a criminal, if the content is not immediately disabled.

Trying to understand: some hacker hacked the VPS and placed some file (?) with content that redirects to www.connet-itunes.fr/iTunesConnect.woasp?

Then my questions:

1) How can I find the file? Where might it be located? The URL is hxxp://111.11.111.111/, an IP address, not a domain name.

2) What to do to protect the VPS (with CentOS)? Any tutorial? Where might the security problem be?

I mean, maybe someone has faced something similar....

Just want to note that the directory/folder www.connet-itunes.fr was placed in etc\zpanel\panel and not in the directory of my websites.

Andris

1 Answer


Some hacker hacked VPS, placed some file (?) with content that redirects to www.connet-itunes.fr/iTunesConnect.woasp?

No, assuming 111.11.111.111 is your server, someone has managed to put some files on your server that are accessed using the /www.connet-itunes.fr/iTunesConnect.woasp/ path. It doesn't redirect to www.connet-itunes.fr, it's just supposed to make the user think they are on that website. Usually they send out official-looking emails (phishing) that supposedly contain a link to a real website. That link actually goes to a fake website hosted on some hacked webserver (i.e. yours). The website looks like the official website and will ask them to provide some sensitive information (which will be sent to the hackers).

how can I find the file? Where it may be located? url is URL: hxxp://111.11.111.111/ IP address, not domain name

This should be fairly easy. For a start you could just search your server for 'itunes', which, if they've actually created a directory called www.connet-itunes.fr, will find it. Alternatively, your IP address should just go to the default website on your server. So wherever the local path for your default website is, look there. Also check for hacked .htaccess files as they may have used rewrite rules to try and disguise their files slightly.

2) What to do to protect VPS (with CentOS)? Any tutorial? Where may be security problem?

In most cases it's a hacked web application. Old versions of popular programs like Joomla & WordPress are the favorite targets. A quick (certainly not complete) list of things to check would be:

  • Make sure all 3rd party applications are up to date
  • If you developed your own website, try to make sure there are no holes that could allow users to upload content they shouldn't, to places they shouldn't
  • Firewall any ports you don't need access from the global Internet (SSH, FTP, etc)
  • Make sure all your passwords are secure if you do provide access such as FTP from the Internet
  • In general, try to limit access to more 'dangerous' facilities (database management, administration consoles) to just the hosts that need to be able to access those features, if possible.
USD Matt
  • Thanks for the answer. The VPS hosting provider replied that it was because of ZPanel (as it is insecure). Regarding applications... no CMS at all. I wrote everything myself and the code is very simple. No upload... OK, need to learn – Andris Oct 22 '13 at 09:06
  • Now in the logs I found this: [Tue Oct 15 02:47:36 2013] [error] [client 64.90.164.110] File does not exist: /var/zpanel/hostdata/zadmin/public_html/mydomain_lv/www.connet-itunes.fr, referer: http://www.mydomain.lv/www.connet-itunes.fr/iTunesConnect.woasp/ OK, I understand that I need to check `/var/zpanel/hostdata/zadmin/public_html/`. But where is the security hole? I'm not able to detect it from this log? – Andris Oct 22 '13 at 09:15
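As an added example (not code from the question or the answer), the checks Matt suggests as small bash helpers: search the docroot for names mimicking the brand, find .htaccess files carrying rewrite directives, list recently changed files, and count requests for the reported path in the Apache log Andris posted. The docroot layout under /var/zpanel/hostdata/zadmin/public_html/ is taken from that log entry; the sample directory tree and log file are constructed.

```shell
#!/usr/bin/env bash
# Post-incident triage helpers for a web docroot reported as hosting phishing
# content. Added example; docroot path and log format are assumptions.

# 1. Paths whose name mimics a brand (the report mentioned 'itunes').
find_lookalike_paths() {
  local docroot="$1" keyword="$2"
  find "$docroot" -iname "*${keyword}*" 2>/dev/null | sort
}

# 2. .htaccess files carrying rewrite/redirect directives, which attackers use
#    to hide the real location of their files.
find_rewrite_htaccess() {
  local docroot="$1"
  find "$docroot" -name .htaccess -type f \
    -exec grep -liE 'Rewrite(Engine|Cond|Rule)|^ *Redirect' {} + 2>/dev/null | sort
}

# 3. Files changed within the last N days (uploaded kits are usually recent).
find_recent_files() {
  local docroot="$1" days="$2"
  find "$docroot" -type f -mtime -"$days" 2>/dev/null | sort
}

# 4. How often the reported path appears in an Apache access/error log.
count_log_hits() {
  local logfile="$1" needle="$2"
  grep -c -F -- "$needle" "$logfile" || true
}

# Constructed sample docroot mirroring the layout seen in the question's log
# (/var/zpanel/hostdata/zadmin/public_html/<site>/), built under a temp dir.
make_sample_docroot() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/mydomain_lv/www.connet-itunes.fr/iTunesConnect.woasp" "$root/mydomain_lv/img"
  printf '<html><body>sample placeholder</body></html>\n' \
    > "$root/mydomain_lv/www.connet-itunes.fr/iTunesConnect.woasp/index.php"
  printf 'RewriteEngine On\n' > "$root/mydomain_lv/www.connet-itunes.fr/.htaccess"
  printf '<html>legit</html>\n' > "$root/mydomain_lv/index.html"
  printf '%s\n' \
    '[Tue Oct 15 02:47:36 2013] [error] [client 64.90.164.110] File does not exist: /var/zpanel/hostdata/zadmin/public_html/mydomain_lv/www.connet-itunes.fr, referer: http://www.mydomain.lv/www.connet-itunes.fr/iTunesConnect.woasp/' \
    '[Tue Oct 15 02:48:01 2013] [error] [client 64.90.164.110] File does not exist: /var/zpanel/hostdata/zadmin/public_html/mydomain_lv/favicon.ico' \
    > "$root/error_log"
  echo "$root"
}
```

On the real server, run the first three helpers against /var/zpanel/hostdata/zadmin/public_html/ and the default site's docroot, then cross-check any hit against the web server logs before removing it.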