-1

I have noticed that a new folder was added to our website and it was used for phishing from our site. I think it was added a few days ago. The added page is showing "Reported Web Forgery!". I have removed that folder, with difficulty because of permissions.

Now, what should I do? How can I check how it was hacked?

Thanks

2 Answers

3

You should not try to fix it and should start again from scratch, as that is the only way to be sure there is nothing else hidden away which you are not aware of. There is an amazing post already here on SF, "How do I deal with a compromised server?", which gives some brilliant advice.

bhttoan
  • 650
0

The first thing you should do is to change passwords, and check for newly created accounts. Technically you should treat the whole system as compromised until you do a full wipe and re-install. Even backing up is risky after a break-in, as you could back up tainted files, but that's a trade-off, as always.

Are you hosting the site yourself? If not, your best approach would be to notify your hosting provider. Hopefully they have logs of activity, or can access yours. They're also in the best place to surmount your permissions issues.

If you are, your logs are usually somewhere like /var/log/; depending on what you were running on the server, different services were likely compromised. /var/log/auth.log is a good place to start.

You mention deleting folders. Deleting information isn't the best way to find out what happened, as there could be clues in the files left behind. You should certainly move them, as your server could be being used for nefarious purposes at the moment.

Samizdis
  • 103
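
A first pass over /var/log/auth.log for the checks the answer above mentions (newly created accounts, password changes, logins), as an added example that is not part of the original answer. The log lines are constructed samples in the common Debian/Ubuntu sshd/useradd/passwd layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges), not taken from the original post.
SAMPLE_AUTH_LOG = """\
Mar 10 02:13:50 web1 sshd[2209]: Failed password for deploy from 203.0.113.45 port 51200 ssh2
Mar 10 02:13:55 web1 sshd[2209]: Failed password for deploy from 203.0.113.45 port 51200 ssh2
Mar 10 02:14:07 web1 sshd[2211]: Accepted password for deploy from 203.0.113.45 port 51234 ssh2
Mar 10 02:15:31 web1 useradd[2290]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Mar 10 02:16:02 web1 passwd[2301]: pam_unix(passwd:chauthtok): password changed for svc_backup
Mar 10 09:01:12 web1 sshd[3120]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2: RSA SHA256:EXAMPLE
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ "  # syslog timestamp and hostname
PATTERNS = {
    "login_ok": re.compile(PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"),
    "login_failed": re.compile(PREFIX + r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    "account_created": re.compile(PREFIX + r"useradd\[\d+\]: new user: name=(?P<user>[^,\s]+)"),
    "password_changed": re.compile(PREFIX + r"passwd\[\d+\]: .*password changed for (?P<user>\S+)"),
}

def triage(text):
    """Return one dict per recognised auth.log line, in log order."""
    events = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def logins_after_failures(events):
    """Successful logins from an IP that had failed attempts earlier in the log."""
    failed, hits = Counter(), []
    for e in events:
        if e["kind"] == "login_failed":
            failed[e["ip"]] += 1
        elif e["kind"] == "login_ok" and failed[e["ip"]]:
            hits.append((e["ts"], e["user"], e["ip"], failed[e["ip"]]))
    return hits

if __name__ == "__main__":
    for e in triage(SAMPLE_AUTH_LOG):
        print(e)
    print(logins_after_failures(triage(SAMPLE_AUTH_LOG)))
```

To run it against a real log, pass the file's contents to `triage()` in place of the sample, working on a copy taken from the server rather than the live file.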