Finding vulnerabilities in code?

Mattachoo

My brother works for a company as a graphic designer. A few years ago, I helped him out with the website by doing the PHP for it so he could add new information dynamically using PHP instead of uploading a new HTML file via FTP (The site gets updated almost every day).

He got an email today from the host that a phishing site had been installed on the server. The page looked like a legit log-in screen for a bank, but it stole you information instead. He now needs to go back through and look at the code on the site to find the vulnerability that allowed this malicious user to place this malicious code on the site in the first place.

Now I made this site a while ago, and didn't know anything about security much then and don't know too much about it now either. So my question to you guys is, what should I look for? Where might this vulnerability be? Would it be only when I submit forms, or when a form has someone upload information from their harddrive to the server? What might these people have been able to exploit?

Keep in mind the malicious user was able to create a whole directory and upload these scripts to that directory. Any help pointing me in the right direction would be helpful. What to look for, how someone might do this, etc.

Thanks for the help.

laserlight

Well... maybe since FTP was used instead of SFTP, an attacker intercepted the login credentials and thereby gained access to upload to the server. In such a case, no amount of security fixes to the website itself will solve anything. If this is the case, the safest option would be to change the password, wipe the account clean and start from the most recent untainted backup, this time using SFTP instead of FTP.