>Since my file has never been hacked - as far as I now

now you know ;)

The most common attacks are via some buggy script on your site or via the server your site is hosted on (if it's a shared server). Quite a few hosting companys run unsecure php-configurations that allow local attackers to put files and, thus, code into your directory.

To prevent: check where it came from. was it a buggy script on your site? was it a local attack on the server? If you're on a dedicated server, chances are the whole system is taken over, in that case: backup your stuff and have someone reinstall the server from crash. then, carefully add your stuff again, checking that you don't just put "infected" code back up.
You can always get yourself a programmer to analyze the problem and audit your scripts. And you might want to look into switching hosts if it turns out to be a security problem at your provider...

janharder,

thanks for your answer

It is my server hosted at [snip]

it seems the directory was installed yesterday inside another directory, so may be it is someone that knows the site more than a server problem, may be someone that worked on it.

it was installed inside a directory

[edited by: phranque at 6:52 am (utc) on Mar. 13, 2009]
[edit reason] hosting specifics [/edit]

You say the spam directory was installed inside another directory...what was that other directory holding?

My guess is that the new directory was placed in the same directory that held whatever vulnerable script it was that they exploited.

matthew,
the directory didn't contain any script but only other directories containing images files and one htm file each.

Do you have access to raw apache log files? How about ftp transfer logs? Those would be my first choices, look through them around the time the files were created. If you cannot access them, ask your provider - they should be interested in working with you on this, it might well be a problem on their server.

what do you mean "someone who worked on it"? do other people work on the site besides yourself? have you checked with all of them, maybe someone transfered the wrong directory. do you trust all of them?

The first thing you should do is change ALL passwords, then investigate.

Agree with wheelie34, lock it down and disable the email function, since that's spamming right now, until you resolve this.

Change your login password as well as your database password immediately, you may need to update the config file with the new information afterwards.

The hardest part will be finding the weakness, update everything the site uses to the latest version for starters.

this thread may have some useful information for you:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]

thanks all for the great advice