Something very strange just happened on my server. This server is running ISPConfig 3.0.3. This server has been running for quite some time already. I just created a new website and FTP access. Around a couple of hours later, I checked the website and found strange files in the root folder of the web. E.g., in /var/www/sites/web55/ a file called newstand.tgz and a folder called newstand. In that folder I think it is Drupal software, but then I removed it. I then moved newstand.tgz into the web folder, thinking it was uploaded wrongly by the web team. However, upon asking, nobody uploaded the files. Someone pointed out that the newstand.tgz file is actually Joomla software files. I checked and it is Joomla. So maybe the folder that I removed is Joomla or Drupal. Not sure, because I already removed the folder. Also, the FTP user I created has its home directory in /var/www/sites/web55/web, which I specified, because I was afraid the web team would upload the files into the wrong place. Could it be possible that the server is compromised? I have checked the FTP logs and system logs but nothing was found. Does anyone have any suggestions?
Does not look as if this is related to ISPConfig 3. Does the site contain a Drupal CMS system? If yes, make sure that it is the latest version of Drupal and that no vulnerable addons are installed.
Sorry... false alarm. Found out it was someone from out of office who did that with our root password. Dang!! Scared the mess out of me. Sorry for the false alarm. Till, please close this thread or delete it if you want.