My website was used by a freak hacker as a phishing site! What can I do?
Solution 1:
If the hacker has managed to upload code to run, he probably has comprimised the server rather than the app. (this is just an initial hunch - he could have comprimised your server because of your app...)
Some basic pointers and things to do:
First off, change your passwords - All of them - Control panel, ftp users etc. Pick strong passwords that will be less vulnerable to dictionary / rainbow attacks. (use non alpha numeric characters, upper & lower case etc)
Check that no other users have been set up on the domain - if they have remove them immediately.
Pull all your code from the site and restore it from a fresh backup that you know is safe. Redeploy from your private source control if possible.
Ask your host to check that all security patches and updates have been deployed to your server.
Finally - time for a code review - need to check for SQL injections, XSS attacks, XSRF Attacks.
Solution 2:
If you use phpBB or Joomla or something like that, you always must have the latest version installed.