One of my customers has his website hosted on a Windows server (hosting company), and they got hacked by Jablay Crew (massmailer).
The Jablay Crew team was able to upload 3 files, one of which contains a mass-mailing script. The website doesn't have any forms, no DB and no upload script. So I'm wondering how they uploaded files to the website directory?
Is this a server security hole, or did the crew just brute-force the FTP username and password?
Any suggestion or solution to fix the problem is welcome.