That’s how I initially got alerted to the problem. Paypal contacted my ISP and they contacted me. It makes me very angry and I’d love for this guy to get caught, but the ISP said they see this happen more often that you would think and they don’t have a good way to track these guys down.
BTW I’m checking my logs in case I find something. Thanks for the comments so far!
I’m running WP on my own computer.
The main reason I’m posting here is because both times I got hit the fake paypal site was created as a directory under the wp-admin directory. Why would my scammer put his scam site within that directory unless that was the only one he could put it in? That’s why I’m concerned that some php file within wp-admin is allowing arbitrary code to be executed.
Is my logic sound?
This time I made the whole wp-admin directory not-writable by anybody. I’ve also changed all my passwords (WP, root, etc.). We’ll see what happens 🙁
