Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
    Forum: Fixing WordPress
    In reply to: Invalid RSS

    @ghettocottage I had the same problem simultaneously on 3 dedicated servers, with different providers.

    Maybe someone in your hosting company who has a superuser account with full FTP access to users' folders has been infected.

    Our files were modified over FTP; I saw it in the FTP server logs.

    Forum: Fixing WordPress
    In reply to: Invalid RSS

    I have thought about that too. FileZilla stores passwords in plain text, so it is possible.

    Look at: c:\Users\<your user>\AppData\Roaming\FileZilla\sitemanager.xml

    A simple XML file with easily readable passwords.

    Forum: Fixing WordPress
    In reply to: Invalid RSS

    The files were modified over FTP; I checked our servers' FTP logs. All of them, only index files, were accessed by the same IP, located in the Republic of Moldova. That IP could be the attacker's or a zombie infected PC controlled from another country.

    The moment one of those index files is visited, they upload a randomly named PHP file (bush.php, thai.php, nba.php) with the viral payload to the same location.

    Our theory is that we have a local Windows trojan that is catching our FTP passwords. Some of the PCs have been formatted today by paranoid teammates. We have to check 3 more Windows PCs that are away from the office; they are offline until we can have them on Tuesday. We haven't found the trojan, but it may have been on one of the formatted PCs or on the other 3 that we have to check.

    I advise you to stop serving the sites until they are cleaned, and at least change all of your FTP passwords; check your DB passwords too if you have any local MySQL client. Our software with FTP access was Total Commander, FileZilla and PSPad; for MySQL it was HeidiSQL.

    If you have SSH access I can provide you with some commands to do a fast search, clean the index files and delete the uploaded PHP files.
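A defender-side triage script for the pattern this reply describes (index files overwritten over FTP, then randomly named .php files dropped beside them, all from one client IP inside a fixed time window). This is an added example, not the poster's commands or anything from the thread: the log line format, the sample log lines, the IP addresses and the account names are all constructed for the example, and the `triage`, `suspicious_uploads`, `group_by_ip` and `accounts_used` helpers are hypothetical names chosen here.

```python
"""Triage helper for the FTP-upload pattern described in the reply above.

Assumptions (constructed for this example, not taken from the thread):
  - each log line is "<ISO timestamp> <client_ip> <ftp_user> <STOR|RETR|DELE> <path>"
  - an "index file" is index.php, index.html or index.htm in any directory
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2011-04-27T16:40:12 203.0.113.10 webuser RETR /site1/wp-content/themes/x/style.css
2011-04-27T17:05:31 198.51.100.77 webuser RETR /site1/index.php
2011-04-27T17:05:33 198.51.100.77 webuser STOR /site1/index.php
2011-04-27T17:05:40 198.51.100.77 webuser STOR /site1/bush.php
2011-04-27T18:12:03 198.51.100.77 shopuser STOR /shop/index.php
2011-04-27T18:12:09 198.51.100.77 shopuser STOR /shop/nba.php
2011-04-27T19:30:00 203.0.113.10 webuser STOR /site1/wp-content/uploads/logo.png
2011-04-27T22:15:00 203.0.113.10 webuser STOR /site1/index.php
"""

INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, op, path = line.split(None, 4)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "op": op, "path": path})
    return events


def suspicious_uploads(events, start_iso, end_iso):
    """Return (event, reason) for every STOR inside the window that either
    overwrites an index file or drops a .php file, the two signs in the thread."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = []
    for ev in events:
        if ev["op"] != "STOR" or not (start <= ev["ts"] <= end):
            continue
        name = ev["path"].rsplit("/", 1)[-1].lower()
        if name in INDEX_NAMES:
            hits.append((ev, "index file overwritten"))
        elif name.endswith(".php"):
            hits.append((ev, "php file uploaded"))
    return hits


def group_by_ip(hits):
    """Map client IP -> list of (path, reason). One IP writing through several
    accounts and sites is the stolen-credentials signature the poster describes."""
    by_ip = defaultdict(list)
    for ev, reason in hits:
        by_ip[ev["ip"]].append((ev["path"], reason))
    return dict(by_ip)


def accounts_used(hits):
    """Distinct FTP accounts behind the suspicious uploads; each of these
    passwords needs rotating once the uploading workstations are cleaned."""
    return sorted({ev["user"] for ev, _ in hits})


def triage(text, start_iso, end_iso):
    """Run the whole check over a log text and a time window."""
    hits = suspicious_uploads(parse_log(text), start_iso, end_iso)
    return {"by_ip": group_by_ip(hits), "accounts": accounts_used(hits)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "2011-04-27T17:00:00", "2011-04-27T21:00:00")
    for ip, items in report["by_ip"].items():
        print(ip)
        for path, reason in items:
            print("   ", reason, path)
    print("accounts to rotate:", ", ".join(report["accounts"]))
```

On the constructed sample the report lists only one client IP, with two index overwrites and two PHP drops across two different FTP accounts; the legitimate PNG upload and the out-of-window index write are ignored. With a real server the line parser is the only part that needs adapting to the FTP daemon's transfer-log format.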

    Forum: Fixing WordPress
    In reply to: Invalid RSS

    I have the same infection on 3 dedicated servers, all of them infected between 17:00 and 21:00 on 27/04/2011. One of them had a freshly installed WordPress without any plugin in it. The other two dedicated servers, at different providers, are infected too; one of them only had a PrestaShop site installed, but protected by a password because we were testing it.

    I think this must be an infection on one of our team's computers; the third server is fully unconnected from the other 2 and has no public access, and its index is infected.
