Having a bit of trouble at the moment with a virus which keeps on embedding itself into a few sites I manage. First happened a month or two ago when 3 separate sites, on 2 different servers, each with different FTP details got hacked. Basically a malicious script was inserted to the bottom of all files called index, header, or main. When someone loaded the infected site the script generated an iFrame which then seemed to connect to some weird .in site and IE notified me of a trojan on the site. In addition if you tried to login to the WordPress backend you just got stuck in a redirect loop and couldn't access anything.

Anyway, I cleaned it off the 3 sites and updated the security and everything - assuming it was a WordPress vulnerability that had been compromised. All was well until Monday when I discovered that once again 3 sites had been infected (2 were the same sites that were infected last time), again on 2 different servers with different access details. One of the sites I had actually taken WordPress off completely which suggests it may not be a WordPress specific attack... although so far it has only affected sites that either are, or used to be WordPress so I am not sure.

Anyway, it got me thinking that perhaps I had a virus on my PC which could be controlled externally to reinfect on demand without me knowing a thing about it. Some further reading, specifically on botnets and rootkits, suggests this is very likely to be the case and I have a Trojan on my PC that is taking FTP details every time I connect to my sites via FTP and then at the owner's demand infecting the files on my server.

Problem is, I have done several virus and malware scans and have not found anything yet. I have even followed a detailed procedure suggested by Major Geeks and still nothing. The scanners I have used are: McAfee, Avast!, Super Anti Spyware, Malware Bytes, MGTools, Ad-Aware, GMER.

It seems whatever it is is very good at hiding and I perhaps need to know exactly where to find it to do anything about it. Obviously it's worrying because not only can these people infect my sites at any time (which could potentially lead to Google bans) but they also have all the details they need to access my sites and do whatever they want to them! I have updated passwords but obviously if I have a trojan then the next time I need to update my site the Trojan gets the new password so it is only a very temporary fix.

Anyone heard or experienced this before? Any help would be massively appreciated!

Hello, when your sites got infected, did you find out what the trojan (iframe virus) was? You could scan your home directory with clamscan. You can install a login failure daemon on your server, so the next time someone tries to brute force any FTP accounts on your server, they will be automatically blocked. Also check that file and directory permissions are correct.
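
A triage sketch for the checks discussed in this thread, added here as an example and not posted by either participant: it walks a web root, flags world-writable files, and flags files named index, header or main whose last few kilobytes contain iframe or script-injection markers. The regex patterns and the 4 KB tail size are assumptions, not signatures of the malware in question.

```python
import os
import re
import stat

# Names the first post says were targeted: files called index, header or main.
TARGET_STEMS = {"index", "header", "main"}
# Heuristics (assumptions, not signatures from the thread): an iframe tag, or
# script that writes markup or decodes an obfuscated payload.
SUSPICIOUS = re.compile(
    rb"<iframe\b|document\.write\s*\(|unescape\s*\(|eval\s*\(|fromCharCode",
    re.IGNORECASE,
)
TAIL_BYTES = 4096  # the script was appended to the bottom of each file


def scan_webroot(root):
    """Return sorted (path, reason) findings for regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, devices
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if os.path.splitext(name)[0].lower() not in TARGET_STEMS:
                continue
            with open(path, "rb") as fh:
                fh.seek(max(0, os.path.getsize(path) - TAIL_BYTES))
                tail = fh.read()
            # Markup after the closing </html> tag is the strongest signal.
            end = tail.lower().rfind(b"</html>")
            after = tail[end + 7:] if end != -1 else b""
            if SUSPICIOUS.search(after):
                findings.append((path, "script/iframe after </html>"))
            elif SUSPICIOUS.search(tail):
                findings.append((path, "suspicious pattern in file tail"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, reason in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

A "suspicious pattern in file tail" hit only means the file deserves a manual look or a comparison against a known-good copy, since legitimate templates can contain the same constructs.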