Hello Steffan,
Just to let you know one of our customers had like 10 sites on one of
our servers, and all his sites were attacked by some 3rd party that only
wanted to post malware on the Index files, and we traced it down to this:
http://www.bitdefender.com/VIRUS-1000383-en--Trojan.PWS.Tupai.A.html
The customer had this virus that affects IE running on his computer and
the passwords were being stolen from his FileZilla app (the virus also
steals from a lot more different FTP clients and then it submits that
info to a zombie distributed network that uses that data in order to
connect to the target sites and perform some changes that will allow
either direct or indirect manipulation of the site's contents).
The attacks were constant (like 1 access every 2 seconds) and from
different IPs all the time.
We blocked the initial hammering by only allowing FTP access from our
national Internet providers' IP ranges.
But we discovered that some infected PCs, part of that zombie
distributed network, were also in our country, so a few logins would slip.
We found it very odd that only this customer's sites were being attacked
and that even though we changed passwords it kept happening again.
Eventually we heard about the virus and we managed to get a removal tool
for the customer and alas, that was it...
I hope this helps you out. If there's anything else, I would love to hear a
reply if you manage to track it down.
Cheers!
Gustavo
Steffan wrote:
> Hello,
>
> I have a client with sites on 3 different servers.
> Now several sites were hacked.
> One person or script uploaded a .htaccess and a random PHP file in every
> directory.
>
> The client had random passwords.
> His FTP program has 50+ FTP sites on it,
> but the only sites that are hacked are sites on my servers.
>
> It was normal FTP logins, but could there be anything I can check on the
> servers to see if the problem is here?
>
> Thanks
>
> Steffan
>
>
>
>
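
A server-side check for the pattern described in this thread (valid FTP logins for one account arriving from many different IPs within seconds), as an added example that is not part of either message. The log line format, the sample lines and the function name are constructed assumptions; adapt the regex to your FTP daemon's log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real FTP daemon's format).
LINE_RE = re.compile(r"^(\S+) LOGIN_OK user=(\S+) ip=(\S+)$")

def flag_accounts(lines, window=timedelta(minutes=1), min_ips=3):
    """Return {user: most distinct source IPs seen inside any window}
    for users that reach min_ips. Lines must be time-ordered per user."""
    recent = defaultdict(deque)   # user -> (time, ip) pairs still in the window
    worst = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip anything that is not a successful login
        ts = datetime.fromisoformat(m.group(1))
        user, ip = m.group(2), m.group(3)
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop logins older than the window
        distinct = len({addr for _, addr in q})
        if distinct >= min_ips:
            worst[user] = max(worst.get(user, 0), distinct)
    return worst

# Constructed sample: client1 shows the stolen-credential pattern,
# client2 is a normal user logging in twice from the same address.
SAMPLE = """\
2009-06-01T10:00:00 LOGIN_OK user=client1 ip=198.51.100.7
2009-06-01T10:00:02 LOGIN_OK user=client1 ip=203.0.113.21
2009-06-01T10:00:04 LOGIN_OK user=client1 ip=192.0.2.44
2009-06-01T10:00:06 LOGIN_OK user=client1 ip=203.0.113.80
2009-06-01T09:00:00 LOGIN_OK user=client2 ip=192.0.2.10
2009-06-01T13:30:00 LOGIN_OK user=client2 ip=192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for user, n in flag_accounts(SAMPLE).items():
        print(f"{user}: {n} distinct source IPs within one minute")
```

An account flagged this way points at credentials stolen on the client side rather than a flaw on the server, which matches why changing passwords alone did not stop the logins.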