Quite often we find that websites have been infected using stolen FTP login credentials (username and password).
These credentials are stolen by a virus on a PC that has FTP access to the infected website.
The virus steals them in several ways.
First, if you’re using a PC with one of the free FTP programs like FileZilla, then you should know that many of those programs store the saved login credentials in a plain text file on the PC.
If you’re on Windows XP and using the latest FileZilla, look in:
C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml, where (user) is the user currently logged in to the PC. This is usually administrator.
The PC gets infected by a virus, probably from the user visiting an infected website, and the virus looks for these files, reads them and sends the contents to a server, which then uses the valid login and password to infect the website.
The hackers will usually put backdoors on the website as well so they can re-infect it after the owner has changed the FTP password (which is step #1, by the way).
These backdoors can be .php, perl or other files.
The second way the virus works is by sniffing the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it’s easy for the virus to “see” and steal the login credentials this way as well.
I have a YouTube video that shows how easy it is to sniff FTP traffic:
The only way to avoid that method is to check whether your hosting provider supports SFTP or FTPS. Those protocols are encrypted, so the credentials are much more difficult to sniff.
So, first change all FTP passwords. I recommend creating a different FTP account for each user, including developers, webmasters, etc.
Then make sure that FTP logging is activated. Many hosting providers have this off by default.
With these two steps, if your site does get infected again, you can look in the logs and see whose FTP account was used to infect the website. That's the person with the virus.
Now, where to find the infectious code (malscripts).
We generally find it in these locations:
- Before the opening html tag (<html>)
- Sometimes right after the opening html tag
- Immediately after the closing head tag
- Between the closing head tag and the opening body tag
- Immediately after the opening body tag (you may have to scroll to the right to see it)
- Right before the closing body tag
- Between the closing body tag and the closing html tag
- After the closing html tag. (again, you may have to scroll to see it)
In .js files it’s usually in the last lines of the file so it doesn’t negatively affect the good code.
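As an added example (my own illustration, not part of the original post), here is a small scanner that checks an HTML file for script, iframe, object or embed tags sitting in the positions listed above: the gaps before `<html>`, between `</head>` and `<body>`, between `</body>` and `</html>`, after `</html>`, and the very first tag after `<html>` or `<body>`. The sample page is constructed and the hostnames are placeholders.

```python
import re

# Constructed sample page (not from the post): script/iframe tags placed in
# several of the positions listed above; hostnames are placeholders.
SAMPLE_HTML = """<script src="http://inject.example.invalid/x.js"></script>
<html>
<head><title>Home</title></head>
<iframe src="http://frame.example.invalid/" width="1" height="1"></iframe>
<body><script>var a=1;</script>
<p>Welcome to the site.</p>
</body>
</html>
<script>document.write(unescape(payload))</script>
"""

SUSPECT = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)
ANY_TAG = re.compile(r"<[^>]+>")
# Gaps between structural tags where a normal page carries no markup at all.
GAPS = [("before <html>", None, "<html"),
        ("between </head> and <body>", "</head", "<body"),
        ("between </body> and </html>", "</body", "</html"),
        ("after </html>", "</html", None)]

def find_tag(html, tag):
    """(start, end) offsets of the first occurrence of a structural tag, or None."""
    m = re.search(re.escape(tag) + r"[^>]*>", html, re.IGNORECASE)
    return (m.start(), m.end()) if m else None

def scan_html(html):
    """Return (location, line number, snippet) for suspect tags in the listed positions."""
    pos = {t: find_tag(html, t) for t in ("<html", "</head", "<body", "</body", "</html")}
    line = lambda off: html.count("\n", 0, off) + 1
    findings = []
    for label, a, b in GAPS:
        if (a and not pos[a]) or (b and not pos[b]):
            continue  # a structural tag is missing, so this gap is undefined
        start, end = (pos[a][1] if a else 0), (pos[b][0] if b else len(html))
        for m in SUSPECT.finditer(html, start, end):
            findings.append((label, line(m.start()), html[m.start():m.start() + 60].strip()))
    # "Immediately after" <html> or <body>: the very next tag is itself suspect.
    for tag in ("<html", "<body"):
        nxt = ANY_TAG.search(html, pos[tag][1]) if pos[tag] else None
        if nxt and SUSPECT.match(nxt.group(0)):
            findings.append((f"immediately after {tag}>", line(nxt.start()), nxt.group(0)[:60]))
    return findings

if __name__ == "__main__":
    for loc, ln, snippet in scan_html(SAMPLE_HTML):
        print(f"line {ln:3d}  {loc:28s}  {snippet}")
```

Run it over each .html file from a backup and compare the output against the live copy; a hit in one of these gaps is worth opening in an editor before restoring.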
Clean the files or, if you have a known good backup, just restore your site. However, that won't get rid of the backdoors. Those are too many to list and there are a multitude of variations as well. If you have a file that you suspect, provide it to me and I will inspect it and let you know.
I hope this helps. This is my experience from cleaning over 20,000 websites during the past 3 years.