The hacker collects hundreds of such credentials and then uses a program to log into each server, download a file, modify it to append an iframe or block of obfuscated JavaScript or PHP, upload the file, download the next file, modify, upload, next, etc. The files downloaded may either match a set of names (such as only index., default., home.* etc) or just any html or PHP file.

The appended code is often either an iframe that is visibility: hidden or of 1×1px size, a <script> sourcing a remote JavaScript file on a dubious domain, a collection of Javascript obfuscated by some clever str.CharCode’ing, or a block of base64_encode’d eval()’d code. Unobfuscating the code, the result is often an iframe. More recently, some clever attackers are inserting remote shells, granting them backdoor access to your server.

Once all the files have been modified, the attacker logs out. Visitors to your site will be subject to malicious code from the domain linked in the iframe with the intention of installing viruses and rootkits. Among other functions, these viruses will install a keylogger to sniff FTP credentials… and the virus continues spreading.

The attacker is using your credentials, so they can only access files that you have access to. Sometimes, they will upload an additional file in certain directories with an encoded shell, allowing them return access to the server (the common ones are _captcha.php in /forums directores and img.php or gifimg.php in /gallery directories). If you host other domains on your server, as long as the user for the affected domain has no access beyond their current domain, others will not be affected.

There are two ways to stop this sort of attack — prevention and proper antivirus. The attacks can be easily deflected by use of a firewall and limiting FTP access to only a few select IPs. The attackers are not attacking from your own workstation (yet), but rather a server elsewhere in the world. Using proper antivirus on all workstations with access to your FTP account — or, better yet, not using Windows XP — will help prevent the original infection from occurring.

If you are infected, it’s fairly easy to clean the messes up using a bit of clever sed, depending how good you are at spotting the injection and making effective regexes. Otherwise, backups backups backups — always have backups! …Oh, and change your FTP password or they’ll be back tomorrow.

(Note: these commands contain a Plesk bias, as I see such compromises overwhelmingly on Plesk for some reason…)

Identify the files that have been modified:

mkdir /home/rack/ticketnumber
cd !!$
cp /usr/local/psa/var/log/xferlog.* .
gunzip xferlog*
awk '$12 != prev {print $9; prev=$12}' xferlog* | egrep "\.php|\.htm|\.shtm|\.js" | sort |uniq > ftp_modified.out

Search through the result set for common changes:

cat ftp_modified.out |while read line; do grep -H iframe $line >> iframe.out ; done

Review this output for suspicious iframes. Often they have the visibility:hidden attribute, are Russian or Chinese, listen on odd ports, or point to a CGI script. Once you’ve identified one of these, review the file it was found in for unmatched malicious content, usually in the form of obfuscated JavaScript. Note each of these “signatures”.

Generate a regex tight enough to match only such malicious content, but be aware of random elements put into the signature so as to thwart cleanup attempts.

Run this regex against the modified files:

cat iframe.out | awk -F\: '{print $1}' | while read line ; do sed -i 's/<iframe src=.*\/in\.cgi\?.*<\/iframe>//g' $line ; done

Immediately change the passwords for the affected domains, and be sure to advise the customer that the infection will recur lest they find the breach on their side — the infected desktop — and clean it up. Most antivirus products can catch and clean the common rootkits and trojans, but be aware that each scans differently and will find different things. If one scan comes up clean, scan again with another AV product, and likely triple-check as well.