We have one customer who is being hacked non-stop.
Usually these were just trojans sending SPAM, but today it got even worse.
Every folder on his account has an info.html file with normal user permissions:
-rw-r--r-- 1 gatek89 gatek89 77 Apr 16 19:18 info.html
and this content:
<meta HTTP-EQUIV="REFRESH" content="0; url=http://grandscenter.ru/?tr=6475">
But on one domain all PHP files were replaced with this redirection:
drwxr-xr-x 2 gatek89 gatek89 4.0K Apr 16 19:21 cgi-bin
drwxr-xr-x 2 gatek89 gatek89 4.0K Apr 16 19:21 images
-rw-r--r-- 1 gatek89 gatek89 20K Feb 19 01:20 license.txt
-rw-r--r-- 1 gatek89 gatek89 33K Mar 27 18:50 lottoland.jpg
-rw-r--r-- 1 gatek89 gatek89 77 Apr 16 19:20 readme.html
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-activate.php
drwxr-xr-x 9 gatek89 gatek89 4.0K Apr 16 19:21 wp-admin
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-blog-header.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-comments-post.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-config.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-config-sample.php
drwxr-xr-x 7 gatek89 gatek89 4.0K Apr 16 19:21 wp-content
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-cron.php
drwxr-xr-x 12 gatek89 gatek89 4.0K Apr 16 19:21 wp-includes
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-links-opml.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-load.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-login.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-mail.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-settings.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-signup.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 wp-trackback.php
-rw-r--r-- 1 gatek89 gatek89 68 Apr 16 19:20 xmlrpc.php
Example of file:
cat xmlrpc.php
<?php
header('Location: http://grandscenter.ru/?tr=6476');
exit;
?>
I've checked all passwords, all FTP logs and nothing...
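As an added example (not the poster's own tooling), here is a small Python scanner for the two signatures shown above: a PHP file that is nothing but a `header('Location: ...')` plus `exit`, and an HTML file that is only a meta refresh. The 512-byte size cap and the `build_sample_tree()` helper with its constructed files are my assumptions; pointed at the account's document root it returns every matching file with its redirect target and mtime, which gives the list to restore from backup and the time window to search in the web-server and cron logs.

```python
import re
import tempfile
from pathlib import Path

# Signatures from the post: PHP-only Location redirect, HTML-only meta refresh.
SIGNATURES = (
    ("php-redirect", re.compile(
        r"^\s*<\?php\s*header\(\s*['\"]Location:\s*(?P<url>[^'\"]+)['\"]\s*\)\s*;"
        r"\s*exit\s*;\s*(\?>)?\s*$", re.IGNORECASE)),
    ("meta-refresh", re.compile(
        r"<meta\s+http-equiv=[\"']?refresh[\"']?\s+content=[\"']\s*\d+\s*;\s*url="
        r"(?P<url>[^\"'>]+)", re.IGNORECASE)),
)

def classify(content):
    """Return ('php-redirect', url), ('meta-refresh', url) or None."""
    for kind, rx in SIGNATURES:
        m = rx.search(content)
        if m:
            return kind, m.group("url").strip()
    return None

def scan_tree(root, max_size=512):
    """Return (path, kind, url, mtime) for every small file under root that
    matches a signature; the size cap (assumed) skips genuine application code."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_size:
                continue
            result = classify(path.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        if result:
            hits.append((str(path), result[0], result[1], int(path.stat().st_mtime)))
    return hits

def build_sample_tree():
    """Constructed sample tree mimicking the post's listing (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="redirscan_"))
    samples = {
        "xmlrpc.php": "<?php\nheader('Location: http://grandscenter.ru/?tr=6476');\nexit;\n?>\n",
        "images/info.html": '<meta HTTP-EQUIV="REFRESH" content="0; url=http://grandscenter.ru/?tr=6475">\n',
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return str(root)
```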