Well I knew it could happen one day but I have have been safe for so long I though it would never be this bad.
I received a report that a client had gone to their site and the browser had poped up a warning “The webpage you are about to open contains a virus” hmm not good.
So logged in via FTP and sure enough the home page and other index files had been updated and had an iframe inserted in the code, fortunately I hd copies of the infected files and uploaded them all good.
Investigation on the server revealed that the files had been updated via FTP so the password had been used, as multiple users had FTP access the quick and simple fix was to change the password to restrict access and up security on the rest of the site. Site repaired and changes made to the admin area of the site I thought I would check things and logged in. Bad Move on my part!
Browser locked up loading the page, WHAT!!! yep you guessed it the admin page had the same hack and I had missed it. I had not noticed but to compound the problem AVG had not started for some reason when the PC had booted up that morning so I did not get a warning. I shut down the browser but the damage was done the web page had silently contacted a site in China using a hidden iframe and downloaded the trojan. Little did I realise that the particular nasty was the same one that had caused the problem on the website. I wiped everything and loaded it from offsite backups, checked everything and all looked good and then fired up the MIA Antivirus and set it running.
Oh it found stuff and went about its business finding and quarantining infected files, whew got it or so I though.
Next day thought I would check things again just to make sure things were Ok on the site and what do you know they had the iframe hack again but only a few files, this is odd. Changed password again and re upload the files, checked back during the day and no further issues.
After that I went on to do some work on another site and uploaded some files, 20 minutes later the site goes off air. What do you know same problem, iframe hack but this time as the site is php the inserted code actually broke the page. Whats the chances of two sites for different clients on two different servers having the same problem, what could be the common point, yep ME!
A little time doing some research and I found out just what it does, apart from installing itself in various locations on your PC it infects the resident antivirus program and looks for any FTP program to use and any sites you access it edits every possible home page inserting a link back to its maker. As I manage quite a few sites this is a major issue. AVG did not get everything so first delete it along with filezilla as it is now infected and install fresh copy of Avast (6 hours for a full scan) and ran that, ran malwarebytes (4 hours) to pick up any others and found another set of infected files. So went looking for another AV program and found some very good articles about Avira AntiVir including some about this particular trojan and the success at getting rid of all infected files.
After installing and running a full scan (9.5 hours) it found 93 infected files various viruses and trojans as well as a few others it matched through its heuristic scan so I can now report I am completely virus and trojan free
Just to be sure I set up a fresh copy of filezilla and set up an account on a test domain, logging on and uploading and downloading files for a couple of days.
As a precaution I had to change the passwords for every other account that the FTP program had in its list, although checks of all sites using another PC revealed that no other sites were compromised it was still better to be safe that sorry.
So be warned keep your AntiVirus measures up to date and make sure they are running!