Web Hosting Forum | Lunarpages
Topic: Was your site hacked at 3am on August 12th?
russellg
« on: August 12, 2009, 11:01:36 PM »

All of my index files were hacked at about 3am this morning (August 12th, 2009) with an iframe tag inserted.  After not finding anything suspicious in the web logs, I checked the FTP logs (under the FTP Manager icon of the Control Panel).  Then I found it.  Someone logged in with my primary FTP username, and then proceeded to download each index file one by one, modify it, and upload it back.  The strange thing was that every file access showed a different source IP address -- even for the same file.  So a particular file was downloaded by one IP, then uploaded a few seconds later by a different IP.  So obviously they were masking their IP somehow.  I'm assuming it was some kind of bot.

The thing I'm really concerned about here is that it was my FTP account.  I have a very secure PC, with an up-to-date virus scanner that scans the whole PC nightly, a firewall, and a router.  I don't use wireless, nobody uses this PC but me, and my FTP client doesn't store the passwords in plain text.  I just don't see how anyone could have gotten the username and password from my PC.

This same thing happened recently to two other people I know.  One of them was at the same time today, around 3am.  The other was about a month ago.  I can't figure out how someone is getting all of our usernames and passwords.  Surely we can't all be infected with a keylogger that our virus scanners are missing.

Anyone else notice their index.html and index.php files modified today?

Russell
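The pattern the original poster found in the FTP Manager logs (the same account downloading an index file and re-uploading it seconds later, from a different source IP each time) is something a log review can flag automatically. The following is an added example, not code from the thread or from Lunarpages; it assumes a simplified, hypothetical log format (ISO timestamp, FTP account, client IP, GET for download / PUT for upload, path), and the sample log lines are constructed. Adapt `parse_line` to your server's real transfer-log format.

```python
"""Added example: correlate FTP transfer-log lines to find quick
download-then-upload rewrites of the same file under one account,
and list the distinct client IPs each account was seen from."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical format:
# <ISO timestamp> <account> <client IP> <GET|PUT> <path>
SAMPLE_LOG = """\
2009-08-12T02:58:10 user1 198.51.100.7 GET /public_html/index.html
2009-08-12T02:58:14 user1 203.0.113.22 PUT /public_html/index.html
2009-08-12T02:58:20 user1 192.0.2.45 GET /public_html/blog/index.php
2009-08-12T02:58:25 user1 198.51.100.90 PUT /public_html/blog/index.php
2009-08-12T09:15:02 user1 192.0.2.10 GET /public_html/about.html
2009-08-12T10:40:33 user1 192.0.2.10 PUT /public_html/about.html
"""


def parse_line(line):
    """Split one log line of the hypothetical format into a dict."""
    ts, user, ip, direction, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "dir": direction, "path": path}


def load_events(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_rewrite_bursts(log_text, window_seconds=60):
    """Return one finding per GET that is followed by a PUT of the same
    file, by the same account, within window_seconds. Each finding records
    both client IPs and whether they differ (the 'masked IP' symptom)."""
    last_get = {}  # (account, path) -> most recent GET event
    findings = []
    for ev in load_events(log_text):
        key = (ev["user"], ev["path"])
        if ev["dir"] == "GET":
            last_get[key] = ev
        elif ev["dir"] == "PUT" and key in last_get:
            g = last_get.pop(key)
            gap = (ev["ts"] - g["ts"]).total_seconds()
            if gap <= window_seconds:
                findings.append({
                    "user": ev["user"], "path": ev["path"],
                    "get_ip": g["ip"], "put_ip": ev["ip"],
                    "gap_seconds": gap, "ip_changed": g["ip"] != ev["ip"],
                })
    return findings


def source_ips_per_account(log_text):
    """Map each account to the sorted set of client IPs it logged in from.
    A legitimate user normally shows one or two; a hijacked account driven
    through a bot or proxy pool shows many."""
    ips = defaultdict(set)
    for ev in load_events(log_text):
        ips[ev["user"]].add(ev["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items()}


if __name__ == "__main__":
    for f in find_rewrite_bursts(SAMPLE_LOG):
        print(f)
    print(source_ips_per_account(SAMPLE_LOG))
```

On the constructed sample this reports the two index-file rewrites (4 and 5 seconds apart, each from a different IP) and ignores the about.html edit, which took over an hour and came from a single address. When reviewing a real incident, run it over the full log period and also look at logins that transferred nothing; credential testing often shows up that way first.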
katrina1
« Reply #1 on: August 13, 2009, 03:12:38 AM »

Change the password right away to something random with no full words in it, at least 8 characters, uppercase and lowercase, with at least a couple different numbers. They may have hacked the password.
russellg
« Reply #2 on: August 13, 2009, 07:39:12 AM »

> Change the password right away to something random with no full words in it, at least 8 characters, uppercase and lowercase, with at least a couple different numbers. They may have hacked the password.

Hi, and thanks for the reply.

Yes, I'm sure that's good advice, and that was definitely the first thing I did after discovering this, but I already had a very secure password. It was 14 characters with a number, and not in the dictionary.  So I can only think of a few ways that someone could have gotten it:

1. They monitored my FTP connection, and got the username and password in plain text.

    This seems very unlikely since I don't use wifi and I'm the only one that uses this PC at home.  Someone at Time Warner Cable, my ISP?  Seems equally unlikely.

2. They guessed the username and used a brute force attack against the Lunarpages FTP server to get the password.

    Almost impossible, especially since Lunarpages' server would have blocked a repeated brute force attack.

3. They gained access to the FileZilla (FTP client) encrypted password file on my PC and decrypted it.

    Also unlikely, since my AVG virus scanner hasn't detected anything, I have a firewall and a router, and anyway, the file is encrypted.

4. They used a keylogger on my PC, that my virus scanner hasn't detected.

   Again, seems unlikely, and I don't normally type in my password when I connect via FTP.

5. They got my username and password when I logged into the Lunarpages web site.

   I'm not sure how this would happen, but I mention it because the username they used was my primary FTP account, even though I had created several other FTP accounts.  I don't think this is a coincidence.  Since the primary FTP account uses the same username and password as my web username and password, I wonder if they could have gotten it somehow when I logged into the Lunarpages web site.  It wouldn't have been the Control Panel, because it's protected via htaccess (the browser prompts you with a popup window), but logging into the main web site is different.

6. They compromised Lunarpages' username and password information.

   This seems unlikely as well, and I'm not pointing any fingers here, just pointing out that it's one of the possibilities, just like problems on my PC are possibilities.  But it would explain why three separate accounts owned by three separate people on three separate servers have been hacked recently using the same method of entry: FTP usernames and passwords.  Normally I would have thought that it was impossible, because typically Linux servers are set up so that the passwords are stored using a one-way encryption.  You can't decrypt them back to their original text, so the plain text version isn't displayed anywhere.  But this isn't the case on Lunarpages.  For example, go to the FTP Manager icon in your Control Panel, then to FTP Accounts, and hold the mouse cursor over the links to the raw FTP logs at the bottom of the page.  You'll see your plain text password included in the URL.  Of course, I have to be logged in to see this, but my point is that the password is definitely being stored on their system in a way that it can be displayed as plain text.  I could be completely wrong, but it's just something I noticed.

Any other ideas?

Thanks,
Russell
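Point 6 above turns on the difference between a credential store that can hand the password back (which is what a plain-text password in a log URL implies) and one that keeps only a salted one-way hash. The following is an added example, not code from the thread or from Lunarpages, that shows both forms side by side using Python's standard-library PBKDF2; the record layout and the function names are this example's own.

```python
"""Added example: plain-text credential storage beside salted one-way
hashing, with a check for whether a stored record exposes the password."""
import hashlib
import hmac
import os


def store_plaintext(password):
    # Recoverable storage: anything that renders this record (a control-panel
    # page, a log-viewer URL, a backup) carries the credential itself.
    return {"password": password}


def store_hashed(password, iterations=200_000):
    # One-way storage: a per-user random salt plus PBKDF2-HMAC-SHA256.
    # The record lets the server verify a login but not recover the password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record, candidate):
    """Recompute the hash for the candidate password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_exposes_password(record, password):
    """True if the password appears verbatim in any stored field, i.e. any
    screen or URL built from this record would leak it (the symptom the
    poster saw in the FTP Manager log links)."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    pw = "constructed-sample-Passw0rd"  # constructed; not a real credential
    plain, hashed = store_plaintext(pw), store_hashed(pw)
    print("plain record exposes password:", record_exposes_password(plain, pw))
    print("hashed record exposes password:", record_exposes_password(hashed, pw))
    print("hashed record verifies login:", verify(hashed, pw))
```

The practical consequence for the thread's situation: when a provider can show you your own password, a compromise of that provider's database or control panel exposes the password itself rather than a hash that still has to be cracked, so rotating the credential after any such incident is the only safe assumption.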
wektech
« Reply #3 on: August 13, 2009, 10:52:05 AM »

I noticed you mentioned several times that you were using AVG for computer protection but no mention of what you were using to supplement for malware protection. I would suggest you scan the computer with Malware Bytes Antimalware program and/or superantispyware and see if AVG missed something. AVG often misses keyboard loggers and the like.

MNM
« Reply #4 on: August 13, 2009, 11:39:36 AM »

I'm reading this time and time again in the forums. It has not happened to me so I don't know what the security issue is. The only thing I can say is I use Lastpass.com to generate my passwords and they are so extravagant that it could never be hacked. The program also submits the password for me so a key logger would never work.

So in short, I also use extreme security and have never had a problem.

However... it is a bit disconcerting reading about this same issue with so many people. It makes me extremely cautious when dealing with my account and when and how I log in.

My private thoughts on the matter are that it is not a key logger because nobody had any other issues with their bank accounts being compromised. A successful key logger would surely log that, and similar, information as well.

russellg
« Reply #5 on: August 13, 2009, 01:47:01 PM »

> I would suggest you scan the computer with Malware Bytes Antimalware program and/or superantispyware and see if AVG missed something.

Thanks.  I did a complete scan of my hard drive with both of those programs just now.  Antimalware found nothing, and SuperAntiSpyware only found adware cookies, nothing else.

I agree that it's probably unlikely that I'm a victim of a keylogger, because there would probably be evidence of more malicious hacking than just inserting invisible frames into my web pages.  But now I know for sure, anyway.

I searched every file I have on the server (forum and blog config files included), as well as all the data in my MySQL databases, and didn't find my old FTP password listed anywhere.  That leads me to believe that it wasn't a script attack that was used to get my account info, because the scripts didn't have access to it anyway.

I still believe there's something else going on here that's not on my end, but haven't figured it out yet.  Any other theories are welcome.

Thanks,
Russell
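The poster searched every file on the server by hand after the index files were altered. The check below is an added example, not code from the thread or from Lunarpages: it walks a web root, looks only at the index files the attack targeted (a wider name list can be passed in), and reports iframe tags that are sized to zero or hidden with CSS, which is how an injected frame is usually made invisible to visitors. The sample site it builds in a temporary directory is constructed, and the URL in it is a placeholder.

```python
"""Added example: scan index files under a web root for hidden or zero-size
iframe tags and report file and line number for triage."""
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Hints that a frame is meant to be invisible: zero width/height (attribute or
# inline style), display:none, or visibility:hidden.
HIDDEN_HINTS = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?0+\s*(?:px)?(?=["'\s>/;])"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def suspicious_iframes(html):
    """Return the iframe tags in html that carry a hidden/zero-size hint."""
    return [m.group(0) for m in IFRAME_RE.finditer(html)
            if HIDDEN_HINTS.search(m.group(0))]


def scan_webroot(root, names=("index.html", "index.htm", "index.php")):
    """Walk root, read each file whose name is in names, and return
    (relative path, line number, tag) for every suspicious iframe."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            for m in IFRAME_RE.finditer(content):
                if HIDDEN_HINTS.search(m.group(0)):
                    lineno = content.count("\n", 0, m.start()) + 1
                    findings.append((os.path.relpath(path, root), lineno, m.group(0)))
    return sorted(findings)


def build_sample_site():
    """Create a constructed three-file site in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="sample_site_")
    os.makedirs(os.path.join(root, "blog"))
    files = {
        # Injected, hidden frame on line 2 (constructed; placeholder URL).
        "index.html": "\n".join([
            "<html><body><h1>Welcome</h1>",
            '<iframe src="http://placeholder.invalid/injected" width="0" height="0" frameborder="0"></iframe>',
            "</body></html>", ""]),
        # Legitimate, visible embed: must not be flagged.
        os.path.join("blog", "index.php"): "\n".join([
            "<?php include 'header.php'; ?>",
            '<iframe src="https://video.example/embed/PLACEHOLDER" width="560" height="315"></iframe>', ""]),
        # Hidden frame in a non-index file: only found when the name list is widened.
        "about.html": '<p>About</p><iframe src="http://placeholder.invalid/x" style="display:none"></iframe>\n',
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, lineno, tag in scan_webroot(site):
        print(f"{rel}:{lineno}: {tag}")
```

The scanner reads whole files rather than single lines so a tag split across lines is still caught. It is a triage aid, not proof of a clean site: compare the flagged files against a known-good backup or version control, and treat any file whose modification time falls in the FTP log's suspicious window as altered even if no iframe is found.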
Hopeless
« Reply #6 on: August 17, 2009, 10:31:15 AM »

- post removed, please keep all discussion of the NobodyCoder issue in its own thread that has been created for it.  Thanks!
« Last Edit: August 17, 2009, 10:34:59 AM by Mitch »