Hacked site?

Discussion in 'Tutorials' started by mjp, May 5, 2009.

    We have seen an increase in the number of sites compromised via legitimate FTP access. The way this typically happens is a worm or virus installs a keylogger or other username/password harvesting program onto your home or office computer. Once a hacker has your login information, they can alter your site files to deliver malware to visitors, or redirect your visitors to another infected site. This is usually done by adding a single line of <iframe> code to a page.

    Another common compromise method is through SQL injection. If your web application does not check, filter or otherwise sanitize any data sent to your database, an SQL injection is possible either through a web-based input form or via an altered URL string. The SQL injection is used to perform database queries that your application generally would not perform (such as updating text fields that are displayed on a web page to include malicious links). For a good general overview on SQL injection techniques and how to safeguard against them, please see this article: http://en.wikipedia.org/wiki/Sql_injection

    If a site visitor has notified you that they receive a warning from their antivirus software, or get Google's "Reported Attack Site!" warning from their browser, your site may have been exploited.

    What you should do to clean up the issue:

    1) Perform a thorough virus scan of every computer you use to access your site and remove any malicious programs. There are a lot of free detection tools; here are links to a few:

    2) Once you are certain that all of the computers you use to access your site are free from malicious software, delete all the files from your site.

    3) Change all of your account passwords - including FTP, database and email account passwords - and the passwords of any users that have FTP access in Control Panel.

    4) Re-upload your site files (if your site was flagged by Google as an "attack site," see this post for instructions on getting it removed from their database).

    If you clear out files and change passwords without being certain that your computer(s) are free from malicious software, it is likely that your login information (and your site) will be compromised again.
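
A check for the injected <iframe> line described above, as an added example that is not part of the original post: it flags iframes that point off-site, are hidden by style, or are zero or one pixel in size. The allowlist `ALLOWED_HOSTS`, the sample pages and the function names are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site embeds on purpose; any other iframe host is flagged.
ALLOWED_HOSTS = {"www.example.com", "www.youtube.com"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample pages, not taken from a real incident.
CLEAN = ('<html><body>\n<iframe src="https://www.youtube.com/embed/abc" '
         'width="560" height="315"></iframe>\n</body></html>')
INFECTED = ('<html><body>\n<p>Welcome</p>\n<iframe src="http://stats.example.net/in.php" '
            'width="1" height="1" style="visibility: hidden"></iframe>\n</body></html>')

class IframeFinder(HTMLParser):
    """Records (line, reasons) for each <iframe> that looks injected."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        host = urlparse(a.get("src", "")).hostname
        if host and host not in ALLOWED_HOSTS:
            reasons.append("off-site src: " + host)
        if any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height")):
            reasons.append("zero or one pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], reasons))

def scan_page(html_text):
    """Return the suspicious iframes in one page as [(line, [reason, ...]), ...]."""
    finder = IframeFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

def scan_site(root, exts=(".html", ".htm", ".php")):
    """Scan a local copy of the site; return {path: findings} for flagged files only."""
    pages = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts)
    results = {str(p): scan_page(p.read_text(errors="replace")) for p in pages}
    return {path: found for path, found in results.items() if found}
```

Run `scan_site` against a downloaded copy of the site to see which pages were altered; an empty result only means none of these three patterns matched.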