Ok, here's the story - I run on FreeBSD and have been for ten years. About three weeks ago I found some garbled code above the header of some PHP files. It appeared to be an SQL or PHP injection. I could never pin down exactly how they did it, so I disabled anything that could be used as a file transfer protocol, locked down everything and changed all passwords - FTP included.
I created a new virtual host on my server and started a new website nine days ago. Since then I have changed the ftp password three times because I needed to give ftp access to a software vendor. After the software folks did their thing I changed the pw.
Yesterday, I got hacked on my NEW website (five-day-old password), and whoever did it put an iframe at the top of several files linking to a website that executes a Trojan of some sort.
So, I searched the website log files high and low and could not find a www event that coincided with the affected file change time – nothing. Remember, this is a new site so there is not much traffic.
Finally, I looked in the /var/log/ftp log files and there it was – they had first logged in on the old site – logged out and then logged in to the new virtual website, changed directories and uploaded files.
A hacker has my ftp logins and passwords! Now, these passwords are totally wild as I use a combination of letters, numbers, lower and upper case. The chances that somebody cracked both passwords are less than me winning the lotto five times in a row… I’m the only person in the world that knows these passwords – period (so I thought).
Yes, I have changed everything, done virus scans and even called the host.
So, I’m looking for theories – here’s mine:
Keystroke logger of some flavor on my PCs
Hosting company hacked my password files? These are encrypted.
The hacker has since tried to login three times - I’m totally paranoid.
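The log correlation the post describes (matching the changed files' modification time against FTP logins, then spotting the repeated login attempts afterwards) can be scripted so it does not have to be done by eye. The following is an added example, not code from the original poster: it assumes a syslog-style ftpd line format and uses constructed sample log lines, a constructed file modification time, and an assumed year, since syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED syslog-style ftpd format; not a real capture.
SAMPLE_FTP_LOG = """\
Mar 14 02:11:03 host ftpd[5123]: FTP LOGIN FROM 198.51.100.23 as oldsiteuser
Mar 14 02:11:40 host ftpd[5123]: FTP session closed
Mar 14 02:12:05 host ftpd[5130]: FTP LOGIN FROM 198.51.100.23 as newsiteuser
Mar 14 02:12:31 host ftpd[5130]: FTP session closed
Mar 15 09:30:12 host ftpd[6001]: FTP LOGIN FAILED FROM 198.51.100.23, newsiteuser
Mar 15 09:30:20 host ftpd[6002]: FTP LOGIN FAILED FROM 198.51.100.23, newsiteuser
Mar 15 09:30:29 host ftpd[6003]: FTP LOGIN FAILED FROM 198.51.100.23, newsiteuser
"""

ASSUMED_YEAR = 2008  # syslog lines have no year; assumed for the constructed sample

# Assumed line shapes; adjust the patterns to the real ftpd output on your host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"FTP LOGIN FROM (?P<ip>\S+) as (?P<user>\S+)")
FAILED_RE = re.compile(r"FTP LOGIN FAILED FROM (?P<ip>\S+), (?P<user>\S+)")


def parse_ftp_log(text, year=ASSUMED_YEAR):
    """Turn raw log text into a list of login / failed-login events with datetimes."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ftpd line, or a shape we do not classify
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        login = LOGIN_RE.search(m["msg"])
        failed = FAILED_RE.search(m["msg"])
        if login:
            events.append({"time": ts, "kind": "login", "ip": login["ip"],
                           "user": login["user"], "pid": int(m["pid"])})
        elif failed:
            events.append({"time": ts, "kind": "failed", "ip": failed["ip"],
                           "user": failed["user"], "pid": int(m["pid"])})
    return events


def logins_before_change(events, mtime, window=timedelta(hours=1)):
    """Successful logins in the window leading up to the file's modification time.

    This is the check the poster did by hand: if a login lands just before the
    defaced file's mtime, FTP (not the web application) is the likely channel.
    """
    return [e for e in events
            if e["kind"] == "login" and mtime - window <= e["time"] <= mtime]


def failed_logins_by_ip(events):
    """Count failed logins per source IP; repeated failures after a password
    change are the 'tried to login three times' signal from the post."""
    counts = {}
    for e in events:
        if e["kind"] == "failed":
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


def summarize(text, mtime):
    """Users that logged in shortly before the change, plus failed-login counts."""
    events = parse_ftp_log(text)
    near = logins_before_change(events, mtime)
    return {"users_before_change": [e["user"] for e in near],
            "source_ips": sorted({e["ip"] for e in near}),
            "failed_by_ip": failed_logins_by_ip(events)}


if __name__ == "__main__":
    # Constructed mtime of the defaced file: shortly after the second login.
    file_mtime = datetime(ASSUMED_YEAR, 3, 14, 2, 12, 40)
    print(summarize(SAMPLE_FTP_LOG, file_mtime))
```

On a real host, read `/var/log/ftp` (or whatever file syslog writes the `ftp` facility to) into `text`, take `mtime` from `os.stat(path).st_mtime` on the defaced file, and widen `window` if the log timestamps and the file system clock are not in sync. The same pattern, with the web server's access log and its own regex, answers the other half of the poster's question: whether any HTTP request coincided with the change.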