bwnbwn - 9:40 pm on Jul 4, 2012 (gmt 0)
I have a client that called me; he said his website was redirecting to another website. It was discovered Plesk was the hole. Plesk was patched but the server was still infected. It took some time, but I found a sweet server scanner for finding which files on the server the malware is located in and removing it.
It has taken 5 or so hours to scan the server and this software has discovered 40+ files with different types of trojan malware loaded. Looks like some are used for spamming out emails such as UPS package notices, account problem notices in HTML format, JS redirects and others. There are 100 or so sites on the server and it looks like most of them have a redirect JS installed, so the hacker must have gotten administrator access. I have advised the client, as soon as I complete the scan, to change all passwords on everything.
I have contacted the host and requested a new server; even though it looks like I might get them all, this one is so infected it is just too risky to keep. When I remove the crap it will probably break parts of the server anyway. He has backups of all the sites at his office, so I won't use a thing off the server and will set up IIS by hand, upload the sites and move on.
Looks like a long, long 4th of July day for me. Even if I break the sites, it is better they are broken than infecting my visitors with this stuff.