
Find how site was hacked

         

lleemon

6:43 pm on Mar 24, 2014 (gmt 0)

10+ Year Member



Got a call today about a site containing a piece of code that wasn't put on the site by me.

The code is:
<marquee width="1" height="1" scrollamount=9981><a href="http://www.example.com/" target="_blank"><strong>nike air</strong></a></marquee>


This was put at the end of the page.

My question is, how do I figure out how this was done so we can prevent it in the future? The homepage makes no calls to a database, so it wasn't SQL injection. They had to have had access directly to the file.

Anyone know of a trusted and reliable service that scans your site to look for holes?

Thanks.

[edited by: Ocean10000 at 8:43 pm (utc) on Mar 24, 2014]
[edit reason] use EXAMPLE.com [/edit]

Ocean10000

8:54 pm on Mar 24, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I am assuming by your questions you just do not want to reupload your site, and call it a day.

First question: have you checked the file to see if it has been modified or not?

They could have taken multiple different routes to add that at the end of the webpage sent to the browser; these come to my mind:

I am assuming the server in question is running IIS and not Apache.

(1) Edit the file in question (easiest).
(2) Add a new module or code-behind to the site to insert it (easy, depending on version of .NET).
(3) Change IIS settings to include the code on all html/aspx/asp pages.

Start eliminating these as the places where they inserted the code. More than likely they either compromised your account or compromised the server.

lleemon

9:40 pm on Mar 24, 2014 (gmt 0)

10+ Year Member



Yes, the file has been modified recently, and not by me. I can easily upload my version of the file and fix it. It's running on IIS and is a .NET site.

Is there a way to tell if someone compromised the account or server?

Ocean10000

10:16 pm on Mar 24, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I would look at the log files for the service which you use to upload the files with. Also look at the Windows event logs around this time as well for errors, or anything else unusual that may be in there.

I would also recommend checking your own system for malware or spyware, in case one got onto your system and got your login credentials that way.

Even if you don't find anything, I would change your password to a complex version that does not contain dictionary words as an added precaution.

I would also reload the entire site from scratch from your local version in case they left anything else nasty behind.

LifeinAsia

10:58 pm on Mar 24, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



> I would also reload the entire site from scratch from your local version in case they left anything else nasty behind.

I'd also check all your local version files and the files in your backups as well. (You *DO* have backups, right?)

The FTP logs should have the IP used to upload and files. If it's not yours, then most likely that's your culprit. If at all possible, I would also add a firewall setting to restrict FTP access to your IP (or your range of IPs if you don't have a fixed IP address).
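As an added illustration of the log check suggested above (this is not code from the thread), the script below triages an IIS FTP log in W3C extended format for completed uploads of default.aspx from client IPs other than the site owner's, and counts failed logins per IP. The log lines, usernames and IPs are constructed; the parser reads the `#Fields:` header, so a server that logs a different field set still works.

```python
"""Added example, not code from the thread: triage an IIS FTP log (W3C
extended format) for uploads of default.aspx from client IPs other than the
site owner's. The log lines and IPs below are constructed; the parser reads
the #Fields: header, so a server that logs other fields still works."""
from collections import defaultdict

# Constructed sample: the owner (203.0.113.10) uploads on the 20th; another
# client fails the password twice, then succeeds and replaces default.aspx.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2014-03-20 14:02:11 203.0.113.10 siteowner 192.0.2.5 21 PASS *** 230 0 0 a1 -
2014-03-20 14:02:30 203.0.113.10 siteowner 192.0.2.5 21 STOR default.aspx 226 0 0 a1 /default.aspx
2014-03-23 03:11:02 198.51.100.77 siteowner 192.0.2.5 21 PASS *** 530 1326 1 b2 -
2014-03-23 03:11:04 198.51.100.77 siteowner 192.0.2.5 21 PASS *** 530 1326 1 b2 -
2014-03-23 03:11:07 198.51.100.77 siteowner 192.0.2.5 21 PASS *** 230 0 0 b2 -
2014-03-23 03:11:09 198.51.100.77 siteowner 192.0.2.5 21 STOR default.aspx 226 0 0 b2 /default.aspx
"""

UPLOAD_METHODS = {"STOR", "STOU", "APPE"}  # FTP commands that write a file

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def suspicious_uploads(text, trusted_ips, target="default.aspx"):
    """Map client IP -> timestamps of completed uploads of `target` by any
    IP outside the owner's trusted set (sc-status 226 = transfer complete)."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if (rec["cs-method"] in UPLOAD_METHODS
                and rec["cs-uri-stem"].lower().endswith(target)
                and rec["sc-status"] == "226"
                and rec["c-ip"] not in trusted_ips):
            hits[rec["c-ip"]].append(rec["date"] + " " + rec["time"])
    return dict(hits)

def failed_logins(text):
    """Count failed PASS commands (530) per client IP: a guessing indicator."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        if rec["cs-method"] == "PASS" and rec["sc-status"] == "530":
            counts[rec["c-ip"]] += 1
    return dict(counts)
```

Run `suspicious_uploads(open("u_exYYMMDD.log").read(), {"<your IP>"})` against the real log; a hit from an IP you do not recognise is the evidence to show the host, and an IP with many 530s right before a 230 points at a guessed password rather than a server-side hole.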

dstiles

9:28 pm on Mar 25, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also check the Users and Groups. It's quite possible that, once in, a new user and/or group was added to keep hold of the server. Simply changing the files and closing old holes does not guarantee it isn't still compromised.

bwnbwn

2:20 pm on Jul 30, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Was it just on the index page?
I had this happen one time; it was from an old script, through which he was able to insert this without having access through FTP or remote. I went through all the old files, removed all files that were no longer used, uploaded the whole site backup and haven't had an issue since. Just to be safe I changed all passwords and ran a scan on my computer.

Kendo

12:39 am on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is that Win Server 2003 or 2008? 2008 is much more robust.

I used to have this problem on a hosted site which required FTP access for us to reach it. That was a pain because SEO spammers were modifying pages. But when we changed the FTP password the problem stopped. Beats me how they got the password, but they did. But that is the risk of enabling FTP, and I have always been amused when noticing our logs and how many would-be amateur hackers are using random password crunching software. The 3-strikes-and-you're-out firewall rule works wonders.

incrediBILL

12:52 am on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



BTW, what you're describing sounds like a standard blackhat SEO hack, where they hack the account server just to get links.

Is this your own server or is this a shared hosted service? If shared, RUN! Might be just your account, might be the whole server.

My experience with Windows boxes was never great because we used to run a mail service on the box so obviously even the file attachments were a danger.

What kind of site do you run?

Is this written by yourself or does it contain open source or anything a hacker might've found with a hole in it?

Do you allow uploads or anything that might be vulnerable?

Last but not least, if you think they managed to put a rootkit on the box, or password sniffers, your best defense is to reload it from scratch.

Also, consider the hacked machine COULD be your desktop or someone else's desktop that has direct access to that server. Once had an ecommerce site with CC's being stolen and the server was hardened all to hell, did it myself, totally tight. The only IPs we could see accessing the box were ours (we were a hosting company) and the customers. Turned out the FBI found the hacker tricked someone into clicking an email with a trojan and gained access from inside their company firewall which had whitelisted access to our server. Quite brilliant but I took a lot of heat proving WE were not the source of the CC theft.

lleemon

2:09 am on Jul 31, 2014 (gmt 0)

10+ Year Member



Was it just on the index page?

-Yes, default.aspx

Is that Win Server 2003 or 2008?

-Not sure, it's using Parallels Plesk 8.6 Control Panel and within this all I could find is ASP.NET Framework ver 2.0

Is this your own server or is this a shared hosted service?

-Shared

What kind of site do you run?

-It's actually a static site that uses .net templates with some jQuery for pulling in certain info from other sites.

Is this written by yourself or does it contain open source or anything a hacker might've found with a hole in it?

-It is not open source

Do you allow uploads or anything that might be vulnerable?

-No

Just wondering if anyone has a html source watcher where I can be notified when the source code is changed to see logs quickly. I have combed through FTP and HTTP logs and not finding anything near the time the file was changed.

bwnbwn

2:13 pm on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Mine was a static site as well, so I would look really hard at the jQuery file; it is probably old and hackable, or, as I said, there are old files on the server not being used that might be the culprit.

lleemon

2:31 pm on Jul 31, 2014 (gmt 0)

10+ Year Member



So you're saying the jQuery framework has code to open the site? Anyone have documentation on things to check for, or ways to test if I have an open door?

bwnbwn

6:02 pm on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



lleemon, I am not saying it was, but was the code modified to fit your application? Anything can be hacked if the code added to modify the jQuery is weak. You said you're using it to bring in content from other sites. All I am saying is this could be a weak point.

not2easy

6:13 pm on Jul 31, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Google has an instructive video and complete instructions on how to check and how to clean and test hacked sites: [support.google.com...]

dstiles

7:52 pm on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> html source watcher

I use urlwatcher from a Linux box. Any change to the target file, including size and becoming unavailable, is emailed to you. Set it up under cron.
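For the "html source watcher" asked about above, here is an added example (not the thread's code, and not urlwatcher itself) of the two checks such a watcher needs: a hash comparison of the fetched page against a stored baseline that reports the lines that appeared, plus a parser that flags the exact pattern in this thread, a 1x1 or hidden element wrapping an outbound link. The HTML pages below are constructed; fetching and cron scheduling are left to the caller.

```python
"""Added example, not from the thread: a minimal source watcher. It compares
the current page with a stored baseline and also flags the pattern seen in
this thread: a 1x1 or hidden element wrapping an outbound link (constructed HTML)."""
import difflib
import hashlib
from html.parser import HTMLParser

HIDING_TAGS = {"marquee", "div", "span", "iframe"}

class HiddenLinkFinder(HTMLParser):
    """Collect outbound links that sit inside a visually hidden container."""
    def __init__(self):
        super().__init__()
        self.depth = 0     # how deep we are inside a hidden container
        self.found = []
    @staticmethod
    def _hidden(attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style
    def handle_starttag(self, tag, attrs):
        if tag in HIDING_TAGS and (self.depth or self._hidden(attrs)):
            self.depth += 1          # nested tags keep the depth balanced
        elif tag == "a" and self.depth:
            href = dict(attrs).get("href") or ""
            if href.startswith(("http://", "https://", "//")):
                self.found.append(href)
    def handle_endtag(self, tag):
        if tag in HIDING_TAGS and self.depth:
            self.depth -= 1

def find_hidden_links(html):
    p = HiddenLinkFinder()
    p.feed(html)
    return p.found

def page_changed(baseline_html, current_html):
    """Return (changed, added_lines): hash compare first, then the lines that appeared."""
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()  # what a watcher stores
    if digest(baseline_html) == digest(current_html):
        return False, []
    diff = difflib.unified_diff(baseline_html.splitlines(),
                                current_html.splitlines(), lineterm="", n=0)
    return True, [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

BASELINE = "<html><body><h1>Welcome</h1><p>Our shop</p></body></html>"
# Constructed tampered copy: the same page with the thread's hidden spam link appended.
TAMPERED = BASELINE + ('\n<marquee width="1" height="1" scrollamount=9981>'
           '<a href="http://www.example.com/" target="_blank"><strong>nike air</strong></a></marquee>')
```

Store `hashlib.sha256(page).hexdigest()` of a known-good fetch, run `page_changed` and `find_hidden_links` on each cron fetch, and alert on either result; the hidden-link check also catches an injection that was present before the baseline was taken.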

incrediBILL

9:16 pm on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Is this your own server or is this a shared hosted service?
> -Shared


There's your answer.

Based on my experience it's probably a server wide problem and has nothing to do with your site.

The host will tell you that your FTP password was compromised and needs to be changed.

Yeah, right.

Most servers maintain FTP access logs and you can easily see the history of who accessed your server. Worth a look, and an easy way to call the host's bluff when they tell you that's how it happened.

Most real webmasters use SFTP these days, and VPNs, etc., so a compromised FTP password is highly unlikely; it's the typical meaningless platitude given to hosting customers when they have no real answer or are afraid to tell you the whole server got hacked.

However, it doesn't matter how good your security practices are, the server is only as secure as its weakest webmaster still using old FTP or leaving software with vulnerabilities online without updating.

The best you can do is move to a new server.

The second best is fix your site and monitor it for future changes.