Questions about an infection

Hi Folks,

Seemingly out of the blue I have some questions regarding a trojan that keeps popping up on our servers. For quite some weeks now, we have to deal with Trojan Downloader JS IFrame.acm. Virtually all index.php and index.html files are infected with it.

And yes all these files extensively use iframes and stuff. But now I noticed that the time last edited, was in fact yesterday. If it is correct to assume that the timestamp I see in total commander (FTP) reflects the last edited time.

Do I change those attributes when I'm browsing files with total commander FTP?
Could virtually any file or harmfull code, change those files? And more important, that stamp reflects the exact time of infection. So my guess would be that someone was doing something either uploading or modifying or whatever.

See Im trying to discover the source of the problem, and one lead is to check when the files were last edited, more particular it could tell us who was doing what at that time on the server. Only 3 of us have FTP accesss to the server and use it extensively. However we didnt and dont modify all index files we stumble upon ofcourse ;)

If you need more info please ask. Currently my employer is all too busy with other things, but I'm more than concerned about this matter. My collegue is granted the task of handling all this and currently he seems to rename the php files to txt. Download them, cuts out the harmfull piece of javascript and uploads them again.

We could very well be talking about a few hundred files here. I'm not sure how well things are handled on the server itself. I can access it via FTP but that is aobut it.

Thanks for any responses and if you need info please ask. I'm eager to learn and understand.

Regards Peter


PeterdeBAsked:
Who is Participating?
 
KaffiendConnect With a Mentor Commented:

Could some nasty person be coming in through FTP?
Do you have logging on your FTP server?  
Are you sure your FTP server is secured?



Or, maybe there is some other infection/virus/malware already running on the server, that gives someone remote access/control?
0
 
PeterdeBAuthor Commented:
Yes it is an access problem, thanks.

Regards Peter
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.