We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Questions about an infection

PeterdeB asked
Medium Priority
Last Modified: 2013-12-04
Hi Folks,

Seemingly out of the blue I have some questions regarding a trojan that keeps popping up on our servers. For quite some weeks now, we have to deal with Trojan Downloader JS IFrame.acm. Virtually all index.php and index.html files are infected with it.

And yes all these files extensively use iframes and stuff. But now I noticed that the time last edited, was in fact yesterday. If it is correct to assume that the timestamp I see in total commander (FTP) reflects the last edited time.

Do I change those attributes when I'm browsing files with total commander FTP?
Could virtually any file or harmfull code, change those files? And more important, that stamp reflects the exact time of infection. So my guess would be that someone was doing something either uploading or modifying or whatever.

See Im trying to discover the source of the problem, and one lead is to check when the files were last edited, more particular it could tell us who was doing what at that time on the server. Only 3 of us have FTP accesss to the server and use it extensively. However we didnt and dont modify all index files we stumble upon ofcourse ;)

If you need more info please ask. Currently my employer is all too busy with other things, but I'm more than concerned about this matter. My collegue is granted the task of handling all this and currently he seems to rename the php files to txt. Download them, cuts out the harmfull piece of javascript and uploads them again.

We could very well be talking about a few hundred files here. I'm not sure how well things are handled on the server itself. I can access it via FTP but that is aobut it.

Thanks for any responses and if you need info please ask. I'm eager to learn and understand.

Regards Peter

Watch Question


Could some nasty person be coming in through FTP?
Do you have logging on your FTP server?  
Are you sure your FTP server is secured?

Or, maybe there is some other infection/virus/malware already running on the server, that gives someone remote access/control?

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Yes it is an access problem, thanks.

Regards Peter
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.