Questions about an infection
Posted on 2009-02-08
Seemingly out of the blue I have some questions regarding a trojan that keeps popping up on our servers. For quite some weeks now, we have had to deal with Trojan Downloader JS IFrame.acm. Virtually all index.php and index.html files are infected with it.
And yes, all these files extensively use iframes and stuff. But now I noticed that the time last edited was in fact yesterday, if it is correct to assume that the timestamp I see in Total Commander (FTP) reflects the last edited time.
Do I change those attributes when I'm browsing files with Total Commander FTP?
Could virtually any file or harmful code change those files? And more important, that stamp reflects the exact time of infection. So my guess would be that someone was doing something, either uploading or modifying or whatever.
See, I'm trying to discover the source of the problem, and one lead is to check when the files were last edited; more particularly, it could tell us who was doing what at that time on the server. Only 3 of us have FTP access to the server and use it extensively. However, we didn't and don't modify all index files we stumble upon, of course ;)
We could very well be talking about a few hundred files here. I'm not sure how well things are handled on the server itself. I can access it via FTP but that is about it.
Thanks for any responses and if you need info please ask. I'm eager to learn and understand.