The Symptoms And The Cure
We noticed strange java code patterns inside some of our website files (usually in index.php). This injection can be easily noticed if you view source of your pages and watch the very beginning and the very end. If you notice a suspicious looking piece of JS code, your site might be infected.
The current attack has a code that starts with this:
In most cases, these patterns were calling php scripts from some webserver.
We thought that it was some virus that we uploaded to server from our workstations while updating files, but then we discovered ftp uploads from unknown places. We were using pure-ftpd.
Since pure-ftpd was logging its activities in syslog, this is how we found suspicious ftp connections and extracted originating ip addresses:
If your ftp daemon has different logging form, you will have to make some adjustments.
With this list you can do whatever you want (ban listed ip addresses, inform their owners…).
After this we replaced ftp server.