Sounds to me like Gumblar Virus see this link<br><a href="http://blog.scansafe.com/journal/2009/11/18/where-to-look-for-gumblar-backdoors.html">http://blog.scansafe.com/journal/2009/11/18/where-to-look-for-gumblar-backdoors.html</a><br>
<br clear="all">David A. Shaver <br>D. A. Shaver Web Design<br>Web Page Design for Small Business<br><a href="http://www.dashaver.com">www.dashaver.com</a> <br>PO Box 594 Galesburg,IL 61402-0594 <br>
309.343.0027 <br><br>
<br><br><div class="gmail_quote">On Wed, Jan 27, 2010 at 8:22 AM, Ken Rickard <span dir="ltr"><<a href="mailto:agentrickard@gmail.com">agentrickard@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I had something similar happen on WordPress. It was a simple FTP<br>
(non-secure) password sniffer watching network traffic to the host.<br>
My site would get hacked within twenty minutes of making a change via<br>
FTP.<br>
<br>
I finally forced the hosting provider to support SFTP for my account.<br>
<br>
On Wed, Jan 27, 2010 at 7:14 AM, Adam Gregory <<a href="mailto:arcaneadam@gmail.com">arcaneadam@gmail.com</a>> wrote:<br>
> This is more a server security issue rather than a Drupal one. I've seen<br>
> this happen with Drupal, Joomla, Wordpress and custom PHP code. It really<br>
> most likely means that access to the server/host was compromised at some<br>
> point.<br>
><br>
> There are lost of things that can be done to prevent this like chmod/own-ing<br>
> your file system correctly(As Gerhard touched on). This is also a good<br>
> reason to use SFTP rather then FTP as passwords in SFTP are sent encrypted<br>
> and FTP are not leaving them open to a man-in-the-middle attack.<br>
><br>
> Ultimately though it's a good example of how Drupal can only go so far in<br>
> keeping itself secure but there are still plenty of other ways out side<br>
> Drupals area of responsibility that your site can be compromised.<br>
> -----<br>
> Adam A. Gregory<br>
> Drupal Developer & Consultant<br>
> Web: AdamAGregory.com<br>
> Twitter: <a href="http://twitter.com/adamgregory" target="_blank">twitter.com/adamgregory</a><br>
> Phone: 910.808.1717<br>
> Cell: 706.761.7375<br>
><br>
><br>
> On Wed, Jan 27, 2010 at 6:53 AM, Fred Jones <<a href="mailto:fredthejonester@gmail.com">fredthejonester@gmail.com</a>><br>
> wrote:<br>
>><br>
>> > I also wonder whether Drupal could be adjusted so as to automatically<br>
>> > set<br>
>> > file bootstrap.inc, and perhaps other critical ones, as read-only. So<br>
>> > far it<br>
>> > is done only with settings.php file.<br>
>><br>
>> Well if they did it via FTP, that wouldn't help...<br>
>><br>
>> F<br>
><br>
><br>
<font color="#888888"><br>
<br>
<br>
--<br>
Ken Rickard<br>
<a href="mailto:agentrickard@gmail.com">agentrickard@gmail.com</a><br>
<a href="http://ken.therickards.com" target="_blank">http://ken.therickards.com</a><br>
</font></blockquote></div><br>