<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<STYLE type=text/css>P {
MARGIN: 0px
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.18854"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial>Meanwhile, I found the culprit:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial>On monday, I've had a malware on my PC. Suddenly, while
visiting a website (I do not remember him anymore), my java started working and
I had a malware on my PC. After 30 minutes, I managed to get it deleted
from my PC, but the harm was done. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial>I was using filezilla and there, the passwords are stored in a
simple text-file. This textfile has been sent to somewhere in Russia and then
the sites were hacked with that information.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial>30 minutes are already enough to do this many harm. Shame on
me, because my antivirus was complaining and I clicked Ignore instead of
Heal....</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial>Thanks everybody</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=312180800-31122009><FONT color=#0000ff
size=2 face=Arial>Steven</FONT></SPAN></DIV><BR>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> support-bounces@drupal.org
[mailto:support-bounces@drupal.org] <B>On Behalf Of
</B>patrick.bowe@comcast.net<BR><B>Sent:</B> woensdag 30 december 2009
16:15<BR><B>To:</B> support@drupal.org<BR><B>Subject:</B> Re: [support] Hacked
or not<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV style="FONT-FAMILY: Arial; COLOR: #000000; FONT-SIZE: 12pt">I googled some
of the code and found
this:<BR><BR>http://blog.bigg.net/2009/12/gnu-gpl-trywindow-onload-functionvar-trojan-fix/<BR><BR><BR>-----
Original Message -----<BR>From: steven@vermoere.net<BR>To:
support@drupal.org<BR>Sent: Wednesday, December 30, 2009 9:58:50 AM GMT -05:00
US/Canada Eastern<BR>Subject: Re: [support] Hacked or not<BR><BR><BR>I'll check
it ASAP, but I do not see anything special at this moment. I'll<BR>keep you
informed.<BR><BR>Thanks<BR><BR>>> I checked the other websites that I have
and they all have the same<BR>>> problem.<BR>>><BR>>> They are
however all at other hosting companies. All usernames and<BR>>> passwords
are different and are composed of random characters (capitals,<BR>>>
numbers, non-capitals).<BR>>> All Drupalversions are also different (1
most recent, other one 5,<BR>>> another<BR>>> one 6)<BR>>> I
find it difficult to believe that all sites are hacked at the same<BR>>>
time,<BR>>> with all different hosters at different
locations.<BR>><BR>> Sounds like your PC has been comprised and someone
has access to all<BR>> FTP accounts stored there. I would run a very thorough
check on your<BR>> local machines for viruses and/or other unwanted
nasties.<BR>><BR>> F<BR>> --<BR>> [ Drupal support list |
http://lists.drupal.org/ ]<BR>><BR><BR><BR>-- <BR>[ Drupal support list |
http://lists.drupal.org/ ]<BR></DIV></BODY></HTML>