Meanwhile, I found the culprit:
On monday, I've had a malware on my PC. Suddenly, while visiting a website (I do not remember him anymore), my java started working and I had a malware on my PC. After 30 minutes, I managed to get it deleted from my PC, but the harm was done.
I was using filezilla and there, the passwords are stored in a simple text-file. This textfile has been sent to somewhere in Russia and then the sites were hacked with that information.
30 minutes are already enough to do this many harm. Shame on me, because my antivirus was complaining and I clicked Ignore instead of Heal....
Thanks everybody
Steven
_____
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of patrick.bowe@comcast.net Sent: woensdag 30 december 2009 16:15 To: support@drupal.org Subject: Re: [support] Hacked or not
I googled some of the code and found this:
http://blog.bigg.net/2009/12/gnu-gpl-trywindow-onload-functionvar-trojan-fix /
----- Original Message ----- From: steven@vermoere.net To: support@drupal.org Sent: Wednesday, December 30, 2009 9:58:50 AM GMT -05:00 US/Canada Eastern Subject: Re: [support] Hacked or not
I'll check it ASAP, but I do not see anything special at this moment. I'll keep you informed.
Thanks
I checked the other websites that I have and they all have the same problem.
They are however all at other hosting companies. All usernames and passwords are different and are composed of random characters (capitals, numbers, non-capitals). All Drupalversions are also different (1 most recent, other one 5, another one 6) I find it difficult to believe that all sites are hacked at the same time, with all different hosters at different locations.
Sounds like your PC has been comprised and someone has access to all FTP accounts stored there. I would run a very thorough check on your local machines for viruses and/or other unwanted nasties.
F
[ Drupal support list | http://lists.drupal.org/ ]