I have a virtual account with several domains on it. The root domain has an index.php. I noticed someone created a ton of spam pages on my root domain and modified the .htaccess. None of the other domains on the account were hacked.
The host tech support said my FTP was compromised and accessed from some IP in Russia, and that the hackers stole my FTP password with spyware.
I read in other places, however, that this is not spyware but because of the PHP index file. Now, I have a good antivirus and spyware tool and never noticed a problem, but I am worried because if they did have spyware they also have my other banking and email passwords.
Likely you'd be best to go through those accounts and change the passwords to them. If your scripts are insecure/out of date, they can possibly be hacked, so I'd also make sure to update your scripts to the latest versions as well.
Try this software to see if your computer harbors malware / viruses, which are often installed to steal passwords, address book lists and the like.
Likewise, as mentioned before, make sure to check whether your hosting account has any additional FTP accounts set up and delete those, as well as change your current FTP password. If you are running an application like WordPress or Joomla, make sure to change the passwords on those as well.
It's unlikely your web host was compromised. Though since you've been hacked once, it may be worthwhile to look around for another web host who provides "free daily malware scans" as part of their service. Had your host been monitoring your account for malware you would have been notified the day of the compromise (a necessity if you are running a business online).
If your hosting provider determined that your site was compromised by viewing the FTP logs, and the username in the logs was the same as yours, then yes, it may have been a virus on your PC that stole your FTP credentials.
You have some good recommendations so far:
1. Use SFTP. FTP transfers all data, including username and password in plain text. If you get a virus on your PC, the virus can install a sniffer which can view all FTP traffic. SFTP is encrypted, making it much more difficult to sniff.
2. Use Malwarebytes along with another good anti-virus program, such as Avast or AVG.
3. Don't use a free FTP program. These frequently store their saved credentials in a plain text file. The virus can seek and steal this information.
What you don't mention is if your website is using some CMS or ecommerce software.
All software has a vulnerability at one time or another. Keep your software and all your plugins updated. We've seen vulnerabilities being exploited in software used to manage the FAQs on websites, phpMyAdmin, Joomla, WordPress, OpenCart, osCommerce, Zen Cart, Magento, VirtueMart, and almost all other software.
You have to keep them all updated. Also keep the plugins updated.
Implement a good strong combination of .htaccess files and php.ini files. These will go a long, long way to protect your websites.
One last comment: while the economy of scale works well for hosting many websites on one account, it also makes any one of them vulnerable. Hackers upload shell scripts to websites, which are basically like a File Manager without a login.
This gives them total access to every file in your account. You have no idea which site might have a backdoor shell script in it until all the files are examined. Desktop anti-virus programs are ill-equipped to find these backdoors. Our tests show that they can only find about 18-20% of backdoors that hackers use.
Please post back with more questions or any additional information.
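A first-pass triage for two points raised in this thread, the modified .htaccess and the backdoor shell scripts that only turn up once every file is examined. This is an added example, not code from any poster here. The patterns, the 14-day window and the sample files are assumptions chosen for illustration, and a hit means "inspect by hand", not "confirmed malicious".

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Illustrative heuristics chosen for this example; not a complete signature set.
PHP_PATTERNS = {
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "code-from-request": re.compile(rb"(eval|assert|system|passthru)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}
HTACCESS_PATTERNS = {
    "php-prepend-or-append": re.compile(rb"auto_(prepend|append)_file", re.I),
    "rewrite-to-external-host": re.compile(rb"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M),
}

def scan_docroot(root, recent_days=14):
    """Return sorted (relative_path, reason) pairs for files worth a manual look."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in Path(root).rglob("*"):
        if path.name != ".htaccess" and path.suffix.lower() not in (".php", ".phtml"):
            continue
        patterns = HTACCESS_PATTERNS if path.name == ".htaccess" else PHP_PATTERNS
        rel = path.relative_to(root).as_posix()
        try:
            data, mtime = path.read_bytes(), path.stat().st_mtime
        except OSError:  # unreadable file, or a directory named like a script
            findings.append((rel, "unreadable"))
            continue
        findings += [(rel, why) for why, rx in patterns.items() if rx.search(data)]
        if mtime >= cutoff:
            findings.append((rel, "recently-modified"))
    return sorted(findings)

def demo():
    """Scan a constructed docroot; every file below is made up for this example."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "cache/x.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        ".htaccess": b"RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/$1 [R,L]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        old = time.time() - 90 * 86400
        os.utime(Path(root, "index.php"), (old, old))  # untouched for 90 days
        return scan_docroot(root)
```

Run `scan_docroot()` against a downloaded copy of the whole account, not just the domain that showed spam pages, since every site on the account shares the same files.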