This definitely sounds as if you couldn't have prevented the compromise while being hosted with your current provider. It may be time to grab your sites and move them to a different host or perhaps gather them all and head on to a VPS or dedicated server of your own. Costs are slightly higher, but this way you can be assured that you are the responsible one for the security and integrity of your website on your private access platform.
Check the forum's offers section for lots of companies to choose from.
(Good time to make sure you have up to date website backups too.)
- Donovan K
Want to monitor and manage your customers' Windows systems by Client software, web portal, or mobile phone?
Automated scripts, patching, and remote access too? Ask me how!
This is quite common with shared hosting for many reasons. We migrate sites off from other hosts all the time and we're able to access 1,000s of sites over 50% of the time. We report the security risk to the hosting companies and rarely hear back. It's amazing really.
If you're needing help, please let me know. We cannot provide the forensics of the breach since it's not on our boxes but we can protect to not let it happen again.
Chris Drake - Founder and CEO | FIREHOST INC. SECURE CLOUD HOSTING Dallas | Phoenix | London | Amsterdam
Depending on what was injected into your index pages, it could be a virus on a PC with FTP access to those sites.
The virus works in many ways.
First, it knows where commonly used FTP programs (FileZilla, etc) store the username and passwords used to automatically login to a website. The virus seeks out those files, steals the FTP credentials and sends them to a server that then carries out the infection by using valid FTP login credentials.
Second, it acts as a keyboard logger for those times when people don't want to store their FTP login credentials for fear of a virus that might steal them.
Third, the virus sniffs the FTP traffic as it leaves the PC. Since FTP transmits all data, including FTP login credentials, in plain text, it's easy to steal the FTP login credentials there.
Fourth, the virus injects its malscript into the FTP data stream as it leaves the PC on its way to the destination website. This method won't leave any clues in the FTP log files like the previous methods will.
The fifth way we've seen is that the virus waits for the user to upload a file to the website. It piggybacks the FTP session and sends up a different webpage at the same time the user does. This will not leave a clue in the log file either.
Yes, it is still possible even though not all the websites accessible via FTP from that PC were infected - yet. The virus will sometimes only infect some of the websites it finds the FTP login credentials for. It will wait some period of time before infecting the others.
Do yourself a favor and run a virus scan on all PCs that have FTP access to your websites. We've worked on cases where someone had FTP access a year ago, and they contracted a virus on their PC and that turned out to be the cause of the infection.
If your current anti-virus software shows nothing, then install something new, as oftentimes the virus "learns" how to evade detection of the current anti-virus software. Many have had good success with AVG, Avast, Avira or Malwarebytes. If you're already using one of these, and it finds nothing, then install one of the other ones.
After eradicating the virus, change all FTP passwords. Then you can safely upload clean files to your site.
Also, check the images folder to see if there are any .php files in there. If there are, check them. We've been seeing that after they infect a website, they'll upload remote shell access files in the images folder so they can repeat their infection even after you've removed their virus.
These might be some steps to follow before you change hosting providers.
Of course, I'm a security guy so that's what I would do. I'm sure the other suggestions here are very valid as well, but if you move your site, and it is hacked again, you might end up coming back to this suggestion anyway.
This is just my opinion and my experience. As always YMMV.
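The images-folder check suggested in the post above, as an added example that is not part of the original thread: a Python sketch that lists files for manual review. The folder names, the extension lists and the sample tree are assumptions constructed for the demo, and it goes slightly beyond the post by also flagging image files that contain a PHP open tag.

```python
import os
import tempfile

# Assumed lists; adjust to the extensions your server hands to PHP.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
IMAGE_DIRS = {"images", "img", "uploads"}  # hypothetical folder names

def find_suspect_files(web_root):
    """Return sorted (relative_path, reason) pairs that need manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        # Only look inside image-type folders, at any depth below them.
        if not any(p.lower() in IMAGE_DIRS for p in rel_dir.split(os.sep)):
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            lower = name.lower()
            # Every dotted segment counts, so "photo.php.jpg" is caught too.
            segments = {"." + s for s in lower.split(".")[1:]}
            if segments & PHP_EXTS:
                findings.append((rel, "php extension in image folder"))
            elif os.path.splitext(lower)[1] in IMAGE_EXTS:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # first 64 KiB is enough for a tag check
                if b"<?php" in head.lower():
                    findings.append((rel, "image file containing PHP open tag"))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree for the demo; not data from the thread."""
    samples = {
        "index.php": b"<?php echo 'home'; ?>",
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "images/thumbs/cache.php": b"<?php /* placeholder */ ?>",
        "images/banner.gif": b"GIF89a<?php /* placeholder */ ?>",
        "images/photo.php.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        for rel, reason in find_suspect_files(root):
            print(f"{rel}: {reason}")
```

Run it against a downloaded copy of the site so the review does not depend on the possibly compromised FTP account.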
Switching hosts will not fix the problem. Those of you who are "immune" from this ever happening are naive. There are two types of system administrators: those who have been hacked and those who will be hacked. Have a plan "B" for these situations in the future. If you can afford to be down for a few hours, just be sure to have your own backups in the worst-case scenario. If you can't afford to be down for a few hours, spend the money and get redundancy all the way around. Good luck with it!