I've never experienced this before, but several accounts (about 3 or 4) contained PayPal spoofing files. Then the other day, I found a spam script in a few accounts (it was the exact same script).
I'm thinking something has been compromised? Because these files don't just appear there. Any suggestions? Thanks
It happens; someone might simply be brute forcing the password, it being fairly easy to guess. You should scan your machine for viruses and spyware to ensure nothing is logging your keystrokes for passwords.
What ties all the accounts together? Any one thing?
Are all of the accounts owned by one individual? Are they all under one reseller?
My guess is that the owner(s) of the accounts has had their personal computer or a computer that they use to access their account(s) compromised. They may have their FTP login information stored in their FTP's site manager and they may have a trojan or piece of malware that is retrieving this information and sending it to hackers.
If all of these compromised accounts are owned by one individual then that would seem to support this theory. If all of the compromised accounts are part of a reseller's account, then perhaps the reseller is the one that is compromised. The trojan or malware could be reading e-mails on the infected individual's computer to retrieve the usernames and passwords.
If the compromised accounts are owned by completely different users, then this could still very well be the root cause of the compromise. Instead of one computer being compromised with a trojan or malware, many computers could be infected with a similar trojan or malware leading to their accounts being compromised.
Ooh ok, I checked the compromised accounts, and the last logged in IP was something like: 126.96.36.199 (it traces to Egypt). All the accounts are owned by completely different, innocent people. It's very weird.
IMO it's a problem with the clients' computers, as SPaReK said. I have 2 dedicated servers; 99% of the websites hosted on them were made by me, so I take care of the FTP passwords and other sensitive information. In all those years, in only 3 cases have I had a problem similar to yours.
1. I gave my client the FTP password; his client was infected by spyware/a worm... it took about 2 weeks and his website files were altered by a worm over FTP (all index.php files had encrypted base64 code added, and new js files were added too).
2. An old phpBB forum was hacked, I think it was version 2.18. After searching the logs I was amazed how easy it is to find the database password and the database user... incredibly, you only had to add 2 parameters to the showtopic.php link.
3. Another client: I gave him the FTP password 2 weeks ago, and two days ago his Gallery v.2 website was completely blank. After searching the files I saw that lots of PHP files had been edited by FTP and lots of js files had also been added by FTP. I told him to scan his computer and of course he found a few trojans, a few worms... and other viruses.
I suggest you search the FTP logs for the date the files were modified.
Change the cPanel password and ask your client to use programs like KeePass to store their passwords.
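
One way to run the FTP-log check suggested in the reply above, and to test whether a single source address uploaded to several unrelated accounts, as the original poster saw with the last-login IP. This is an added example, not code from anyone in the thread; it assumes the server writes the common xferlog format, and the log lines, account names and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the common xferlog layout (an assumption; the
# thread does not say which FTP daemon or log format the server uses).
# Addresses are documentation ranges; accounts and paths are made up.
SAMPLE_XFERLOG = """\
Mon Mar  1 09:14:02 2010 1 198.51.100.7 5120 /home/alice/public_html/about.html a _ i r alice ftp 0 * c
Wed Mar  3 02:41:10 2010 1 203.0.113.50 18233 /home/alice/public_html/index.php a _ i r alice ftp 0 * c
Wed Mar  3 02:41:55 2010 2 203.0.113.50 40960 /home/bob/public_html/mailer.php a _ i r bob ftp 0 * c
Wed Mar  3 02:43:19 2010 1 203.0.113.50 40960 /home/carol/public_html/mailer.php a _ i r carol ftp 0 * c
Wed Mar  3 11:05:44 2010 1 192.0.2.21 2048 /home/bob/public_html/style.css a _ o r bob ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; skip anything else."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        # Trailing fields are indexed from the right so paths with spaces parse.
        yield {"time": when, "ip": f[6], "path": " ".join(f[8:-9]),
               "direction": f[-7], "user": f[-5], "status": f[-1]}

def uploads_in_window(entries, start, end):
    """Completed uploads (direction 'i') with a timestamp in [start, end]."""
    return [e for e in entries
            if e["direction"] == "i" and e["status"] == "c"
            and start <= e["time"] <= end]

def ips_spanning_accounts(uploads, min_accounts=2):
    """Map each source IP to the accounts it uploaded to, keeping only
    IPs seen on at least min_accounts different accounts."""
    seen = defaultdict(set)
    for e in uploads:
        seen[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    # Window around the modification date of the planted files (constructed).
    hits = uploads_in_window(parse_xferlog(SAMPLE_XFERLOG),
                             datetime(2010, 3, 3), datetime(2010, 3, 4))
    for e in hits:
        print(e["time"], e["ip"], e["user"], e["path"])
    print(ips_spanning_accounts(hits))
```

Set the window from the modification times of the unexpected files; an address that uploaded to several unrelated accounts in that window points to stolen FTP credentials rather than a change made by the account owners.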