Originally Posted by PornAddict

When I contacted them, I told them that I think my server has been hacked and if they can look around to see what happened. I told them about how the javascript was being installed on certain files.

The tech did a search and said that there was no actual hack but to check my scripts. That was it... I don't know which scripts or anything. All I do know is that I currently only have 4 scripts running on that server (ccbill, paycom, pennywize and nats).

It seems like they keep attacking the same 3 sites. What's weird is that the sites that are targeted are ones that were set up via paycom. I then contacted paycom because I remembered seeing a post on here about paycom's info being compromised and their scripts left open. It seemed like the case was cracked. I had paycom check around and nothing in their end (on my server) seemed to be modified, but they uploaded a fresh script regardless just to see. It has then happened again.

So, that's kinda where I am now. Still searching for an answer and a solution on how to prevent this from happening.

I don't know what the script does, but I know my mcafee picks it up and deletes it immediately... however, I don't know what it's doing to those without virus protection.

The way I normally catch it is when I ftp, I see the dates on which certain files were modified. There's no reason to ever update my index file (since it's just a standard warning / entrance page) so when I see newer dates, I know something is up.

- PornAddict