Firstly seiler, I wouldn't consider myself a 'jerk', hijacking a thread just to point out your opion of me isn't helping.
You can imagine that when reading a response to this thread in the hope that somebody will have an idea on what may be causing this, and it's a question that was answered in a previous thread it can become frustrating.
I will make it clear that I appreciate anybody's ideas and recommendations and I do not think I am better or know more than anybody, most of my posts in this thread have ended in questions.
The response I had from DH was not literally as I stated.. I was merely conveying the tone of the response. The fact that it may be only my hosting that has been compromised is indeed a fact that has to be considered. If this is the case then I would consider it a wise decision to at least look at my account to see if this poses a risk to the rest of the server.
I hope this clears up any misgivings and makes my purpose here clear.
Update: Reply from DH
It's possible there was something hiding in /tmp, so I removed
everything there. I also made sure you have no crontabs set up.
There should be nothing on your account now, so this should stop
happening. If it does, then we'll need to delete the username, and start
Well at least this person took it seriously to take some sort of action. I won't know if this has helped until I get home from work and can check the server, but I will keep you informed.
The encrypted code in the index.php creates a file containing the 'feebs' worm on the visitors computer. I, having visited the site have been infected and I'm having great difficulting in removing it.
It seems to be using explorer.EXE which is running from my \Windows\ dir, also scvhost.exe has opened up numerous ports as 'system' with a PID of 0 ... therefore the process cannot be killed.
Using netstat -an I can see about 100 LISTENING conns to .AU servers on port 53.
My router should prevent an data being transferred although I have put my firewall (Kas) on lockdown.
I'll update this evening when I have looked at the server.