Infection of a website via FTP involves injecting an <iframe> into the site's code, through which visitors to the website are redirected to another page called the 'attack site'. The attack site attempts to install a malicious program on the visitor's computer in order to gain access, gather information and display unsolicited content. A site that has been hacked with this kind of attack can be recognized when it is loaded in a web browser: usually the browser displays a warning that the content is potentially harmful, or the antivirus installed on the computer displays a warning when the program on the 'attack site' tries to access the computer.
The infection mechanism is as follows: FTP passwords are stolen by a trojan from the workstation from which you access the site via FTP. The stolen credentials are used to log in via FTP, download files, inject the malicious code, and upload the files back to the site. The infected files are usually index.html or index.php, but the changes can also be made in .js scripts, where the target URL is usually encoded and is decoded later at runtime.
The following steps correct the consequences of an FTP-based attack on the site and prevent reinfection. To prevent reinfection it is important to take the steps in this order:
1. Scan with an antivirus and disinfect the workstation(s) from which the infected website was accessed via FTP. For this, use at least one good antivirus and antispyware product. If this is not done properly and completely, the site will be infected again within a few hours of the malicious code being cleaned.
2. Change the passwords for the FTP accounts used to access the site. This can be done from the website control panel (cPanel, Plesk and so on). Not changing the passwords can lead to recurrence of the problem.
3. Check carefully and remove foreign code from the infected site. Check all files, with index files as the priority. Most often you will find an <iframe> at the beginning or end of the infected file(s).
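The check in step 3, as an added example that is not part of the original article: a Python scanner that walks a local copy of the site and lists files with an <iframe> at the start or end, a hidden <iframe>, or a script that decodes a string at runtime. The patterns, the EDGE threshold and the constructed sample files (with the placeholder host attack-site.example) are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions of this example; tune them for your site).
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(rb"(?:width|height)\s*=\s*[\"']?[01]\b|display\s*:\s*none"
                    rb"|visibility\s*:\s*hidden", re.I)
DECODER = re.compile(rb"unescape\s*\(|fromCharCode\s*\(", re.I)
EXTS = {".html", ".htm", ".php", ".js"}
EDGE = 200  # bytes from the start or end of a file treated as its "edge"

def scan_file(path):
    """Return the reasons a file deserves manual review (empty list if none)."""
    data = Path(path).read_bytes()
    reasons = []
    for m in IFRAME.finditer(data):
        if m.start() < EDGE or m.end() > len(data) - EDGE:
            reasons.append("iframe at start/end of file")
        elif HIDDEN.search(m.group(0)):
            reasons.append("hidden iframe")
    if Path(path).suffix.lower() == ".js" and DECODER.search(data):
        reasons.append("script decodes an encoded string at runtime")
    return reasons

def scan_tree(root):
    """Scan a local copy of the site; index files are listed first."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTS:
            hits += [(path.relative_to(root).as_posix(), r) for r in scan_file(path)]
    return sorted(hits, key=lambda h: (not Path(h[0]).name.startswith("index."), h))

def demo():
    """Scan a constructed sample site (placeholder host name, not real data)."""
    body = b"<html><body>" + b"<p>text</p>" * 40
    samples = {
        "index.php": body + b"</body></html><iframe src='http://attack-site.example/' width=1 height=1></iframe>",
        "about.html": body + b"<iframe src='/map.html' width='600'></iframe>" + b"<p>text</p>" * 40 + b"</body></html>",
        "menu.js": b"document.write(unescape('%3Cconstructed%3E'));",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            Path(root, name).write_bytes(content)
        return scan_tree(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Findings are leads for manual review, not verdicts: legitimate pages can also embed an <iframe> or call unescape().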
Following these steps carefully solves the problem. Increasing the security of the computers used to access your site via FTP will help avoid such problems.