<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Recent Site Problems</title>
	<atom:link href="http://www.streamingcolour.com/blog/2009/06/25/recent-site-problems/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.streamingcolour.com/blog/2009/06/25/recent-site-problems/</link>
	<description>The trials and joys of indie games development</description>
	<lastBuildDate>Sat, 28 Jan 2012 19:32:30 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: P.J. Tezza</title>
		<link>http://www.streamingcolour.com/blog/2009/06/25/recent-site-problems/comment-page-1/#comment-5031</link>
		<dc:creator>P.J. Tezza</dc:creator>
		<pubDate>Fri, 26 Jun 2009 03:38:12 +0000</pubDate>
		<guid isPermaLink="false">http://www.streamingcolour.com/blog/?p=656#comment-5031</guid>
		<description>Hi Owen,

My company hosts a few hundred sites for customers and we&#039;ve recently had this same problem with two different customers. In both cases, I am fairly sure a virus on the client computers got the customer&#039;s FTP credentials and used them to upload malicious code (hidden iframe-based browser exploit) to the site&#039;s main index.html file.

In both cases, the customer had tried to remove the code one or more times before contacting me. I changed the FTP password and started seeing a lot of failed logins from different IP addresses. Since changing the password and cleaning the files, the malicious code has not come back again.

In one of the cases, I know for sure the customer had a virus and had to have their PC reformatted. Otherwise, I would have suspected a server problem from the beginning. In the other case, my customer had used a 3rd party to work on their web site, so it&#039;s hard to know if the 3rd party (or one of their contractors) could have been infected (though with the high number of FTP login attempts at all hours, at this point I have to assume something weird was going on).

I&#039;m not saying you have (or somebody you gave the FTP login to has) a virus. But, this all just happened a couple of weeks ago. I&#039;m just getting the information out there with the hope that somebody can benefit.

PJ</description>
		<content:encoded><![CDATA[<p>Hi Owen,</p>
<p>My company hosts a few hundred sites for customers and we&#8217;ve recently had this same problem with two different customers. In both cases, I am fairly sure a virus on the client computers got the customer&#8217;s FTP credentials and used them to upload malicious code (hidden iframe-based browser exploit) to the site&#8217;s main index.html file.</p>
<p>In both cases, the customer had tried to remove the code one or more times before contacting me. I changed the FTP password and started seeing a lot of failed logins from different IP addresses. Since changing the password and cleaning the files, the malicious code has not come back again.</p>
<p>In one of the cases, I know for sure the customer had a virus and had to have their PC reformatted. Otherwise, I would have suspected a server problem from the beginning. In the other case, my customer had used a 3rd party to work on their web site, so it&#8217;s hard to know if the 3rd party (or one of their contractors) could have been infected (though with the high number of FTP login attempts at all hours, at this point I have to assume something weird was going on).</p>
<p>I&#8217;m not saying you have (or somebody you gave the FTP login to has) a virus. But, this all just happened a couple of weeks ago. I&#8217;m just getting the information out there with the hope that somebody can benefit.</p>
<p>PJ</p>
]]></content:encoded>
	</item>
</channel>
</rss>

