My server/FTP appears to have been compromised sometime back around May 12 of this year. It did not come to my attention until recently. I have been noticing more and more strange search queries coming up in my server logs as well as a large number of 404 errors for pages with very suspicious names in the titles.
Then earlier this week I did a search for "Editra", which is my other site that also shares the same hosting as this site. The results were what tripped this deeper search into my site. Just a short time ago, doing the above search would turn up roughly 20,000+ related results on Google, but this week it only returned about 900, which led me to believe some bad content had crept into my site to cause some of this de-indexing.
Looking through many of the deeply nested folders and others that I don't edit files in often, I found them littered with hundreds and hundreds of PHP files that had 6-digit numbers for their names. The files' contents are rather cryptic PHP code that appears to gather information about the machine browsing it and then encrypt it. There were two addresses found in the file as encrypted strings that, when decoded, were (www3 rssnews ws / and www3 xmldata info). Trying to access these sites has turned up nothing, but this definitely appears to be the work of spammers.
For files to have been placed so heavily throughout the site all on the same day, it must have been the work of some bot that got FTP access to my site by some means, which I am now investigating as I remove many old unused access points and set tighter security rules for the directories. All in all, this is a huge pain and a waste of my time. Will post more as I find out the root of this invasion.
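The pattern described above (six-digit PHP file names, all written on one day) can be swept for across a web root. The following is an added example, not code from the original post; the function names, the threshold, and the sample tree with its 2020 dates are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Exactly six ASCII digits plus .php, matching the file names described in the post.
NUMERIC_PHP = re.compile(r"[0-9]{6}\.php", re.IGNORECASE)

def find_dropped_files(web_root):
    """Return {UTC date: [paths]} for six-digit-named PHP files under web_root."""
    by_day = defaultdict(list)
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if NUMERIC_PHP.fullmatch(name):
                path = os.path.join(dirpath, name)
                ts = os.lstat(path).st_mtime  # lstat: do not follow symlinks
                day = datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
                by_day[day].append(path)
    return {day: sorted(paths) for day, paths in by_day.items()}

def burst_days(by_day, threshold=3):
    """Days on which at least `threshold` matching files were written (assumed cutoff)."""
    return sorted(d for d, paths in by_day.items() if len(paths) >= threshold)

def build_sample_tree(root):
    """Constructed sample: 4 dropped files on one day, 1 stray, 2 non-matching files."""
    burst = datetime(2020, 5, 12, 12, 0, tzinfo=timezone.utc).timestamp()
    other = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp()
    layout = {
        "index.php": other,                 # legitimate page, must be ignored
        "docs/api/482913.php": burst,
        "docs/api/old/100257.php": burst,
        "images/thumbs/739104.php": burst,
        "images/thumbs/660012.php": burst,
        "tools/123456.php": other,          # matches the name, but not part of a burst
        "tools/12345.php": burst,           # five digits, must be ignored
    }
    for rel, ts in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>")
        os.utime(path, (ts, ts))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = find_dropped_files(root)
        for day in burst_days(found):
            print(day, len(found[day]), "files")
```

Modification times can be set by whoever wrote the files, so treat the date grouping as a lead and confirm it against the FTP transfer log.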
