did you inform your hosting provider about the issue? it could very well be that the whole server is compromised, not just your client's site... and since it is shared hosting, it can also very well be that another hosted website is the culprit, not yours.
it sounds to me like the attacker has managed to install scripts on the server that keep executing and adding stuff to index.cfm - i remember this kind of attack happening a while ago... iirc the script also altered the logs, so you could not see it executing... or something like that... Azadi On 16/11/2010 11:45 , Mike Little wrote: > hi guys, > > for the last few weeks one of my clients websites is being hacked. currently > hosted on a shared server at hostek. > > the index.cfm is in the root and appears to be the only templated affected. > basically they are appending a long list of url's in a hidden div to the > existing code. > > we immediately changed ftp logins and also removed any cffile functions from > the site. unfortunately within a couple of days it happened again. > > has anyone experienced this happening recenty or may know of where i should > checking for vulnerabilities? > > cheers > mike > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339273 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
