It’s taken some time, but as I’m getting a few hits on my website from people searching for information on the malware that was inserted onto it, I thought I’d make what we’ve found out so far public.
So, how did the hackers get in? It seems that the security breach was due to the Parallels Plesk Control Panel, which the web server my site is hosted on uses as its web-based interface. I finally tracked down this information from this excellent website, and it’s an interesting read:
It seems that the Plesk vulnerability was compounded by the fact that the password list in Plesk is stored in plain text! This meant that the hackers potentially had access to all the Plesk passwords on the server (including FTP and so on). So, unless all passwords on the server (which may well host multiple sites!) were reset, the hacker could get back in and read all the passwords again. One interesting addition: we discovered extra scripts in the cgi-bin directory of websites on the server that look similar to distributed denial-of-service (DDoS) attack scripts.
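The extra cgi-bin scripts were only found by looking. As an added example (not part of the original post, and not a Plesk tool), here is a small POSIX shell check that walks every site’s cgi-bin under a vhost root and lists files modified after a baseline timestamp, so anything planted after the last known-good state stands out. The directory layout (`<root>/<domain>/cgi-bin`) is an assumption modelled on the usual Plesk vhost tree; the demo tree it builds is constructed sample data, not files from the real server.

```shell
#!/bin/sh
# Added example: report files under each site's cgi-bin that are newer than a
# baseline file. Assumed layout: ROOT/<domain>/cgi-bin (Plesk-style vhosts).

# list_new_cgi ROOT BASELINE_FILE
# Prints "domain<TAB>path" for every regular file in ROOT/*/cgi-bin whose
# mtime is newer than BASELINE_FILE. Nothing is printed when all is clean.
list_new_cgi() {
    root=$1
    ref=$2
    for dir in "$root"/*/cgi-bin; do
        # An unmatched glob stays literal; skip anything that isn't a directory.
        [ -d "$dir" ] || continue
        domain=$(basename "$(dirname "$dir")")
        find "$dir" -type f -newer "$ref" | while IFS= read -r f; do
            printf '%s\t%s\n' "$domain" "$f"
        done
    done
}

# make_demo_tree: constructed sample data (not real server contents).
# Two sites with legitimate scripts dated in the past, a baseline marker with
# the same old date, and one script planted "now" in site-b's cgi-bin.
# Prints the temporary base directory.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/vhosts/site-a.example/cgi-bin" \
             "$base/vhosts/site-b.example/cgi-bin"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' \
        > "$base/vhosts/site-a.example/cgi-bin/counter.pl"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' \
        > "$base/vhosts/site-b.example/cgi-bin/form.pl"
    touch "$base/baseline"
    # Backdate the known-good files and the baseline marker (POSIX touch -t).
    touch -t 200001010000 "$base/baseline" \
        "$base/vhosts/site-a.example/cgi-bin/counter.pl" \
        "$base/vhosts/site-b.example/cgi-bin/form.pl"
    # Planted file keeps the current time, so it is strictly newer.
    printf '#!/usr/bin/perl\n# planted script\n' \
        > "$base/vhosts/site-b.example/cgi-bin/x.pl"
    echo "$base"
}

# Demo run on the constructed tree: only site-b.example's x.pl is reported.
demo_root=$(make_demo_tree)
list_new_cgi "$demo_root/vhosts" "$demo_root/baseline"
rm -rf "$demo_root"
```

On a real host you would point `list_new_cgi` at the vhost root and at a file whose mtime predates the suspected intrusion (a backup marker, or a file created with `touch -t`). A newer mtime is only a lead, not proof: an attacker can backdate a file with `touch` just as easily, so the list is a starting point for comparing against a known-good copy, not a substitute for it.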
Anyway, now that Plesk has been patched and upgraded and all the passwords on the server have been reset, normal service should resume!