In my limited experience of webhosts other than my main one (I personally use HeartInterent in the UK and have not had any problems with them) I have found that hosts who put too much security on shared hosting are shooting themselves in the foot because users change all their file permissions to 777 just to get their site working properly without knowing the consequences of doing so.
The good hosts are the ones that find a good balance between security and allowing their users a little freedom to enable their chosen CMS/scripts to function without too much hassle.

It’s definitely my experience that certain hosting providers are more prone to attacks than others. I’ve recently seen a lot of trouble at Network Solutions. Prior to that, I have seen a lot of issues with shared hosting at IX Web Hosting. My favorite hosting provider is currently BlueHost. They have top-notch support staff.

After cleaning files:

double and triple check file permissions. Should be 755 and 644 (for folders and files respectively).
If you can avoid using the default database table prefix, change that (in wordpresss, it’s wp_)
If there’s a default username, don’t use it (in wordpress, the first user is named admin)
Change all passwords. No dictionary words, at least one upper and one lower case letter. At least one number.

Just a few other post-attack chores.

I discovered that it was a server wide breach, as all the other PHP/HTML based sites on the same shared host server were also infected with these links. Unfortunately I have little control over the shared host (apart from ftp/cpanel access to my client’s site) and, due to various ridiculous complications that I won’t go into, the web hosts won’t give me any support.

As a result I’m in the process of moving away from this particular host, which was the plan all along anyway. Hopefully this will resolve the issue, although I have a fair amount of file cleaning to do – I’ve already removed a nasty SSH shell access script by using virus removal in cPanel.

So, if anyone else is reading this with the same problem on shared hosting, make sure you check other websites on the same IP (using a reverse DNS lookup) and find out if the whole server has been affected. If so, contact your web hosts for support immediately.
Steve

I’m emailing you privately and we can talk and perhaps I can help you, at least as far as finding the malware and getting rid of it.

I have a Joomla based client that this is happening to, with around 600 links being placed at the bottom of any file that is index.html or index.php. This keeps happening most evenings and is breaking the site each time.

I followed these links through (by looking at code, not by clicking on them) and ended up at ZML.com. After researching ZML.com, they seem like the kind of company that know full well what’s going on and won’t be stopping unless someone takes action.

Whatever I do, I can’t seem to stop these links from being added. Do you have any advice on how to stop this? How are they getting in? I’ve tried the obvious things and changed the host ftp password, but they got back in after a few days. The only thing I can think of is that there is some malicious code somewhere on the site that is being triggered by a user action.

Any help would be much appreciated.
Thanks,
Steve.