Instronics and Muracu, that's a lot of very helpful information. (My only criticism is that there's no real connection between it and my easily misinterpreted comment about a "back door!")
Some specific responses:
Quote:
Saying that you are certain that these modifications are not done by hand...
The lawyer in me says I should point this out: I didn't say that; I only said that they "look automated to me." I detest people who claim to be certain of things that are merely possible or probable, so I'm sensitive to imputations that I have done it myself (and I am mortified when I actually do it myself)!
Quote:
Out of interest... you say the modified code redirects you to some suspicious site? What site is that?
There has actually been a fourth attack since my OP... same domain, same technique, different site. The first one was http://margingradient.ru. The second was http://changedivstyle.ru; the full URL was http://changedivstyle.ru/vis/index.php.
I've set permissions on both .htaccess and index.php to 404, which I hope will stave off further attacks until I can resolve the root (pun intended) problem.
Quote:
He allows FTP access without encryption??????
Not merely allows it... practically requires it. I didn't even know SFTP was available until I stumbled across the fact on another blog while researching this problem. My reaction is about the same as yours, although I confess that I shrugged it off until we started having problems.
Quote:
In any case... you cannot solve the issue without having root access to the host machine...
That's pretty much what I wanted to confirm. It sounds like the only thing I can do on my own initiative is demand SFTP access, and I can't even get it without the host's cooperation.
Quote:
One more thing... you mention that you are thinking about going for a dedicated box. Do you have the means of securing & administrating this properly?
No, we most certainly do not. That is what has deterred me from recommending it up to now.
If we do go to a dedicated server, we need to find another host who will provide one while retaining responsibility for system management. I recognize that that implies the host will retain a great degree of control... we can't expect them to be responsible for system management if we have authority to fool around with the HTTP server's configuration and such. That's not a problem for us... lack of security, and lack of ability to control things like php.ini, are problems.
Quote:
...check the time stamp on the script to see when it was modified if possible.
I did that, and found that the break-in was not logged. I infer (but cannot prove) that it was not accomplished through FTP.