Since first releasing detection for Troj/JSRedir-AK two days ago, SophosLabs have seen thousands of websites affected by it. Since blogging yesterday, we have seen a few minor variants and have had to update our detection.
Sophos has been contacting owners of affected websites, and one of the main methods of infection is via compromised FTP credentials. My colleague over at the Unmask Parasites blog has also reported seeing large numbers of sites affected. Affected websites should:
- Delete infected files or restore them from backup.
- Patch all software on the box.
- Change all passwords, especially FTP ones (and restrict FTP access to a minimum).
- Review logs and policies to prevent another breach.
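
For the log review step, the following is an added example and not Sophos's own code: it parses FTP transfer logs and lists uploads of web content files that came from hosts outside an expected set. It assumes the server writes the standard xferlog format; the `known_hosts` allowlist, the extension list and the sample log lines are constructed for illustration.

```python
# Added example: flag FTP uploads of web content from unexpected hosts.
# Assumes the standard xferlog format (wu-ftpd, ProFTPD, or vsftpd with
# xferlog_std_format=YES). All sample data below is constructed.
from collections import namedtuple

WEB_EXTENSIONS = (".js", ".html", ".htm", ".php")
Upload = namedtuple("Upload", "when host path user complete")

def parse_xferlog(line):
    """Return an Upload for an incoming transfer, or None for anything else."""
    tok = line.split()
    if len(tok) < 18:           # 8 leading fields + filename + 9 trailing fields
        return None
    path = " ".join(tok[8:-9])  # the filename may itself contain spaces
    direction, user, status = tok[-7], tok[-5], tok[-1]
    if direction != "i":        # i = incoming, i.e. an upload to the server
        return None
    return Upload(" ".join(tok[0:5]), tok[6], path, user, status == "c")

def suspicious_uploads(lines, known_hosts):
    """Uploads of web content files from hosts that are not in known_hosts."""
    hits = []
    for line in lines:
        rec = parse_xferlog(line)
        if (rec and rec.path.lower().endswith(WEB_EXTENSIONS)
                and rec.host not in known_hosts):
            hits.append(rec)
    return hits

# Constructed sample log: one expected admin host, one unfamiliar host.
SAMPLE_LOG = """\
Mon Dec 21 09:12:01 2009 1 198.51.100.10 5120 /var/www/html/about.html a _ i r webadmin ftp 0 * c
Tue Dec 22 03:41:17 2009 1 203.0.113.45 7310 /var/www/html/index.html a _ i r webadmin ftp 0 * c
Tue Dec 22 03:41:19 2009 1 203.0.113.45 2290 /var/www/html/js/menu.js a _ i r webadmin ftp 0 * c
Tue Dec 22 03:41:20 2009 1 203.0.113.45 7310 /var/www/html/index.html a _ o r webadmin ftp 0 * c
Wed Dec 23 11:05:44 2009 2 198.51.100.10 88120 /var/www/html/img/logo.png b _ i r webadmin ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_LOG, known_hosts={"198.51.100.10"}):
        print(f"{hit.when}  {hit.user}@{hit.host}  {hit.path}")
```

Files listed this way are candidates for the delete-or-restore step, and the account that uploaded them is one whose password should be changed first.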
Merry Christmas and have a Happy New Year.