OK, vector identified. The password for the site was cracked, then the site was downloaded, modified and then uploaded again. This happened concurrently from two sources. Sat Jul 12 18:37:19 2008 1 85.114.85.233 3711 /index_bak/index_js.shtml b _ o r xxxxx ftp 0 * c Sat Jul 12 18:37:23 2008 2 85.114.85.233 3761 /index_bak/index_js.shtml b _ i r xxxxx ftp 0 * c Sat Jul 12 18:37:27 2008 1 85.114.85.233 2693 /index_bak/try3.shtml b _ o r xxxxx ftp 0 * c Sat Jul 12 18:37:31 2008 2 85.114.85.233 2743 /index_bak/try3.shtml b _ i r xxxxx ftp 0 * c S Intermingled with this were records indicating the same behaviour from 116.71.41.118 So whilst earlier attacks have been via SQL injection, this is another vector to look for/be aware of. -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Glen and Rosanne Eustace GodZone Internet Services, a division of AGRE Enterprises Ltd. P.O. Box 8020, Palmerston North, New Zealand 4446. Ph: +64 6 357 8168, Fax +64 6 357 8165, Mob: +64 21 424 015 http://www.godzone.net.nz "A Ministry specialising in providing low-cost Internet Services to NZ Christian Churches, Ministries and Organisations."