I then went to another site, hosted at the same company but on a different server. Same problem. Compared the “last modified” dates again, and once more, the .js files on the server were updated Feb 28. Mine were much older.
Did the same for a final third site, hosted at a different company. You guessed it: same thing.
Even weirder was that these scripts were both in the main /public_html directory and subdirectories a few levels below that. However, scripts in my WordPress directory (I have a couple of installations) on one of the sites were unmodified. This is surprising, to say the least: WP is one of the biggest attack targets on the web, if not the biggest.
Anyway, I immediately ran a virus scan on my system, and meanwhile wrote my host for the first two sites for any ideas on how this could’ve happened, describing the issue. As usual they had a swift answer for me–I do love these hosts!
The above-named file is a PHP directory program. Not sure exactly what the rest of the stuff after the .js filename means.
So, okay, clearly it was my fault and I’m sickened by the thing.
What I don’t understand is how they simultaneously cracked my passwords. I don’t keep these passwords in the same place. They’re all non-standard words / characters. And they’re all different domains. How in heaven’s name did this happen? How did someone get access to my system, find the secretly named files (and in at least one case the file wasn’t even the whole password, just a word reminding me of the password phrase), figure out which one went with which site, and then do all of the above?!
I ran AVG and it did find and secure 30 trojans, but they were all in deleted emails I’d never opened or viewed. (My stupidity was in not deleting them from my Deleted Items tray, but if they download and I don’t open the attachments, can they still infect me?)