How did a hacker add a script block to my page?
I went to my website 2 days ago and got a warning that the site might be an "attack site", then I noticed an email from Google telling me that their last crawl of my site found potentially malicious code. When I viewed the page source, I found a block of JavaScript at the bottom of my home page (index.cfm) which I definitely did not put there. I am the only admin of this site and my production server password is extremely secure. Yet it appears that someone has modified a file on my server.
My question is: how can someone change a file on my server without logging in to the server? It seems they can't have my password -- if they did, they wouldn't need the brute force attack, right? Via the Event Viewer I see that a certain IP address was attempting to log in every few seconds for days.
I replaced the hacked file, but within 24 hours it happened again. I have since denied access to 3 IP addresses that I see in my log files. I am running IIS, and my application server is ColdFusion.
Any explanations or advice for preventive measures would be greatly appreciated. Thank you!
-
-
There are any number of ways that a site can be compromised without use of log-in credentials.
Assuming that you are not self-hosted, you need to engage your hosting firm in this matter.
-
-
Telling everyone about your configurations probably just added to your problems. These are not issues one reaches out to the general public to solve. A search, yes, but a forum post? Not so helpful.
The best advice anyone can offer is, "Refer to qualified technician for servicing."