I figured out why it was going slow for me, I still had sshfs connected on my server and the sftp daemon is not a fan of multiple connections. I disconnected my server and it sped right up.

I didn't find anything untoward while glancing around the directory structure of /sfgp/, but I haven't looked at code yet. When Cemetech was compromised where did they place the payload?

Hmm, I don't see any new directories or any new files. The timestamps on my .htaccess and all of my code files are intact going back to 08 and 09.

Kerm, I would still look into getting ssh access if nothing else for rsync usage, so you can do incremental backups to any machine you want easily on a regular basis.

Ooh, should I be able to switch to sftp as well?

I just changed my client to SFTP, would you mind sending me the proper port as well?

To Whom It May Concern:

To update you on this, I did indeed scan every one of my computers (all the scans came up clean), change all my passwords, and switch to using SFTP instead of FTP to administer my website. A colleague of mine who frequents my website, to whom I had suggested Surpass for his own hosting needs and now uses your site, alerted me yesterday to the fact that his site was similarly attacked in the same time frame as mine, and I see that a third Surpass shared hosting customer had a problem on April 17th (note this thread: http://www.surmunity.com/showthread.php/32454-I-ve-been-hacked). This is hugely concerning, and suggests that the problem is a security breach at Surpass rather than a customer problem.

Because of this blackhat SEO attack, my website is (hopefully temporarily) nearly completely absent from Google search results, which has had a very negative impact on traffic to my website. If the fault was me using potentially compromised machines, poor access methods, or weak passwords, it certainly would be my fault and not at all your responsibility, but if a compromise of Surpass is the issue here, then I would appreciate being appraised of this security breach, provided assurance that the issue has been resolved to protect against future attacks, and my lost traffic addressed. I would appreciate any feedback on the issue at your earliest convenience. Thanks again for what I'm sure will uphold your excellent tradition of superb customer support in my experience.

Sincerely,
(me)

Hello,

This attack is quite common. The FTP logs Ariel posted show a legitimate FTP login with legitimate credentials:

==
[redacted]
==

Hackers will typically compile gathered passwords\accounts into a large list and quite often get the credentials of two completely unrelated accounts that happen to reside on the same server. We are constantly working to keep our servers up to date and secure from vulnerable services on our end.

Regards,


Lukas K.
Security Analyst
Surpasshosting.com, LLC.

Maybe I missed this, but has Google moved forward on removing the label?