Website hacked

It seems my Concrete5-based site has been hacked - found this in my default and homepage templates footers:

<div style="position:absolute;left:-6397px;">
<a href="http://pleasantvalleywinetrail.com/order/antibiotics.html">cheap Antibiotics</a>
... many more <a>s ...
</div>

Has anyone else come across this? Any idea how the site might have been compromised? I've changed FTP and admin passwords but would appreciate any advice on reducing the odds of this happening again. It's 5.6.1.2 by the way.

 
exchangecore replied:
Take a look at your FTP logs as well as your web server access logs (looking at POST requests). Doing these things will help to rule out (or confirm) that it was your website that was vulnerable somehow. It could also be a misconfiguration in security with your web host, which allowed another user to access a part of your account. It could also be that if you're hosting other sites on the same account, one of those was hacked and that allowed the attacker access to your C5 site.

Most typically, it's not simply a matter of 1 file being infected; usually there is some file that gets uploaded that the attacker then leverages to wreak havoc on your site. Your HTTP access logs would probably show this script being accessed and utilized to do such a deed.

As far as prevention, the best thing to do is first find out what the root cause was. That way you can take appropriate action to alert the appropriate party to fix the vulnerability.
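An added example, not from the thread or from concrete5, of what "looking at POST requests" in the access logs can look like in practice: it parses Apache combined-format lines and reports repeated POSTs to PHP files outside an allowlist of paths where the site is expected to take POSTs. The log lines and the allowlist prefixes are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:02:14:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:09 +0000] "POST /files/cache/x.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:15 +0000] "POST /files/cache/x.php HTTP/1.1" 200 298 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2013:09:01:44 +0000] "POST /index.php/login/do_login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:40:01 +0000] "POST /files/cache/x.php HTTP/1.1" 200 305 "-" "curl/7.29"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical allowlist of paths where a concrete5 5.6 site legitimately takes POSTs;
# tune it to your own site's forms and dashboard.
EXPECTED_POST_PREFIXES = ("/index.php/login/", "/index.php/dashboard/", "/index.php/tools/")

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_posts(log_text):
    """List (path, ip, count, first_seen) for POSTs to .php targets outside the allowlist.

    An uploaded script the attacker drives from outside shows up exactly like this:
    repeated POSTs to a .php file the site itself never links to.
    """
    counts, first_seen = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string
        if ".php" not in path or path.startswith(EXPECTED_POST_PREFIXES):
            continue
        key = (path, rec["ip"])
        counts[key] += 1
        first_seen.setdefault(key, rec["ts"])
    return sorted(
        [(p, ip, n, first_seen[(p, ip)]) for (p, ip), n in counts.items()],
        key=lambda r: -r[2],
    )

if __name__ == "__main__":
    for path, ip, n, ts in suspicious_posts(SAMPLE_LOG):
        print(f"{n:4d} POSTs to {path} from {ip}, first seen {ts}")
```

Feed it your real log with `suspicious_posts(open("access.log").read())`; the first-seen timestamp of a hit is a good lower bound for when to start comparing file modification times.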
shondy replied:
I would bet that Pleasant Valley Wine Trail would like to know their website is hacked as well...if they don't know already.

Check out their default 404 page -

http://pleasantvalleywinetrail.com/order/...

that's a GoDaddy default 404. Maybe check with GoDaddy if you are on shared hosting with them.
splscs replied:
Haha well I actually didn't check the site because I assumed the whole point of the malware was dodgy SEO (didn't really think why a cheap meds business would choose such an irrelevant domain) and didn't want to get any drive-by nasties on this computer.

So what would be the purpose then of malware dropping invisible links in the templates to somebody else's site?

Sounds like the best course of action for me would be to ask my hosting company about it. I have checked the FTP logs but it's only my IP and it only lists the most recent activity. I just checked again and even my activity is no longer there, so it's too short-term to be useful. The links may have been in the templates for months - it's not a frequently edited site.
shondy replied:
You can look at the files on your web server and see when certain ones have changed and get an idea of when the hacking took place.

The whole idea of hiding this stuff is so you don't find it easily, but search engines see it. It's all about link building and search engine exposure. If there is an opportunity for someone to take advantage of a vulnerability in a website they will do it.

I had a WordPress site hacked and it took several months to root out all of the hidden gems, like executable PHP code hidden in a JPG image, Base64 code dropped into template files that didn't get automatically updated, database entries that were really tough to root out and eliminate, etc.

I also had a C5 site hacked with a JavaScript exploit, and the claim is that vulnerable versions of Java will allow hackers to grab FTP passwords, which is pretty scary.

Your best bet is to secure your FTP password and login password with randomly generated string passwords, not something that is made out of a word. Also, you can use .htaccess to prevent some things, including blocking IP addresses. You can Google all those possibilities.
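An added example, not from the thread or from concrete5, that combines the two checks suggested above: walk the theme directories, flag elements whose inline style pushes them far off-screen like the injected `<div>` in the original post, list the links they hide, and report each file's modification time. The two-file sample site it writes to a temp directory is constructed for the demonstration.

```python
import os, re, tempfile, time

# Matches a div/span/p whose inline style shoves it off-screen, as in the injected
# <div style="position:absolute;left:-6397px;"> quoted in the thread.
OFFSCREEN_RE = re.compile(
    r'<(?:div|span|p)\b[^>]*style\s*=\s*["\'][^"\']*position\s*:\s*absolute'
    r'[^"\']*(?:left|top)\s*:\s*-(?P<px>\d{3,})px',
    re.IGNORECASE,
)
LINK_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def scan_file(path):
    """Return one finding per off-screen block: the links it hides plus the file's mtime."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(os.path.getmtime(path)))
    findings = []
    for m in OFFSCREEN_RE.finditer(text):
        tail = text[m.end():m.end() + 2048]          # the hidden links follow the opening tag
        findings.append({"file": path, "offset_px": int(m.group("px")),
                         "links": LINK_RE.findall(tail), "mtime": mtime})
    return findings

def scan_tree(root, exts=(".php", ".html", ".tpl")):
    """Walk a site root (e.g. the concrete5 themes/ and blocks/ directories) and collect findings."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                out.extend(scan_file(os.path.join(dirpath, name)))
    return out

def write_sample_site(root):
    """Write a constructed clean template and an infected copy (hypothetical, for the demo only)."""
    theme = os.path.join(root, "themes", "default")
    os.makedirs(theme, exist_ok=True)
    clean = "<footer><?php echo $c->getCollectionName(); ?></footer>\n"
    injected = ('<div style="position:absolute;left:-6397px;">\n'
                '<a href="http://example.invalid/order/antibiotics.html">cheap Antibiotics</a>\n'
                '<a href="http://example.invalid/order/pills.html">cheap pills</a>\n</div>\n')
    with open(os.path.join(theme, "view.php"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(theme, "default.php"), "w") as fh:
        fh.write(clean + injected)

def demo():
    """Build the sample site in a temp directory and scan it; returns the findings list."""
    root = tempfile.mkdtemp(prefix="c5scan_")
    write_sample_site(root)
    return scan_tree(root)
```

Run `scan_tree("/path/to/site")` against a real install; the reported mtime is only meaningful on files you have not re-saved since cleaning them, which is why it pays to scan before editing anything.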
splscs replied:
What I don't get though is why the malware author would want searches like 'cheap meds' to lead to the wine site? Surely they'd only benefit if those links point to their own site?

That's some really bad luck you've had with it. Makes me wonder how many sites I've developed that were compromised without my knowledge. I never use Java at least.

The timestamp on the edited files is a really good idea - too bad I already removed the code and saved, overwriting the timestamp. I'll ask my host if they have any better logs that aren't available via the control panel. exchangecore's suggestion that other sites on the hosting may also be compromised is a very good point so I should inform them anyway.
exchangecore replied:
Not to go off topic here, but I'm not aware of concrete5 using anything Java based in the core. Java and JavaScript are not the same things. Aside from that I'd pretty much agree with what you're saying.

Change passwords, check file last modified times, and it can't hurt to contact your host and see if they can help you track it down any further.
splscs replied:
I know Java and JavaScript aren't the same and suspect cschondel is aware too, but he did mention both. If I was a Java dev then I'm pretty sure I could get a Java applet running in a c5-based site, but Java really isn't something I'd ever want to get involved in.

If my hosting can tell me anything useful about this specific type of attack then I'll post back so people can find the other affected files (few too many files in c5 to check one by one!).
shondy replied:
The Java part is Java running in a browser, like FF. If you have Java installed and enabled, but out of date, there could be a vulnerability.

Here is the link that specifies the C5 Java vulnerability:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5181...