View Full Version : New spate of FTP security issues


GordonH
08-14-06, 01:12 AM
We have had about ten cases of keylogger programs being uploaded to customers' accounts using FTP.
As the customers are varied and innocent third parties, it means someone has access to their FTP accounts.

As we don't even have their passwords on file, it leaves only two possibilities:

1. Someone is using dictionary-type attacks on their accounts.

2. The customers have been infected by viruses and their local machines have been compromised.

I was tending towards option #1; however, the files being uploaded are themselves keylogger programs, so maybe it's #2.

Interestingly the uploads all seem to be from machines on a Washington DC area ISP but presumably they are also compromised.

GordonH
08-14-06, 01:19 AM
OK, that's another one from last week, check the IP address:

Mon Aug 07 07:27:32 2006 3 209.160.64.214 56307 /home/aviatio/public_html/images/at/server.exe b _ i r aviatio ftp 1 * c
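
Added example, not part of the original post: a small Python triage script for log lines like the one quoted above, assuming the standard xferlog field order (which that line matches). It flags completed incoming uploads of executables and lists source hosts that wrote into more than one account; the extension list, the `custa`/`custb` accounts and the documentation-range IPs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed list of extensions worth flagging in a web root; adjust per site.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".dll")

def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if malformed."""
    tok = line.split()
    if len(tok) < 18:
        return None
    # The filename may contain spaces: 8 fixed fields precede it, 9 follow.
    head, name, tail = tok[:8], " ".join(tok[8:-9]), tok[-9:]
    try:
        when = datetime.strptime(" ".join(head[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(head[7])
    except ValueError:
        return None
    return {"time": when, "host": head[6], "size": size, "file": name,
            "direction": tail[2], "user": tail[4], "status": tail[8]}

def suspicious_uploads(lines):
    """Group completed incoming (direction 'i') executable uploads by host."""
    by_host = defaultdict(list)
    for rec in filter(None, map(parse_xferlog, lines)):
        if (rec["direction"] == "i" and rec["status"] == "c"
                and rec["file"].lower().endswith(EXEC_EXT)):
            by_host[rec["host"]].append(rec)
    return dict(by_host)

def multi_account_hosts(by_host):
    """Hosts that uploaded executables into more than one FTP account."""
    users = {h: sorted({r["user"] for r in recs}) for h, recs in by_host.items()}
    return {h: u for h, u in users.items() if len(u) > 1}

SAMPLE = [
    # First line is the one quoted in the thread; the rest are constructed.
    "Mon Aug 07 07:27:32 2006 3 209.160.64.214 56307 /home/aviatio/public_html/images/at/server.exe b _ i r aviatio ftp 1 * c",
    "Tue Aug 08 10:02:11 2006 1 198.51.100.7 40960 /home/custa/public_html/img/svc.exe b _ i r custa ftp 0 * c",
    "Tue Aug 08 10:05:40 2006 1 198.51.100.7 40960 /home/custb/public_html/img/svc.exe b _ i r custb ftp 0 * c",
    "Tue Aug 08 11:00:00 2006 2 192.0.2.10 8812 /home/custa/public_html/holiday pic.jpg b _ i r custa ftp 0 * c",
    "Tue Aug 08 11:30:00 2006 2 192.0.2.10 90112 /home/custa/setup.exe b _ o r custa ftp 0 * c",
]

if __name__ == "__main__":
    hits = suspicious_uploads(SAMPLE)
    for r in (r for recs in hits.values() for r in recs):
        print(r["host"], r["user"], r["time"].isoformat(), r["file"])
    print("multiple accounts:", multi_account_hosts(hits))
```

A host that appears under several unrelated accounts points at stolen or guessed credentials being replayed from one place, which is the pattern worth alerting on.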

Chicken
08-14-06, 07:00 AM
Hopone @ superb... hmmmmm.

Record Type: IP Address
IP Location: United States - District Of Columbia - Washington - Hopone Internet Corporation
Reverse DNS: sls-gc10p7.dca2.superb.net
Blacklist Status: Clear

Whois Record
OrgName: HopOne Internet Corporation
OrgID: HOPO
Address: 1010 Wisconsin Avenue N.W.
City: Washington
StateProv: DC
PostalCode: 20007-3603
Country: US

GordonH
08-14-06, 07:09 AM
Was just warning of that IP range, which seems to have a number of compromised machines on it.

The problem is not becoming widespread. It's a few customers with several accounts.
As we don't have the passwords, they haven't come from us, and the servers are not compromised (why use FTP if you have root access anyway).

In one case the customer had two accounts with us and both got abused. One was in the US and one the UK.
I am waiting to hear back from him on the investigation of his own machine.