Hi,
My girlfriend's HostGator account has apparently been compromised. A ticket was launched and this was a part of the response.
I found the iframes and have removed them from the account. According to the logs it appears as though the FTP/cPanel account was compromised and the password was scraped. Notice the IP downloading and uploading to the account. This is indicative of a script that is injecting the files with iframes. From recent incidents like these we have come to the conclusion that a user's password was stolen via a password scraper or keylogger that resides on their local PC or network. So no matter how many changes we make to the password, as soon as they type it into FTP or cPanel it's immediately sent off to this script that then injects the files. The logs are below and below the logs you will see tips on how to secure your local network.
I've attached the logs as per the sticky... any help is greatly appreciated.
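
The pattern the support response describes (one IP downloading files and then uploading them again) can be checked for in FTP transfer logs. This is an added example, not part of the original post or the host's tooling; it assumes the server writes the common xferlog format, and the sample lines and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in xferlog layout (not the poster's logs).
# After the 5-token timestamp: transfer-time, remote-host, size, filename,
# type, action-flag, direction (o = download, i = upload), access-mode, user, ...
SAMPLE_LOG = """\
Mon Mar  2 04:11:07 2009 1 203.0.113.45 5120 /home/user/public_html/index.php a _ o r user ftp 0 * c
Mon Mar  2 04:11:08 2009 1 203.0.113.45 5290 /home/user/public_html/index.php a _ i r user ftp 0 * c
Mon Mar  2 04:11:09 2009 1 203.0.113.45 2048 /home/user/public_html/about.html a _ o r user ftp 0 * c
Mon Mar  2 04:11:10 2009 1 203.0.113.45 2218 /home/user/public_html/about.html a _ i r user ftp 0 * c
Mon Mar  2 09:30:00 2009 2 198.51.100.7 9000 /home/user/public_html/photo.jpg b _ i r user ftp 0 * c
"""


def find_rewrite_patterns(log_text):
    """Return {host: [(filename, bytes_added), ...]} for every file that a
    host downloaded and later uploaded again under the same path."""
    downloaded = {}           # (host, filename) -> size seen at download
    hits = defaultdict(list)  # host -> files fetched and then replaced
    for line in log_text.splitlines():
        tok = line.split()
        # 8 leading fields + at least 1 filename token + 9 trailing fields
        if len(tok) < 18 or not tok[7].isdigit():
            continue
        host, size = tok[6], int(tok[7])
        # Filenames may contain spaces, so take everything between the
        # fixed leading and trailing fields.
        filename = " ".join(tok[8:-9])
        direction = tok[-7]
        key = (host, filename)
        if direction == "o":
            downloaded[key] = size
        elif direction == "i" and key in downloaded:
            # Same host put the file back; a small size increase across
            # many files is consistent with an injected snippet.
            hits[host].append((filename, size - downloaded.pop(key)))
    return dict(hits)


if __name__ == "__main__":
    for host, files in find_rewrite_patterns(SAMPLE_LOG).items():
        print(host, "rewrote", len(files), "file(s):")
        for name, delta in files:
            print(f"  {name} ({delta:+d} bytes)")
```

A host that fetches and replaces many web files within seconds, each growing by the same few bytes, is worth comparing against the addresses the account owner normally connects from.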