Thank you for the prompt response.
What I suspect is that the "ftp" was from some "tool" not a human action (identical entries in the ftp log) and the changes on my site were identical and limited to these two files (if someone knows my password, I would imagine my sites will be quite different by now).
If this can help to find out what is wrong, here is the full extract from raw log accessing my second site from that IP address:
Mon Oct 25 04:55:05 2010 0 18.104.22.168 11030 ..../templates/template2/index.php a _ o r xxx ftp 1 * c
Mon Oct 25 04:55:06 2010 0 22.214.171.124 11076 ..../templates/template2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:07 2010 0 126.96.36.199 11030 ..../templates/template2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:08 2010 0 188.8.131.52 29463 ..../administrator/includes/pcl/gzip.lib.php a _ i r xxx ftp 1 * c
This indicates that someone has either compromised your PC, stealing FTP passwords, or has guessed your FTP password (known as bruteforcing; there is very good technology available for password cracking, so even 8-character passwords are not enough).
Once a hacker has got your FTP password, it often goes into a long list that's used by a hacker tool that will try many sites at once - that's why both domains are attacked at almost the same time.
Like others in this thread, I strongly suspect an infected PC/Mac. It's essential to scan with several antivirus tools. For PC, I would use free trials or web scans using ALL of the following.
- Kaspersky - use their trial software (antivirus only) - http://www.kaspersky.co.uk/
  - or their online scanner, or their free virus removal tool (the latter is recommended)
- ESET NOD32 - free trial of NOD32 antivirus - has a free web based scan that's OK for light infections - http://www.eset.co.uk/
- Prevx - free trial - guarantees removal if you pay for their tool - http://www.prevx.com/
- Malwarebytes (free) - very good on removal of viruses the others can't remove - http://www.malwarebytes.org/
- SuperAntispyware (free) - good for spyware removal - http://www.superantispyware.com/
- Sophos Anti-Rootkit (free) - the most stubborn and well-hidden viruses are called 'rootkits' - http://www.sophos.com/products/free-too ... otkit.html
- optional: try ComboFix, GMER, HiJackThis and others as recommended by antivirus forums - more expertise required though
Any single antivirus will only find about 60% of all viruses, and in some cases it will find 'false positives' - legitimate files that it thinks are viruses.
I don't recommend Trend Micro - from reading av-test.de, I would go with one of ESET, Kaspersky, Norton 2010 (much better than old versions), and also run Prevx (free or paid edition) on top - Prevx is very light and runs well with other antiviruses.
For Mac, I would scan with Intego, Sophos (free) and Panda, and make sure you keep up to date with all software updates including third party apps such as Flash and Adobe apps.
I assume you've changed your FTP password, but in addition:
- stop using FTP, start using SFTP - some client PC malware will spy on the TCP traffic on your PC so that it can get the passwords. SFTP is immune to this, and most good webhosts support this.
- set a 12-character random password for FTP and a different one for SFTP
To help in generating and remembering these strong passwords, try using LastPass, which makes it easy to manage all your passwords in one place, or KeePass.
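
For anyone reviewing an FTP transfer log like the one quoted earlier in this thread, here is an added example (not written by any poster here) that parses xferlog-style lines and lists completed uploads of script files, marking those that arrive shortly after the same host downloaded the same file. The sample lines, IP addresses, paths, the extension list and the 60-second window are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in xferlog layout (documentation IPs, made-up paths).
SAMPLE = """\
Mon Oct 25 04:55:05 2010 0 203.0.113.7 11030 /site/templates/t2/index.php a _ o r xxx ftp 1 * c
Mon Oct 25 04:55:06 2010 0 203.0.113.7 11076 /site/templates/t2/index.php a _ i r xxx ftp 1 * c
Mon Oct 25 04:55:08 2010 0 203.0.113.7 29463 /site/administrator/includes/pcl/gzip.lib.php a _ i r xxx ftp 1 * c
Tue Oct 26 10:12:40 2010 3 198.51.100.20 482113 /site/images/banner one.jpg b _ i r xxx ftp 0 * c
"""
# Assumed list of extensions worth reviewing when uploaded.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|js|html?)$", re.I)

def parse_xferlog(line):
    """Split one xferlog line. The filename may contain spaces, so five date
    tokens plus three fields are read from the left and nine from the right."""
    t = line.split()
    if len(t) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(t[7])
    except ValueError:
        return None
    return {"time": when, "host": t[6], "size": size,
            "file": " ".join(t[8:-9]), "direction": t[-7],
            "user": t[-5], "status": t[-1]}

def suspicious_uploads(text, window=60):
    """Return (host, file, time, rewrite) for each completed script upload.
    rewrite is True when the same host downloaded that file <= window s before."""
    last_download = {}  # (host, file) -> time of most recent download
    findings = []
    for line in text.splitlines():
        e = parse_xferlog(line)
        if e is None or e["status"] != "c":
            continue
        key = (e["host"], e["file"])
        if e["direction"] == "o":      # o = outgoing (download)
            last_download[key] = e["time"]
        elif e["direction"] == "i" and SCRIPT_EXT.search(e["file"]):
            prev = last_download.get(key)
            rewrite = prev is not None and (e["time"] - prev).total_seconds() <= window
            findings.append((e["host"], e["file"], e["time"].isoformat(), rewrite))
    return findings

if __name__ == "__main__":
    for finding in suspicious_uploads(SAMPLE):
        print(finding)
```

Any file it lists should be compared against a known-good copy before the site is put back into service.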