For the past few weeks I have been noticing the code in my index.htmls on my host, changing by it self. The other day Chrome and Firefox have started to list the sites hosted on my server as attack sites.
I am pretty sure my computer is clean and I'm not uploading the virus via ftp.
It's a script in my server somewhere, but I have no idea how to get rid of it, any help would be very much appreciated.
I believe Google provides the reason(s) why a site is listed as an attack site. However, I don't think they're very detailed (I guess they don't want malware writers/purveyors to know how they detect attack sites), so I would dive into your server logs and see if there are any unknown entries or suspicious patterns.
Alternately, you can use diff (or other directory/file comparison tools) to compare your local/development copy of the site with what's on the production server. That should show you any added files or code that weren't put there by you. A version control system can also do this very efficiently.
If you're not computer-savvy enough to figure out where the malware is located (don't feel too bad; they're specifically designed to evade detection), then try asking your web host for help.
Or, if you make regular backups, you could just wipe everything clean and roll your site back to the last known "clean" date (and then manually re-add lost content, if necessary).
But as soon as you get all of this done, be sure to update all of your web apps to the latest versions and change all your passwords (CMS, ftp, shell, cpanel, even email).
It is quite likely that an attacker has exploited a security vulnerability in one of the software packages that you have installed on your server. In this case, your options are pretty limited; there is no way to clean up your server & guarantee that the attacker does not have some sort of backdoor access.
If this is a dedicated server that you administer, I would wipe the server & reload it.
If this is a shared host, I would find a new hosting company. Shared host should be patching installed packages on a regular basis (although many don't).
I experienced something similar a while back. Still unsure if it was me, the host or something else althogether. Thankfully the problem has never happened again.
I'd advise contacting your host to let them know, and to see if they can help. Whilst you do that make sure you house is in order i.e. make sure your kit is clean from virus/malware, change your ftp password, and make sure any frameworks/guestbooks/messageboards etc you use are fully up to date.
If you haven't already - its worth getting an account with googles webmasters tools set up (its free) - from here you can request a rescanning of your website, when I did this google had rescanned and removed the blacklisting within 8 hours.
No need to wipe, these are ususally not too difficult to fix, just time consuming.
Put up an under construction page. Update all open source software...that's likely how they're getting in. Don't forget phpMyAdmin, as it's frequently targeted and rarely updated. Joomla, PHPbb, and Wordpress are also frequent targets Next, search near the bottom of the affected files for some foriegn javascript. Clean that--automate the removal of this if possible, it's likely on every page of your site. Just in case, check for any folders buried on the site containing a large quantity of strange files. Finally, check your database to ensure they haven't stuck something in the user table, and update your FTP (or better, SCP) passwords.
Put back up and keep a close eye on it. If they change, you missed something! Only as a last resort should you wipe.
Repeat after me...I will update next time. I will update next time....