bernard zimmermann wrote:

My b2evolution Version: 2.x

Yesterday my website got hacked again with JS:Illredir-cj

Website
http://www.posbrowser.com.au/b2evolution.new/blogs/index.php?blog=1
[...]
Any ideas what to do?

1) Update/upgrade to the newest b2evolution release. When I recommend b2evolution in Twitter or elsewhere, I emphasize security feature as inherent strength.

2) Consider another hosting provider for your blog. Quickly perfoming:

nslookup www.posbrowser.com.au

Non-authoritative answer:
www.posbrowser.com.au canonical name = posbrowser.com.au.
Name: posbrowser.com.au
Address: 209.200.249.149

And performing a WHOIS on IP above tells us that you are with Lunar Pages -possibly in a shared environment.

You may be the victim of a "collateral infection" -for example if another hosted instance (or more) are infected. It is not uncommon that hosted peers attack one another. In certain occasions, I've have had to permanently block IPs in a given IP block due to vicious unauthorized SSH entry attempts.

If you are comfortable with an virtual machine instance in the cloud, say Amazon EC2, you may want to migrate there since they are offering a free one year trial of a micro-instance (some 10Gb virtual storage & half a Gig of RAM for your operating system and supporting apps like your blog).

Or any other provider.

Best Professional Regards.

What would happen was I would updated the site and so clear out the virus but it kept coming back. Parts of the virus were in directories that a user cannot get into. Making me suspect that the virus owner was no user.

I finally changed the FTP password and the virus stopped.

This is very strange as I have been very careful with the FTP password. It used a random combination of upper and lower case letters and numbers. This is it bVGcnIW8qkaEp7. No one could have brute forced that one. So it must have been stolen.