compromised site

Solution 1:

Based on the injected files, and it being hosted on GoDaddy, I would take a look at Sucuri.net's blog posts about the continuing infection of websites on GoDaddy's shared servers over the past month.

I would start here: http://blog.sucuri.net/tag/godaddy

-Josh

Solution 2:

This is not SQL injection. This is a worm, and getting this level of access with a worm on a custom site isn't realistic. I know this because I write exploits that worms use to spread, and I'm telling you it's definitely not SQL injection under MySQL (MS-SQL is a different story; the attacker has xp_cmdshell()).

Nevertheless, you should scan your site for vulnerabilities using both w3af (free) and Wapiti (free), or Acunetix ($), or the best tool, NTOSpider ($$$).

First of all, I would make sure all of your libraries are up to date. Any machines with FTP access must be scanned with an anti-virus. I know GoDaddy only has FTP access, because they obviously don't care about security. There are worms that sniff for FTP logins and then infect the site; these are very successful worms because of idiots like GoDaddy. If you don't want to spring for the cash, running AVG on your local system is better than nothing.

Usually when you are infected, Google will throw a browser warning and they will tell you the name of the worm. If you search for the name, oftentimes someone has done analysis, and that will tell you how it is spreading.