Are you hosting your website using a Web hosting service provider or hosting it in your own system?
Probably the virus is in your system, and your FTP software may be infected with it, and when you are uploading files (or after a particular interval) it is uploading the virus. This could be one of the possibilities. First scan your system for viruses.
What services do you run, and do you use some kind of CMS? If so, it can be a security hole that's being exploited.
This trojan of yours is a Russian reverse shell script which has some interesting features like:
1. file browser
2. file search
3. local and remote fileserver support
4. file compression and unpacking
5. mail sending
6. database access
7. execution of C and php code, SQL Queries and script code
8. botnet features
With the FTP it can send and receive files. It can download files and send txt and files by mail, dump DB tables and run SQL queries. Edit files, create, edit and delete files and directories, search for text in files, you can CHMOD, CHGRP and CHOWN from the interface... It will attempt to access and read etc/passwd and it has an FTP bruteforce menu.
It is quite advanced, but easy to operate.
You will have to look for and scan your server for suspicious files and folders, as it can be reproduced to other directories. Also scan your local PC, just to be sure. Look for any suspicious file, not only .php but also .txt, .jpg etc., and files containing two extensions like, for example, "evil.jpg.php". Also look for hidden files and folders.
When you have gone through your folders and files on your server and local computer, then change all your passwords and you should be OK. Make sure you look through all folders before changing usernames and passwords.
And if you have any services, CMS etc. running, then see if there are some updates to it.
Who's to doom when the judge himself is dragged before the bar
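The file checks described in the post above (double extensions such as "evil.jpg.php", hidden files and folders, and image or text files that carry PHP code) can be automated. The following is an added example, not part of any post in this thread; the extension lists, function names and sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed extension lists; adjust to what your server actually executes.
PASSIVE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".txt"}
SCRIPT_EXT = {".php", ".phtml", ".phar"}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def classify(path):
    """Return the reasons a file or directory looks suspicious."""
    name = path.name.lower()
    exts = ["." + p for p in name.lstrip(".").split(".")[1:]]
    reasons = ["hidden"] if name.startswith(".") else []
    # evil.jpg.php: a passive extension followed by an executable one.
    if exts and exts[-1] in SCRIPT_EXT and PASSIVE_EXT & set(exts[:-1]):
        reasons.append("double-extension")
    # A .jpg or .txt whose first megabyte contains a PHP open tag.
    if path.is_file() and exts and exts[-1] in PASSIVE_EXT:
        with path.open("rb") as fh:
            if PHP_TAG.search(fh.read(1 << 20)):
                reasons.append("php-in-passive-file")
    return reasons

def scan(root):
    """Walk root; return {relative_path: reasons} for flagged entries."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):  # rglob also yields dotfiles
        reasons = classify(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

SAMPLES = {  # constructed sample tree; placeholder contents only
    "index.php": b"<?php echo 'home'; ?>",
    "uploads/photo.jpg": b"\xff\xd8\xff\xe0 image bytes",
    "uploads/evil.jpg.php": b"<?php /* placeholder */ ?>",
    "uploads/banner.jpg": b"\xff\xd8\xff\xe0 <?php /* placeholder */ ?>",
    "uploads/.cache/.x.txt": b"notes",
}

def demo():
    """Write SAMPLES into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(root)
```

Point `scan()` at the web root to get a review list; legitimate dotfiles such as `.htaccess` are reported as hidden too and still need a manual look.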
I've been attacked twice with that script. It was disguised as a .jpg file and I missed it. I downloaded it and tried to review the script; too bad I can't run it on my localhost, Kaspersky says it's a trojan.
Anyway, it got uploaded via an upload script on my CMS program.
As a security measure I check for MIME types before moving uploaded files from temp to destination. Also I rename uploaded files so the hacker can't use it even if he successfully uploaded it on the server, and as an added security I assign md5-ed IDs on my upload form which will check if the upload is in fact coming from my form.
I no longer use PHP sessions for my CMS log-in; I use .htaccess to protect the whole directory. Though I'm pretty sure a good hacker can fish username and passwords.
The best bet right now is to spend a couple more dollars for SSL certificates.
Well, good luck, and one last thing: don't copy-paste scripts into your site if you don't know what the script does.