I get hacked twice. Strange though... only after I post for help. Any way I receive the same type if code "sIncPath=http://www..." They were able to create an index2.html which was a Wachovia looking home page and this ip address continues to look for it: 209.147.127.216 - Optic Fusion (from Washington State US) & 79.179.102.205 - RIPE Network Coordination Centre (Amsterdam). I have reported this info with the logs. They also placed "confirm.html" and "/asp/SignOn.aspx/" see more which went to an M&T bank looking homepage on my server. It looks like they are also using the shoutbox files in Ray. This is NO GOOD. If this is a way to get users to buy licenses, I just as well not have free versions and just charge for secure code. I've waisted a month on this.
I feel for ya I got hacked the same way on my site so I pulled to plug on it and removed it from my server but I am still getting those two IPS trying to access html/cache/manager and langs. defientely no good.