One more thing if you block the ip address from your server you will find you can not ftp anymore.

The virus connects through proxys and the return path comes straight back to you.

You will end up blocking yourself

Are you saying that at your sites a similar problem was caused by using a freeware FTP client program?
Can you give us the name of that program?
Did the virus have a name?
How did you removed the problem from your PC?

Ghia_,
When the attacker first went after one of my sites that was using XOOPS 2.0.16, he managed to get a dump of the username and associated passwords. One of the passwords he found allowed him to gain access to one of my ftp accounts.

Kind of stupid on my part not being more careful with password management. But none the less this whole ordeal has taught me a great deal.

The protector log shows one of this person's attempts at acquiring the username listing.

Everything on my server side is now completely secure and I am working through the upgrade of each site to XOOPS 2.3.0

I once worked with an engineer who said the only thing worse than doing something dumb is telling someone about the dumb thing you did. But you all did your best in trying to help me out so I felt I owed you all an explanation once I figured everything out.

And BTW I have no clue what the post about an ftp associated virus is all about.

Just wanted to be sure that XOOPS was not the cause or had a weak spot.
And yes, experience is the total of stupidities and mistakes. By reading about them, you don't have to make yourselves.
So, your post has benefit for the readers!