Websites on linux domains are showing up with trojan's

[PaddingtonC]

I have an Ubuntu 8.04LTS server running Plesk 9.5 and although all Plesk security patches are in place there are infections on the websites which are displayed as warnings.In file manager I see that a code is added to normal files and I manually check the files and delete the added code. I have had 12 sites reported so far.
How can I isolate the root cause? I tried doing a "find . -name gootkit "but cannot pick up anything. Is there an anti virus for linux I can use apart from rkhunter which is already running?

 

[abdi]

iScanner is a free open source tool lets you detect and remove malicious codes and web page malwares from your website easily and automatically. iScanner will not only show you the infected files in your server but it's also able to clean these files by removing the malware code ONLY from the infected files.

http://iscanner.isecur1ty.org/

 

[HostaHost]

I've found that 9.5.4 will sometimes think it has all the updates applied even when it doesn't; try adding something via the autoinstaller to coax it into re-downloading all the microupdates.

Oh, and you should change all client passwords and ftp passwords because thanks to Parallels not bothering to tell anyone there was a serious vulnerability in Plesk from October/November timeframe until February/March, it could be that your server had its passwords compromised long ago and hackers are just now getting around to using them even though you're up to date on patches.