Hard-coded credentials exposed
It's so commonplace it's not surprising enough to be a WTF anymore.
public static String STR_FTP_SERVER_ADDRESS = "redacted";
public static String STR_FTP_USER = "redacted";
public static String STR_FTP_PASSWORD = "Redacted";
Yes, they do work. Someone popped an exploit on their FTP server then attempted to trojan my webserver:
The scary thing is, he can't even fix it without either deleting the repository or the FTP account...