I uploaded a 100% plain HTML file to the server containing just 1 paragraph of text. It doesn't use includes or the CMS. This will best demonstrate the site's problem.
Sometimes when I request the file, it is served correctly.
About 20-30% of the time, intermittently, as though determined by a random number generator, the server instead sends a 503 Service Unavailable error. The page sent with the 503 error is a virus-laden, heavily obfuscated combination of VBScript and JavaScript. The encryption of the malicious script changes daily. This intermittent serving of a virus page occurs regardless of what page is requested. If I request a nonexistent file, sometimes I get a legitimate 404 error, sometimes a 503 with the virus script.
I have visually examined every file within this website's file system (except, importantly, what is in the /conf folder, for which I don't have and am unlikely to get access privileges). There is no file containing the malware, nor is there any script capable of generating this malware dynamically, nor is there any script capable of generating the 503 error code such as by the PHP header() function. There is no custom error page in the site's webspace for a 503 error. There are no cron jobs at all listed in the control panel.
The server is Apache, possibly running on Windows (not sure), but there is no .htaccess file in the site's webspace that could be doing redirects or rewrites. Such a thing could be done (but randomly?) in httpd.conf or an equivalent config file, but I expect that would be in the /conf folder, which I may never be able to examine.
It appears that every request to the site is being intercepted immediately upon receipt. A script somewhere, not in the site's webspace, makes a decision whether to serve a normal page or the virus one.
Can anyone think of a plausible explanation for the behavior described above, other than the server being compromised at either the Apache or operating system level?
If the webhost proves unwilling to help investigate areas of the server that only they have access to, my recommendation is going to have to be to move the site to a different host.
The site uses vhosts.
My local Apache "wamp" install has a /conf folder, so I'm familiar with that, and am assuming this server's /conf will be where the important httpd.conf and possibly other config files would be.
But the site also has a root-permissions-only /pd folder. Is that a standard directory in any system you know of?
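One thing worth doing before going back to the host is to document the intermittent behaviour reproducibly: request the same plain HTML file many times, record the status code and a hash of each body, and count how often an error status arrives carrying script content that a stock Apache error page would never contain. The script below is an added example written for this thread, not code from the original post or from any host's tooling; it takes the URL as a command-line argument, and the `make_fake_fetcher` helper is a constructed stand-in that imitates the described 503-every-so-often behaviour so the sampling and summary logic can be exercised offline.

```python
import hashlib
import sys
import urllib.error
import urllib.request
from collections import Counter


def fetch_once(url, timeout=10):
    """Perform one GET and return (status, body_bytes).

    urllib raises on 4xx/5xx, but the error body is exactly what we want
    to inspect, so HTTPError is turned back into a normal (status, body) pair.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def looks_suspicious(status, body):
    """Heuristic: an error page from Apache itself carries no client-side script.

    An error status whose body contains a <script> tag or VBScript is not
    something the web server's default error handling produces.
    """
    lowered = body.lower()
    return status >= 400 and (b"<script" in lowered or b"vbscript" in lowered)


def sample_responses(fetch, n):
    """Call fetch() n times and return a list of (status, body, sha256 hex digest)."""
    samples = []
    for _ in range(n):
        status, body = fetch()
        samples.append((status, body, hashlib.sha256(body).hexdigest()))
    return samples


def summarize(samples):
    """Aggregate samples into per-status counts, distinct bodies and suspicious hits."""
    counts = Counter(status for status, _, _ in samples)
    digests = {}
    for status, _, digest in samples:
        digests.setdefault(status, set()).add(digest)
    suspicious = sum(1 for status, body, _ in samples if looks_suspicious(status, body))
    return {
        "counts": dict(counts),
        "distinct_bodies": {status: len(d) for status, d in digests.items()},
        "suspicious": suspicious,
    }


# Constructed sample bodies: the benign page and a placeholder for the injected
# error page. The placeholder is inert text, not a real script.
GOOD_BODY = b"<html><body><p>Just one paragraph of text.</p></body></html>"
BAD_BODY = b"<html><body><script language=vbscript>' constructed placeholder</script></body></html>"


def make_fake_fetcher(every=4):
    """Constructed offline stand-in for fetch_once: every Nth request is a 503
    carrying the placeholder body, all others are a normal 200."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        if calls["n"] % every == 0:
            return 503, BAD_BODY
        return 200, GOOD_BODY

    return fetch


if __name__ == "__main__":
    # Usage: python sample_503.py http://example.invalid/plain.html 50
    url = sys.argv[1]
    n = int(sys.argv[2]) if len(sys.argv) > 2 else 50
    report = summarize(sample_responses(lambda: fetch_once(url), n))
    print(report)
```

Run it against the plain HTML file a few dozen times and keep the output: a 503 rate around the 20-30% observed, a single stable body hash for the 200s, and error responses flagged as suspicious give the host concrete evidence that something outside the site's webspace is answering requests.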