(1) Question comes to mind how are they injecting it into the website? Has your server been compromised?
(2) And what are you doing to stop it?

Can you give us a little more detail without breaking anything in the TOS? So we can better handle on what is going on in your situation.

We ran anti-virus scans, changed our passwords, etc. For now seems the problem is over, but I wanted to understand it better, and get a good anti-virus to avoid such problems in future.

The line did not get injected in each file. The files were intact. But the extra HTML appeared on browser. Perhaps injection was at the IIS level. This happened to all websites hosted on this web server and to all URLs of each website.

Did the Virus scan turn up any virus's?
Did you check the logs to see what information you could gather on how they got into your machine to do this?
NT audit Logs
IIS web logs
http Error logs (IIS6 and up)

Basically changing the passwords, will only get you so far if they exploited a program on the server, more then likely they can do it again, and you will end up in the same situation.

There is always the possibility that they attackers installed a root kit on your machine, and anything you do besides a full format/reinstall might not be able to remove it.

Yes the problem is occuring again and again. Format seems to be the only way out.

We scanned using F-secure anti-virus, but the problem persists. F-secure scan did not find any malicious program on the system.

Anyone had similar experience before?

Try searching with the url, iframe and iis keywords to find other reports. As Ocean10000 says check your logs to see if you can identify its attack vector. If you can identify what it is you will be able to ascertain how it got on your server.

I would reformat and reinstall to be sure, then it is essential you patch and lock down the system, and then keep up to date with patches.

Thanks for the guidance

The exploit that appears to match your description is JS.toofer [www3.ca.com]. It works by setting up a footer included in all IIS-served pages. The footer is js that opens an iframe linked to malicious content.

AV software installed on your server won't necessarily protect against attacks where the server is compromised, you have to lockdown the box (see Securing IIS6 [microsoft.com]) and keep up-to-date with patches.

I think you should be able to check the footer setting in IIS MSC, it's in "Web site properties" -> "Documents" tab -> "Enable document footer" on IIS5. HTH.

Thanks very much for taking time to reply.

Footer setting in IIS are not modified. Moreover the extra line is at the top. Most probably this virus is latest version of JS.Toofer

JS.Toofer used to modify the physical file on server. But in our case the HTML gets added even though it does not exist in the file.

When we start WWW services, pages work fine for few minutes, and then randomly it starts inserting the extra HTML line. So the HTML may appear sometimes and not not the other times .. certainly is not coming from the file itself, but somewhere else, at the IIS level.

Moreover, this happens for not just one but all sites hosted on the server.

Updates: we do regularly. Securing IIS link will certainly help.

The problem still exists so are having to keep our sites down ... until we find the problem.

Just a thought- are you getting reports from your visitors seeing the same behavior, or have you just seen it from your own computer(s)? Any possibility the virus is on your computers and not the server?

yes we received phone calls and emails from visitors, that's why we are preferring to keep sites shut till the problem is solved

This could be an issue of an injection attack on your server, thats only in memory. That is when you reset iis, it clears out the worm code, but in a few minutes later it is reinfected with the worm, which usually another server that is infected is scanning and infecting other servers. You might look up parts of the injected iframe like someone already said in a search engine and see what you can find out about this issue.

This exact thing happened where I work. It turned out that it was a SQL inject. That's why the code never showed anything particular, but when the data from the DB was pulled, the code was then injected.

Why not format the server?

Did you keep up with the patches?