My site was hacked last night. It's not a security issue with Xoops, so I hope it's not improper for me to make this post and ask for help. The security problem is with my server.

The site loads with a trustbid.ws javascript code in IE. Viewing the page in IE also shows a cookie for vxiframe.biz and triggers anti-virus software into action. It took me a while to notice it because there were no problems using Firefox.

Viewing the index page source in Firefox shows

in the bottom right-hand corner, outside the html.

I've currently disabled the site while my host and I try to find the source. A Google search for the above suggests it may be a trojan that's been installed on the server.

I've looked in the template files, main index, header and footer files, but can't find it.

Does anyone have suggestions on where I should look or what I should do?

did you checked theme.html?

Yes, I checked all the theme files.

I just used Fantastico to install XOOPS again in a directory on the same domain and called to the main database.

The intrusive code still appears, which suggests it must be in the database. I haven't got a clue how to find it though.

Active worm live somewhere on rhis host, which add iframe in all found *.html files.
Sever admin must
- shutdown host
- perform full reinstall from scratch
- made harakiri

I think, worm works under httpd-account rights, you can try to remove all write permissions for theme for saving theme-file integrity

I isolated the database attack to the tplsource file. I deleted the file and created a new one. It seems to be okay now.

I've changed all passwords and hopefully that's the end of it.

You might also want to check out this thread for more info.