Apologies in advance for the long story ... its starts off as a server issue but I think it might be caused by desktop malware.
I've been struggling with this issue for the last few days and I think it might be casued by some kind of malware. I was playing around with some
website templates and created a test site, when I noticed this code right several blank pages down in the source code (I've replaced with  but it
still comes out wonky in the post sorry etc):
32,18,15,45,25,37,33,14,42,35,46,34,49,4,26,21,22, 38,43,5,6,60,0,0,0,0,40,0,7,1,52,20,12,56,0,51,23, 27,8,39,10,11,29,36,50,54,19,62,31,57,2,44,53,
Ask the people at www.castlecops.com.
Well in desperation I hired a security expert (a guy called Martin from 3klabs security) who turned out to be
extremely knowledgabe. He identified and fixed the issue within a few minutes. Here's the lowdown:
Firstly, I thought my server had undergone security hardening, whereas in fact it had not. So my server was in a vulnerable state to begin with - now sorted.
We think some kind of bot is making use of some kind of vulnerabilty to modify the Apache config file to include a line like this:
Which uses the Layout module to force footers and headers onto every page on the server. The footer (/usr/local/apache/conf/apache.conf) contains the script. To test for this simply disable the layout module (mod_layout) and see what happens.
Using that one line above means that EVERY web page on the server is infrected. (Fortunately, removing that line also disinfects every page).
The script makes use of an IE vulnerability, such that every IE user that loads the web page is exposed to potentially downloading trojans, keyloggers etc. Martin thinks the virus is related to this:
I hope this saves the next poor soul who gets infected a bit of time. I'm not sure what to do with new(?) discoveries like this but I'm sure the mod does. Kudos to Martin from http://3klabs.com for solving this. He saved my skin.