Question : How did this happen?

Getting this added to the bottom of several files and causing problems.

How is this happening and what can I do about it?

We don't run a CMS, we run Prestashop, however, they are both older versions.
We did get this on one site that did not have Prestashop installed, too.

Any ideas?

{I put spaces in the link so people wouldn't get the warnings)
1:
<iframe src="http : // eiueuiuewi.com /7JF8963DH53SJ4/" width="4" height="2"></iframe>


IP address for eiueuiuewi.com: 77.78.240.154

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
Whois Info:
Registrant Contact:
   Whois Privacy Protection Service
   Whois Agent [email protected]
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Administrative Contact:
   Whois Agent [email protected]
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Technical Contact:
   Whois Agent [email protected]
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Billing Contact:
   Whois Agent [email protected]
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Answer : How did this happen?

Same here.
I use my website as a sandbox for several things.
For some reason my /404/index.php was changed.
But now I have to download 2gb's of web files to preserve my uncorrupted source files.
I requested FTP access logs, but some form of XSS attack with an iframe.
How they were able to gain access isn't currently known, but lots of fun going through every single page to do a file comparison.
And then change all of the database passwords and connection strings.
I was able to verify it wasn't done using any scripting means.

Once I get the FTP logs I will look to find out if it was brute force or if they had the password.
All I know at this point is the file changes occurred within the passed 7 days.

To find out if another site was corrupted please post websites you frequent regularly to see if it has been XSSed (a forum that is stealing your session/cookie info)

My site: torntech.com (sand box, several subwebs)
I use NetBeans IDE that has my password stored and is unique as compared to website I visit.
I also use google chrome.

This is not a spam attempt but an attempt to find the source of the compromise hence the full url was left out..
mootools
mooforum (which is oddly logging me out)
ch131
bleachget
Random Solutions  
 
programming4us programming4us