SleepsInSun

You don't need to know the criteria that the malware is using to activate the redirection. You know the infection exists. You know what code should be in your scripts... The fault isn't elsewhere. It's very likely in your skin_cache directory. Please read this post (I know, it's long, but I swear you'll learn something) and see if it will help you track it down. https://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/ The exploit you're looking for may use different variable names, and it may reside elsewhere, but from the way it looks this is the kind of exploit you need to locate. I'm not trying to be an ass here, but all of us who own sites have minimum responsibilities that need to be observed, and allowing something like this to go on for months is not appropriate. It's not the kind of thing you can just put off pending some future renovation of the site. This really shouldn't take more than an hour or two to fix, depending how well it's hidden.

This site doesn't run on phpBB, it runs on ipb. phpBB hasn't been vulnerable to this kind of garbage for years. Redirecting users to a site that serves malware is no better than serving it up yourselves. The particulars are irrelevant. The site owners are aware of the issue and refuse to address it properly. There is nothing at all difficult about finding and cleaning up this kind of exploit. If they can't do it, they should hire someone. If they can't do that, they should disable the affected script. This isn't rocket science.

The infection is still present. I just encountered it. I'm pissed that you've known about this for two months and think "recaching templates" is going to solve your problem! I'm reporting this site as an attack site to Mozilla, Google, etc as you don't seem qualified or interested in cleaning it up. This is a very serious issue. You cannot go on serving malware to your users and just plead ignorance. This site should get someone who has a clue about maintaining a website and server. 2 months! It shouldn't have taken 2 hours! At the very least you have an ethical duty to shut down the infected portions of the site so as to limit further spread of this malware.