
Injection Attacks


  • Injection Attacks


    Been very happy with this company (even though they are not UK based as they purport to be)

    Just recently though I have been hit by some injection attacks.

    This has never happened before and I am not getting very much info from support.

    I type away and they ignore most of what I write.

    Has anyone else noticed a rise in the amount of attacks their servers are getting?


  • #2
    Another wrong assumption

    Well, I think this is part of the problem.

    Not listening to the problem scenario properly.
    Not asking any questions.
    Largely ignoring the client's wishes.

    1. Why would you assume that it was an SQL injection?
    2. Why would you not assume an HTML injection?

    If your server was hacked do you think it is good advice to download all of your code, scan it and upload it to the server again?

    Of course not - if the virus was on the server then it's simply going to start affecting the pages again.

    I know the support guys do the best they can but if they actually sat, listened and understood the problems rather than running multiple support calls via a chat window then perhaps problems could be sorted out properly and they wouldn't waste time going around in circles.

    With regards to where you are based - your main office may well be in the UK but all support calls seem to be routed through to India. God knows where the servers are actually based.


    • #3
      ARP Poisoning Attack

      The issue with the injected malicious link in your page has been sorted out. None of the pages were physically injected with those URLs. It was indeed a network type injection & was related to the ARP poisoning attack.

      One of our dedicated servers used the Gateway IP of the same subnet used on the VPS node server, i.e. the server on which your VPS is hosted, & was using it to inject javascript code in our network.

      The Address Resolution Protocol (ARP) is the method for finding a host's link layer [MAC] address when only its Internet Layer (IP) or some other Network Layer address is known. ARP spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that indeed make use of ARP & not another method.

      The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

      ARP spoofing attacks can be run from a compromised host, or a hacker's machine that is connected directly onto the target Ethernet segment.

      We have terminated that infected server and have set up static ARP on the gateway on each box, which will prevent such attacks.

      We have also raised this issue with our router manufacturers for immediate protections and to prevent such things from happening again in future.

      WebHosting UK Com Ltd. is operated from our registered office based in London and Datacenter in Maidenhead (Berkshire, England). We also have our support staff based in a few other locations like Leeds, Durham and India. Our Level 1 support operates from our Indian Office and that is during off peak hours and weekends only.
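
A defensive check for the condition described in post #3, as an added example that is not part of the original thread or the host's own tooling: it reads a Linux ARP cache in `/proc/net/arp` format and reports when the gateway's MAC differs from a known-good value, when the gateway entry is dynamic rather than static, or when the gateway's MAC also answers for another IP. The addresses, the sample table and the function names are constructed for illustration.

```python
# Added example: audit a Linux ARP cache for signs of gateway ARP poisoning.
ATF_COM, ATF_PERM = 0x02, 0x04  # "complete" and "permanent" bits, <linux/if_arp.h>

# Constructed sample in /proc/net/arp format (documentation-range addresses).
SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:bb:cc     *        eth0
192.0.2.57       0x1         0x2         02:00:00:aa:bb:cc     *        eth0
192.0.2.80       0x1         0x2         02:00:00:11:22:33     *        eth0
"""

def parse_arp(text):
    """Return [(ip, flags, mac, device)] for complete (resolved) entries."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        flags = int(fields[2], 16)
        if flags & ATF_COM:
            entries.append((fields[0], flags, fields[3].lower(), fields[5]))
    return entries

def check_gateway(entries, gateway_ip, known_mac):
    """Return findings for the gateway entry; an empty list means it looks sane."""
    known_mac = known_mac.lower()
    findings, by_mac = [], {}
    for ip, flags, mac, dev in entries:
        by_mac.setdefault((dev, mac), []).append(ip)
        if ip != gateway_ip:
            continue
        if mac != known_mac:
            findings.append(f"gateway {ip} resolves to {mac}, expected {known_mac}")
        if not flags & ATF_PERM:
            findings.append(f"gateway {ip} entry is dynamic, not static")
    # One MAC answering for the gateway and another host is the classic symptom.
    # A router with several addresses on the segment would also match: verify.
    for (dev, mac), ips in by_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(i for i in ips if i != gateway_ip)
            findings.append(f"{mac} on {dev} also claims {others}")
    return findings

if __name__ == "__main__":
    for finding in check_gateway(parse_arp(SAMPLE), "192.0.2.1", "02:00:00:de:ad:01"):
        print("WARNING:", finding)
```

On a real host, pass the contents of `/proc/net/arp` and the gateway MAC recorded from a trusted source instead of the sample values.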


      • #4

        Thank you kindly for the comprehensive and frank explanation.

        This is most welcome and has put my mind at ease with regards to whether it was my fault (i.e. bad code)