A new form of script injection
The good people at Armorize recently discovered and analyzed a new form of script injection, which they have dubbed "Mass Meshing Injection." The unique characteristic of this new attack is that each compromised site loads a malicious script from a different compromised site, thus the "mesh" effect. According to Armorize, many of the compromised sites had not yet been picked up by major blacklists, including Google's, as of the date of the blog post.
According to Armorize, the telltale signs that a site has been compromised are the presence of a <script> tag pointing to somedomain/sidename.js within the website's contents, and two files injected in the site's root folder: sidename.js and wpcomplate.php.
Based on what we've read, it seems that sites that remove the above-mentioned files and tags often find themselves reinfected shortly thereafter, and there may be a backdoor in play.
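The indicators described above can be checked mechanically. The following is an added example, not code from Armorize or StopBadware: a small Python scanner that looks for the two named files in a site's root folder and for a script tag whose source ends in sidename.js in the site's pages. The function names, the list of page extensions, and the sample site it builds are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators named in the post above: two dropped files and a script tag.
INJECTED_FILES = ("sidename.js", "wpcomplate.php")
# Matches <script ... src=...sidename.js>, quoted or unquoted, any host.
SCRIPT_TAG = re.compile(
    rb"<script\b[^>]*\bsrc\s*=\s*[\"']?[^\"'\s>]*\bsidename\.js", re.IGNORECASE)
# Assumption: these extensions hold the site's page markup; adjust per site.
PAGE_EXTENSIONS = (".html", ".htm", ".php")

def scan_webroot(root):
    """Return (dropped_files, tagged_pages) for the site rooted at `root`."""
    dropped = [n for n in INJECTED_FILES if os.path.isfile(os.path.join(root, n))]
    tagged = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if SCRIPT_TAG.search(data):
                tagged.append(os.path.relpath(path, root))
    return dropped, sorted(tagged)

def build_sample_site(root):
    """Constructed sample site: one clean page, one injected page, both files."""
    files = {
        "index.html": b"<html><script src='/js/site.js'></script></html>",
        "blog/post.php": b'<p>hi</p><script src="http://somedomain/sidename.js"></script>',
        "sidename.js": b"/* constructed placeholder */",
        "wpcomplate.php": b"<?php /* constructed placeholder */ ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        dropped, tagged = scan_webroot(site)
        print("dropped files found:", dropped)
        print("pages with injected tag:", tagged)
```

Since cleaned sites are reported to be reinfected, running the same scan again after cleanup shows whether the files or tags have returned.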
We're asking the StopBadware community to help us become a resource for tracking this attack and helping site owners clean their sites of it. If you know more about this attack or new variations of it, please share them with the community. You can do so by posting to BadwareBusters.org or adding a comment here. If you have a lot to say, you may propose a guest blog post by emailing us at contact<at>stopbadware<dot>org. (Note: no guest blog posts containing product or service promotions will be accepted.)