The past couple of weeks I've been seeing this exploit happen to more and more people.
It's either a javascript trojan insertion connecting to uniqcontent.com
or an iframe trojan insertion connecting to megacount.com
or both....
We have had this happen to a couple customers. Unfortunately each fix has been slighly different. Some of the fixes have been:
Getting rid of a counter
Getting rid of a 3rd party WordPress template
Fixing WordPress file permissions
Below are some of the recent threads started:
http://www.gfy.com/fucking-around-and-business-discussion/660506-getting-hacked.html
http://www.gofuckyourself.com/showthread.php?t=661811
http://www.gofuckyourself.com/showthread.php?t=662380
http://www.gofuckyourself.com/showthread.php?t=661965
http://www.gofuckyourself.com/showthread.php?t=662468
http://www.gofuckyourself.com/showthread.php?t=664196
Originally people thought this was directly related to WordPress, but it appears to be happening to non WP sites as well.
There are 4 or 5 hosts mentioned, so this is not host specific.
Then it was thought to be a cPanel issue, but not everyone is running cPanel.
dissipate posted these links:
http://www.securiteam.com/unixfocus/6R0030UH5W.html
http://www.securiteam.com/unixfocus/6M00315H5S.html
other suggestions:
http://www.securityfocus.com/bid/14088/info
http://www.securityfocus.com/bid/18372
No one has really followed up with h0w the issue has been resolved.
I'm basically trying to get all the info in to one thread for any others that may come across this exploit.