Description: Code used to insert a malicious javascript into many sites hosted at Rackspace and Mediatemple.
Loads malware from (all of them pointing to 91.193.194.155)
http://google-analytisc.co.cc
http://oiwdd.co.cc
http://pojdue.co.cc
http://js-o-kcjh.cz.cc/21
Infection: It infects PHP or javascript files. Only wordpress sites are infected. More details here: http://blog.sucuri.net/2011/01/malware-update-co-cc.html
Clean up: Contact [email protected] for help.
Malware dump:
document.write(unescape('%3C%73%63%72%69%70%74%20%73%72...