New Jersey’s source for Open Source Consulting since 1998

Google Analytics

[This is being reposted since I'm too lazy to move the WP database from the old host to the new host. -- f^2 ]


An old client called up with a problem. Whenever he went to one of the sites he hosts, he was prompted to download a trojan. He didn’t test all of the sites he hosts, but no other site he tested had the problem.

After snooping around, er, investigating the problem, I fired up Ethereal (which is now called Wireshark) and hit the website. I noticed an HTTP GET for /content/urchin.js. If any of you web site owners have used the tres cool Google Analytics, you’ll recognize urchin.js as the JavaScript file used by Google Analytics to do its magic. The Evil Hackers probably knew my client used Google Analytics and were relying on that fact.

There’s just a small catch: Google Analytics references http://www.google-analytics.com/urchin.js, not /content/urchin.js. This was enough to make me suspicious. Sure enough, I found the file $HOME/public_html/content/urchin.js. Someone had taken Google’s file, commented out every line and placed an obfuscated JavaScript line in the middle. By moving that file out of the user’s directory, the website no longer prompts you to download a trojan!

The only problem now is, what do I do with this obfuscated JavaScript function? Check back to see if I’ve unobfuscated it!
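The tell in this case was a script named like a vendor file but served from the site itself. The sketch below automates that check over a page's HTML; it is an added example, not code from the original post, and the function name, the sample page and the client.example host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Vendor script name -> the only host that should serve it.
# The urchin.js entry comes from the post; add other vendor files as needed.
EXPECTED_HOSTS = {"urchin.js": "www.google-analytics.com"}

class _ScriptSrcs(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())

def lookalike_scripts(html, page_url):
    """Return resolved script URLs whose file name matches a known vendor
    script but whose host is not that vendor's host."""
    parser = _ScriptSrcs()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        url = urljoin(page_url, src)  # resolves relative and //host forms
        parts = urlsplit(url)
        name = posixpath.basename(parts.path).lower()
        expected = EXPECTED_HOSTS.get(name)
        if expected and (parts.hostname or "").lower() != expected:
            hits.append(url)
    return hits

# Constructed sample page: one genuine vendor reference, one local lookalike,
# and one ordinary site script that should be ignored.
SAMPLE = """
<html><head>
<script src="http://www.google-analytics.com/urchin.js"></script>
<script src="/content/urchin.js"></script>
<script src="/js/menu.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in lookalike_scripts(SAMPLE, "http://client.example/index.html"):
        print("suspicious script reference:", url)
```

Run it over the pages of every hosted site; a hit means both the referencing page and the referenced file on disk need to be examined, since something modified the page to add the reference.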
