So today while checking around I found this in a html source file. The first part is what was there...the second part is the script enencoded. So I did a grep for 'document.write(unescape' and found a handful of sites that back in may/June were exploited. It seems this little script wrote itself to any files on the server that it had permission. A few of my sites have safe_mode off (very few) and those that had public write permissions (666 or 777) had this added to the header. I went and cleaned it all up. I and of course I corrected any files that were public write. Does anyone know anything more about what this piece of code is suppose to do? I know an exploit exists in IE that this code I think takes use of. Luckily I don't use IE :-)
Anyone want to take a stab at this? I bet I was exploited from phpbb before I updated. There was a week I took to do a critical update. When you have 200 sites and dozens of scripts it's hard to keep up with new updates and exploits.