From my experience are these contents only provided once per IP and then you're getting filtered to not get any content again, to prevent 'easy' detection of this.
You simply get blacklisted after the first serving
Yeah, I ran across malware once that only injected JS for visitors from certain referrers, such as Google search. I believe the intention was so that when someone would tell me, "Hey, you have a bunch of weird links on your site" I would go to it directly and not see a problem. IIRC the .htaccess had been modified.
I've seen this sort of thing from the Darkleech apache module[1]. It also won't show the malicious Javascript to any IP that appears in the `last` log. It looks like php.net uses Apache too[2]. The easiest way I've seen to find the module (they come with a variety of names) is to do something like
What a mess. I hope running Chrome via EMET is enough to keep my machine safe.
I've noticed that hacks have gone up recently in my little part of cyberspace. Things like Cryptolocker are so profitable that its motivating a lot of talented guys to get into malware and hack servers. Usually servers running some unpatched CMS or module.
2) Now when I browse to static userprefs.js on my desktop in incognito mode, no obfuscated contents.
3) When i browse to static userprefs.js on normal mode I get the following js appended:
4) When I control F5 the page to refresh, obfuscated contents are gone.So I'm leaning towards it being hacked a while ago and the hacked version was in my cache.