In this case, the injected code is an IFRAME pointing to hxxp:||mediahousenamemartmovie.cn:8080/ts/in.cgi?pepsi27 and redirecting to hxxp:||nonfathighestlocate.cn:8080/index.php which attempts to load a Flash exploit (VirusTotal results) and PDF exploit (VirusTotal results). The payload includes a DLL (perhaps C:\WindowsSystem32\1028T.DLL although it may vary) that offers some sort of backdoor functionality (VirusTotal results).
The malware domains are on 89.149.240.64 in Germany, all domains on that server seem to be malware related and should be blocked. The server identifies itself via RDNS as "fuckingl33t.eu" although that proves nothing.
- Autobestwestern.cn
- Bestlitediscover.cn
- Bestwebfind.cn
- Bigbestfind.cn
- Bigtopartists.cn
- Giantnonfat.cn
- Greatbethere.cn
- Homenameworld.cn
- Hugebest.cn
- Hugebestbuys.cn
- Hugepremium.cn
- Hugetopdiscover.cn
- Litepremium.cn
- Litetopfinddirect.cn
- Litetopseeksite.cn
- Lotbetsite.cn
- Mediahomenameshoppicture.cn
- Mediahousenamemartmovie.cn
- Nameforshop.cn
- Nanotopdiscover.cn
- Nonfathighestlocate.cn
- Thebestyoucanfind.cn
- Topfindworld.cn
- Toplitesite.cn
- Tvnameshop.cn
- Yourlitetopfind.cn
If this is related to Gumblar, then the problem could be down to compromised FTP passwords. If your site has been infected with this attack, then you need to carefully check each machine that has FTP access to your website, clean them up and then change your FTP password to something secure.