Too late. We was hit yesterday, 14:36 gmt+1. It comes from Brazil. The script modify every .php file in my Zeus Nutshell, 6 Sites in all. He append an on every php file a iframe wich reload exploits to unpatched browsers and adware.
I was running 6.5.1.1 with the external input validator modification. This mod catch nearly all XXS but due this hole my whole site was defaced.
We close all, replaced all php files from last night backup and on the rest of the night I upgrade a heavy modded 6.5.1.1 to 6.5.2. I hoped, thats all, then I come here and this happend to 6.5.2 too ........ I know several .threads (incl keyhole community on google earth). Lets see what happend there <img src="https://www.ubbcentral.com/boards/images/graemlins/frown.gif" alt="" />
