Recently I had a security incident where ... / 2013-12-18

Recently I had a security incident where a site was flagged as hosting malware, but it took quite some searching to find the actual source of the problem. Access with a Windows web browser with Avast security gave a big fat security alert mentioning 'js-hideme-h trj'.

I couldn't find the offending code until I checked the site with Sucuri SiteCheck website security scanner which found:
Known javascript malware.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState(); 
This is a bit of obfuscated javascript code. Some more searching found the full code:
[Image: autson javascript]
Sorry about the inline image for this code, but I found out some virus scanners don't like even the text version of this javascript code. Also available: autson javascript obfuscated css. When your virus scanner stops you from accessing that javascript: look for a virus scanner that doesn't protect your browser from code which wants to mislead search-engine bots.
To run this bit of code in SpiderMonkey I need to change the document.write to print and test it:
koos@vm-u-04:~$ js test.js
<style undefined>.dnn{position:absolute;top:-9999px}</style>
Now that is CSS (cascading style sheet) code to hide a bit of page from the browser (outside the viewport) and this is indeed a sign of evil SEO (search engine optimization) tricks happening. There was only one link after that bit of css, and it was:
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>
Which indeed uses that CSS class dnn. A web search for 'autson.com' found me 'Malicious Joomla Extensions', which explains the problem more clearly and shows that in a different version of the extension the code to be shown is fetched from a server, which means even worse code can be included.
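
The check done by hand above can be automated. This is an added example, not code from this site, the extension or Sucuri: it scans saved page HTML for CSS classes positioned far outside the viewport and lists the links placed inside them. The function names, the 1000px threshold and the sample page are assumptions made for the illustration.

```javascript
// Constructed sample: the <style> printed by the script and the hidden
// paragraph quoted in the post, plus one ordinary visible link for contrast.
const samplePage = [
  '<style undefined>.dnn{position:absolute;top:-9999px}</style>',
  '<p class="intro">See the <a href="/docs/">documentation</a>.</p>',
  '<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>',
].join('\n');

// Collect class names whose CSS rule moves the element far outside the viewport.
function offscreenClasses(html, threshold = 1000) {
  const hidden = new Set();
  const styleRe = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  const ruleRe = /\.([\w-]+)\s*\{([^}]*)\}/g;
  for (const [, css] of html.matchAll(styleRe)) {
    for (const [, cls, body] of css.matchAll(ruleRe)) {
      const positioned = /position\s*:\s*(absolute|fixed)/i.test(body);
      const offsets = [...body.matchAll(/(?:top|left|right|bottom)\s*:\s*(-?\d+)px/gi)];
      if (positioned && offsets.some(([, n]) => Number(n) <= -threshold)) hidden.add(cls);
    }
  }
  return hidden;
}

// Report every link inside an element carrying one of those classes.
// Regex matching is enough for a triage pass; it does not handle an element
// nested inside another element of the same tag name.
function hiddenLinks(html) {
  const hidden = offscreenClasses(html);
  const findings = [];
  const elemRe = /<(\w+)\b[^>]*\bclass\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/\1>/gi;
  for (const [, , classAttr, inner] of html.matchAll(elemRe)) {
    const cls = classAttr.split(/\s+/).find((c) => hidden.has(c));
    if (!cls) continue;
    for (const [, href] of inner.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi)) {
      findings.push({ cls, href });
    }
  }
  return findings;
}

console.log(hiddenLinks(samplePage));
```

The style block has to be in the HTML being scanned, so for a page like this one the input is the page source with the script's printed output added, as in the sample.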

Be careful with your Joomla (or other CMS) plugins.


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4