Mystery Malware
Filed under (Geeking Out, Minor Details) by The Cubelodyte on June 11, 2009 @ 05:23 pm

For the last few weeks I’ve been baffled by Safari complaining that this site was a malware host. The most puzzling aspect of the whole ordeal was that the Safari/Google malware warning referenced the IP address 74.222.134.170, and not 208.97.175.192, where it actually resides. A direct Google malware query on the domain came back clean, too, so it didn’t seem, on the face of it, that my webserver had been compromised.

A perceptive fellow on the Google Webmasters forum noticed this bit of fun in my source code:

Thinking it was a result of an injection exploit like this person found, I went over all my WP files (plus my theme directory) with a fine-toothed comb, but found nothing. A further bit of digging turned up other WordPress users who were encountering the exact same problem. The iframe code was inserted directly into posts, but by what means, nobody seems to be sure.
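Since the injected iframe lived in post content rather than in the theme or core files, combing the filesystem could never have found it; the place to look is the post bodies themselves. The scanner below is an added example, not code from this post, and works on constructed sample posts (the trusted host names, the placeholder malware host and the post bodies are all made up). It flags iframes whose src points off-site, which is why the browser warning named a host other than the blog's own server, and iframes sized or styled so the visitor never sees them.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately embeds from (constructed for the example).
TRUSTED_HOSTS = {"example-blog.test", "www.example-blog.test"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def parse_attrs(tag):
    """Return the attributes of one opening <iframe ...> tag as a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs

def is_suspicious(attrs):
    """List the reasons an iframe looks injected; empty list means it looks benign."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host not in TRUSTED_HOSTS:
        reasons.append(f"external src host {host}")
    # Injected frames are usually shrunk to nothing so nobody notices them.
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={attrs[dim]}")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via style")
    return reasons

def scan_posts(posts):
    """posts: iterable of (post_id, html). Returns [(post_id, tag, reasons)] for flagged iframes."""
    findings = []
    for post_id, content in posts:
        for tag in IFRAME_RE.findall(content):
            reasons = is_suspicious(parse_attrs(tag))
            if reasons:
                findings.append((post_id, tag, reasons))
    return findings

# Constructed sample post bodies, not this site's real content.
SAMPLE_POSTS = [
    (1, "<p>Nothing to see here.</p>"),
    (2, "<p>A clip:</p><iframe src='http://www.example-blog.test/clip' width='400' height='300'></iframe>"),
    (3, "<p>Post text.</p><iframe src=\"http://malware-host.invalid/in.php\" width=0 height=0 style=\"display: none\"></iframe>"),
]

if __name__ == "__main__":
    for post_id, tag, reasons in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {tag}\n  -> {', '.join(reasons)}")
```

Against a real site, feed it the post_content column exported from wp_posts instead of SAMPLE_POSTS.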

I will—shamefully—admit that both my WordPress admin and FTP passwords were pretty weak, and could have been brute-forced pretty easily. They’re much stronger now, and I’ve updated to WordPress 2.8, and the three posts here that contained the offending code have been cleaned. I haven’t seen any new malicious insertions since taking those steps, but I remain suspicious. If you see anything even remotely weird in the next couple of weeks here, let me know.

Comments:
1 Comment posted on "Mystery Malware"
faerie238 on June 14th, 2009 at 9:55 AM

Let you know if I see anything weird on here? Sorry, Mister, everything on here is a little weird.

