This was uncovered in several joomla installs last week. Apparently the attackers install some “Fake” modules (in these cases it was mod_administrator, mod_msn, and mod_araticlhess that were discovered and removed) not sure yet if they are related, but it appears they are, I just need to do more digging for details and will hopefully uncover something of interest. This little snipplet will look for specific browsers and create a javascript iframe that will ultimately redirect users to lyblynoski.isa-geek.com, which Google has thankfully flagged for malware.
