Infected index.html files not captured by Symantec/Norton Mac/PC AV and other AV products

ISSUE

All of the <index.html> files on our server have been infected by embedded code redirecting users to <thedeadpit.com>, a known trojan site (Reference Link: https://safeweb.norton.com/report/show?name=thedeadpit.com).


ANALYSIS

Viewing the text files using MS Word shows empty text files - but when we use Mac OS X TextEdit.app (OS X v 10.5.6) the file displays the embedded HTML trying to link to <thedeadpit.com> using the OpenDNS servers, as shown in the graphic below.


INDEPENDENT VERIFICATION - INTERNAL

None of our PC users or developers can see this - but Google flagged the redirect - it is zeropane embedded code (i.e. you can't see it - but it's there). This only shows up on the Safari v3.2.1 browser (haven't looked at previous browser versions). Mozilla and IE do not flag the code. Safari is apparently tightly bound to Google's malware alert engine.


ROOT CAUSE

We have not identified how the site was hacked - but we suspect an infected PC using a corrupted FTP client, as the logs do not show FTP logs from unknown IPs. Again - PCs using Mozilla or IE cannot see this web redirect.


SOLUTION - INTERIM

The only way to fix this is to create a new clean text file - copy the HTML code and save it over the existing index.html, and reload the file to the server. We are working on an automated way to fix this (a combination of AppleScript and Unix shell scripts). Our site is small and only has about 2,400 index.html files, spread (of course) through 2,400 directories, to clean. We've already cleaned the visible HTML code redirecting our site visitors to this malware site - but the embedded code is a really sneaky trick and very troublesome to repair.
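As an added example (this is not the poster's AppleScript/shell tooling), the script below does the two things the interim cleanup needs when there are 2,400 directories to check: it walks a web root, flags every index.html that carries a zero-size or style-hidden iframe or any reference to thedeadpit.com (the only indicator taken from the post), and can strip the hidden iframes so the file can be re-uploaded. The "zero-size iframe" heuristic, the `BAD_DOMAINS` list, the function names and the two sample HTML documents are assumptions constructed for the example, not anything recovered from the poster's files.

```python
"""Scan a web root for index.html files carrying a hidden (zero-size or
style-hidden) iframe or a reference to a known-bad domain, and optionally
strip the hidden iframes. Added example; the heuristics are assumptions."""
import os
import re
import sys

# Indicator taken from the report above; extend with your own domains.
BAD_DOMAINS = ("thedeadpit.com",)

# Any <iframe ...>...</iframe> (or self-closed) tag, case-insensitive.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>|<iframe\b[^>]*/?>", re.I | re.S)
# width/height attribute of 0 or 1 (assumed "invisible frame" heuristic).
ZERO_SIZE_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?\s*[01]\s*[\"']?(?![0-9])", re.I)
# Inline style that hides the frame (assumed heuristic).
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?(?![0-9.])", re.I)


def _is_hidden_iframe(tag: str) -> bool:
    return bool(ZERO_SIZE_RE.search(tag) or HIDDEN_STYLE_RE.search(tag))


def scan_html(text: str):
    """Return a list of (kind, snippet) findings for the contents of one file."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if _is_hidden_iframe(tag):
            findings.append(("hidden-iframe", tag[:120]))
    low = text.lower()
    for dom in BAD_DOMAINS:
        idx = low.find(dom)
        if idx != -1:
            findings.append(("bad-domain", text[max(0, idx - 40): idx + len(dom) + 40]))
    return findings


def strip_hidden_iframes(text: str):
    """Remove every iframe scan_html would flag; return (new_text, removed_count)."""
    removed = 0

    def repl(m):
        nonlocal removed
        tag = m.group(0)
        if _is_hidden_iframe(tag):
            removed += 1
            return ""
        return tag

    return IFRAME_RE.sub(repl, text), removed


def scan_tree(root: str, filename: str = "index.html"):
    """Walk root; return {path: findings} for every index.html with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if filename in files:
            path = os.path.join(dirpath, filename)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings = scan_html(fh.read())
            if findings:
                report[path] = findings
    return report


# Constructed sample documents (not taken from the poster's server).
CLEAN_SAMPLE = ('<html><body><h1>Welcome</h1>'
                '<iframe src="/map.html" width="400" height="300"></iframe>'
                '</body></html>')
INFECTED_SAMPLE = ('<html><body><h1>Welcome</h1>'
                   '<iframe src="http://thedeadpit.com/" width="0" height="0" '
                   'frameborder="0"></iframe></body></html>')

if __name__ == "__main__":
    # Usage: python scan_index.py /path/to/webroot   (report only, no rewriting)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in sorted(scan_tree(root).items()):
        for kind, snippet in findings:
            print(f"{path}: {kind}: {snippet!r}")
```

Run it read-only first and review the report; only once the flagged tags all look like the injected frame should `strip_hidden_iframes` be applied and the result written back, since a legitimate hidden iframe would be removed just the same. Files that MS Word renders as empty should also be compared byte-for-byte with a known clean copy, because the heuristic only catches injected HTML it can parse as an iframe.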