Mysterious Javascript malware compromises UK sites

According to security vendors, about 230 British websites have been compromised and serve malware to their visitors. The problem is, nobody knows how those websites got compromised in the first place. And more importantly, how they keep getting compromised after being cleaned up.

That could be a modern-day version of Gaston Leroux's "Mystery of the Yellow Room": web servers get compromised, cleaned up, locked up and compromised again, without the experts watching them being able to understand the process.

According to ZDNet UK, about 230 legitimate websites have been compromised and were serving the usual mix of malware and adware to their visitors, as well as Trojans and rootkits. Once warned, the companies managing those servers cleaned up the infection, only to find them quickly infected again.

This "clean up and re-infect" cycle has been repeated several times without the techs looking after the servers being able to understand how the infection was able to come back. Experts from security vendors ScanSafe and SecureWorks looking into the infections have yet to understand how the servers get compromised again and again.

It was first thought the servers had initially been compromised through a traditional vulnerability and then equipped with a loadable Apache kernel module rootkit. Such a setup would allow for repeated entries, even after the initial vulnerability had been closed. But when the servers were re-installed with a static Apache kernel (generally a good idea anyway, for both security and performance), the break-ins kept occurring, much to the experts' dismay.

To add to the difficulty of the situation, malware is being distributed to clients through sophisticated dynamic Javascript code that is generated on the fly and changes name at each display of the web page. This eliminates the possibility of tracking down infected hosts with a simple Google search on the script's name, as is the norm with other regular IFRAME-deployed malware. It also makes it difficult to know exactly how many websites are actually compromised; the count may be much higher than the 230 known at this moment.

Without more information, it's difficult to offer remediation for this new attack, except to ask users to disable Javascript, at the cost of a significant loss of functionality. Server operators, on the other hand, will need to wait for more detailed information about the means of infection. Until then, a scan for regular exploits and malware coming out of their servers might be advisable.
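Because the injected script changes its name on every page view, a scan of what the server actually sends has to look at the structure of the injected code rather than at file names. The following is an added example, not code from SecurityNewsletter or from the vendors named above: a small heuristic scanner that an operator could run over the HTML their server serves, flagging hidden IFRAMEs and inline scripts that decode escaped strings at runtime. The sample page, the `.invalid` hostnames, and the thresholds in the regular expressions are constructed for the demonstration and would need tuning against a site's own legitimate scripts.

```python
"""Heuristic scan of served HTML for injected script/IFRAME content.

Added example (not the article's or the vendors' code). It looks for the
shape of injected client-side code, not its file name, since the article
notes the name changes on every page view.
"""
import re
from html.parser import HTMLParser

# Assumed thresholds: a run of 16+ escape sequences, or a script body that
# is more than half escape sequences, is treated as suspicious.
ESCAPE_SEQ = r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}"
ESCAPE_RUN = re.compile(r"(?:%s){16,}" % ESCAPE_SEQ)
DYNAMIC_EVAL = re.compile(r"\b(?:eval|unescape|document\.write)\s*\(", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _Collector(HTMLParser):
    """Collect inline/external scripts and IFRAMEs with their line numbers."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # (line, src attribute or None, inline body)
        self.iframes = []   # (line, attribute dict)
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag == "script":
            self._current = [line, attrs.get("src"), ""]
        elif tag == "iframe":
            self.iframes.append((line, attrs))

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def _is_hidden_iframe(attrs):
    """Zero-sized or CSS-hidden IFRAMEs have no legitimate visual purpose."""
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    style = attrs.get("style") or ""
    return width in ("0", "0px") or height in ("0", "0px") or bool(HIDDEN_STYLE.search(style))


def _escape_ratio(body):
    """Fraction of the script body made up of %XX, \\xXX or \\uXXXX escapes."""
    total = len(body.strip())
    if total == 0:
        return 0.0
    escaped = sum(len(m.group(0)) for m in re.finditer(ESCAPE_SEQ, body))
    return escaped / total


def scan_html(html):
    """Return a sorted list of (line, reason) findings for one page."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, attrs in parser.iframes:
        if _is_hidden_iframe(attrs):
            findings.append((line, "hidden IFRAME -> %s" % attrs.get("src", "?")))
    for line, src, body in parser.scripts:
        if src is not None:
            continue  # external scripts would be checked by fetching them
        if DYNAMIC_EVAL.search(body) and ESCAPE_RUN.search(body):
            findings.append((line, "inline script decodes an escaped string at runtime"))
        elif _escape_ratio(body) > 0.5:
            findings.append((line, "inline script is mostly escape sequences"))
    return sorted(findings)


# Constructed sample page: two legitimate scripts, then an injected script
# whose escaped string decodes to <iframe src="http://example.invalid/">,
# and a zero-sized IFRAME. Nothing here points at a real host.
SAMPLE_PAGE = """<html><head><title>Example shop</title>
<script src="/js/site.js"></script>
<script>var page = 'catalogue'; trackView(page);</script>
</head><body>
<h1>Welcome</h1>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%22%3E'));</script>
<iframe src="http://example.invalid/ad" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, reason in scan_html(SAMPLE_PAGE):
        print("line %d: %s" % (line, reason))
```

Run over the constructed page, the scanner reports lines 6 and 7 and stays silent on the site's own scripts. In practice an operator would fetch each page from the outside (as a visitor would see it) rather than read files from the web root, since a compromised server may serve different content than it stores, and would compare results across repeated fetches to catch the on-the-fly variation the article describes.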