This is probably old news, but I thought I would bring it up in case it went unnoticed.
 
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
 
Short version:
There is a malicious Apache 2 filter module that injects IFrames to malicious sites on all virtual hosts on an affected server.  This injection only occurs when the user's browser is running on Windows, the referer is from a collection of hosts (primarily search engines and cannot be blank), and the IP is not from a well-known security research firm.  Because of these conditions, this module is moderately difficult to track down.  Even more scary, this thing can bring with it a module that waits for SSH credentials of an admin, collects them, and ships them off to who knows where.
 
The page I have linked gives much more detail (including means of discovering it), but it's 6 months old.  I've been searching around and haven't found any more useful details (mainly because my Google Fu sucks).  The comments section of that page might be the best source for more recent information.
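
Added example (not part of the original post or the linked article): a differential check for your own server, built on the trigger conditions listed above. It requests the same page with a Windows browser plus search-engine referer and with a control profile, then reports iframes that appear only in the first response. The header values, function names and sample HTML are constructed assumptions.

```python
import re
import urllib.request

# Profile matching the post's conditions: Windows browser, search-engine referer (values assumed).
TRIGGER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Referer": "https://www.google.com/search?q=example",
}
# Control profile: non-Windows browser, no referer, so the filter should stay silent.
CONTROL_HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"}

IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def iframe_sources(html):
    """Collect the src value of every iframe tag in the markup."""
    return set(IFRAME_SRC.findall(html))


def conditional_iframes(control_html, trigger_html):
    """Return iframe sources served only to the trigger profile."""
    return sorted(iframe_sources(trigger_html) - iframe_sources(control_html))


def fetch(url, headers, timeout=10):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Run both profiles against a page on a server you administer."""
    return conditional_iframes(fetch(url, CONTROL_HEADERS), fetch(url, TRIGGER_HEADERS))


# Constructed sample responses so the comparison runs offline.
SAMPLE_CONTROL = """<html><body><h1>Shop</h1>
<iframe width="560" src="https://video.example.invalid/embed/1"></iframe>
</body></html>"""
SAMPLE_TRIGGER = """<html><body><h1>Shop</h1>
<iframe width="560" src="https://video.example.invalid/embed/1"></iframe>
<iframe src="http://injected.example.invalid/in.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    # An empty list is not proof of a clean server: per the post, the module
    # also filters on the requesting IP, so repeat from more than one network.
    print(conditional_iframes(SAMPLE_CONTROL, SAMPLE_TRIGGER))
```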