Background: Several pages on MetaFilter last night had a script tag pointing to an h.js file on tejary.net. I was going to post this as a comment, but the website was taken down.
Hopefully this helps someone:
h.js is a file that writes an iframe when executed, an iframe pointing to kodim.net’s faq.htm.
faq.htm is one-line script tag for a JavaScript file from count49.51yes.com. (Here’s a cleaned up version on Pastie.) The count49 JS file creates an anchor tag and an iframe as you can see from this pastie. The anchor tag (containing the little graph icon) seems fairly banal, and the iframe points to a website in Chinese that’s throwing an ASP error.
The count49 JS file also looks for two cookies: cck_lasttime and cck_count, which don’t seem specific to MetaFilter. If they don’t exist, the JS creates them. If they do exist, it increments cck_count and updates cck_lasttime.
I would cautiously say that there’s no attempt to steal user data here, with the massive grain of salt in that I’ve only spent five minutes looking at this for the fun of it. However, the fact they did manage to get into MetaFilter is worrying.