Hi spg SCOTT,
Thanks for explaining this. The spacer.gif method is known to us now, the alleged 404 redirect is known also, and the code in index.php is also known. You will find what spg SCOTT gives also here: htxp://jsunpack.jeek.org/?report=f1b2736e07d7ab991c6b3405cc35995906e25b28 (visit this jsunpack link when security savvy, with script blocking enabled, and in a VM)
Similar obfuscation flagged here through Google Safebrowsing: hxtp://www.pvvanopijnen.nl/index.php?option=com_content...feed...
So webmasters have to check weird input and re-check weird input, it can be malcode round the corner...
polonus