It seems that a good number of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly into their databases (SQL injection) via an unknown source (probably a vulnerable extension, but we are still researching the entry point).
This is what is being added to the infected sites (at the top of every post in the jos_content table):
There are many other domains being used in this attack, including:
Note that these are different from the Lizamoon SQL injection of a few days ago. Lizamoon targeted IIS/ASP.NET sites, while this one seems to target only Joomla sites.
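To check a site's own database for the pattern described above (code referencing “.cc” hosts at the top of posts in jos_content), the following is an added example, not code from the original post. It assumes the default `jos_` table prefix and the `introtext` column, and it runs against a constructed in-memory table whose `example.cc` hosts are placeholders rather than indicators from this attack.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Absolute or protocol-relative URLs embedded in article HTML.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>]+""", re.IGNORECASE)

def cc_refs(html):
    """Return (offset, host) for each URL in html whose host is under the .cc TLD."""
    refs = []
    for m in URL_RE.finditer(html or ""):
        url = m.group(0)
        if url.startswith("//"):
            url = "http:" + url  # give protocol-relative URLs a scheme for parsing
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            continue
        if host.endswith(".cc"):
            refs.append((m.start(), host))
    return refs

def scan_content(conn):
    """Flag jos_content rows whose introtext references a .cc host."""
    findings = []
    # Assumes the default "jos_" prefix; adjust for a custom table prefix.
    query = "SELECT id, title, introtext FROM jos_content ORDER BY id"
    for row_id, title, intro in conn.execute(query):
        refs = cc_refs(intro)
        if refs:  # a small first_offset means the reference sits at the top of the post
            findings.append({"id": row_id, "title": title, "first_offset": refs[0][0],
                             "hosts": sorted({h for _, h in refs})})
    return findings

def demo_db():
    """Constructed rows; example.cc hosts are placeholders, not indicators from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_content (id INTEGER PRIMARY KEY, title TEXT, introtext TEXT)")
    conn.executemany("INSERT INTO jos_content VALUES (?, ?, ?)", [
        (1, "Clean", '<p>See <a href="http://example.org/a.cc">this file</a>.</p>'),
        (2, "Tampered", '<script src="http://bad.example.cc/x.js"></script><p>Hi</p>'),
        (3, "Relative", '<p>Hello</p><img src="//cdn.example.cc/p.gif">'),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan_content(demo_db()):
        print(finding)
```

Matching on the parsed hostname rather than the raw string keeps a link such as `http://example.org/a.cc` from being flagged, while protocol-relative references are still caught.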