My client is running the plugin WP125 on his site, and in Chrome's console I notice the following:
Resource interpreted as Image but transferred with MIME type text/plain: "http://l.betrad.com/ct/0_0_0_0_0_8366/us/0/1/0/0/0/0/1/242/141/0/pixel.gif?v=705&ttid=2&d=a.rfihub.com&m=5&r=15713".
Where l.betrad.com is listed here...
XHTML block that the code is referenced from:
Anybody else having this occur? The plugin looks legit and infected at the same time.. I cannot find any reference to the URL in the plugin's code, which suggests the programmer is trying to hide it. Or, could I be wrong and betrad.com is just used for handling data? Because...
Looks extremely legit.