I have a client who runs a support site based on what we think is Kayako (A proprietary helpdesk software encrypted with Zend which makes searching for the exploit even harder because everything is encrypted.).
It appears through some method not clear to us at this stage, a malware kit has been inserted, something like Sweet Orange. It's possible it's because the code base underneath has been
It manifests itself in appending a <script> section to the webpage (after the closing </html> tag). But it doesn't always do it, it's either random or some more sophisticated algorithm.I can't find it anywhere in .php files so I suspect it's either encrypted or stored in the database as part of template. I think it's out of our level of expertise, wondering if anyone here has some advise or could offer some assistance?