WARNING: Some of the URLs that follow lead to a known malicious toolkit (a.k.a. virus). The only SAFE LINK to click on below is that referring you to www.symantec.com -- click wisely!
The actual code for the toolkit follows:
-- Froglips removed code, if you want to see a copy, just ask. --
Which, as mentioned earlier, is getting prepended to the normal HTTP response. The source of the infection originates with -- Froglips removed link to bad guys -- at 85.114.143.47, which forwards the browser to yet another URL: -- froglips removed link to bad guys -- (also at 85.114.143.47). This is a known malicious toolkit; for more information, please visit:
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031
This is a frustratingly intermittent issue. In 8 hours' time I only managed to encounter it once (at 3:35am Eastern) and (annoyingly, due to a typo) only captured half the tcpdump for analysis, despite several thousand reloads of the NCWW homepage.
Because it is getting inserted at the beginning of a TCP session, this leads me to suggest that either the HTTP daemon has suffered a buffer overflow (and, as such, is in need of shutdown, patching, and finally a restart once patched) OR NCWW's web presence provider has a higher-level infected server (in the case of a shared virtual server) or router. Of these, an HTTP daemon infected by means of a buffer overflow is the most likely explanation.
If these were servers in physical possession, this would be far easier to confirm; with remotely managed servers, things can get complicated by restrictions the provider may have in place, particularly on shared servers.
Best of luck!
EDIT: Admins, if you know how to get vBulletin to NOT hyperlink the harmful URLs I would appreciate the edit. I originally created the above with the URL hyperlinks REMOVED. Unfortunately, when submitted, vBulletin overrode my directives and turned them back into hyperlinked URLs...
READERS SHOULD EXERCISE EXTRA CAUTION AS A RESULT!!!
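
For anyone trying to catch the same intermittent symptom from saved responses, the following is an added example and not part of the original post: it flags any response body that has content in front of the start of the HTML document and lists the external script/iframe sources found there. The document-start markers, the function names and the sample captures (including the `example.invalid` host) are assumptions constructed for illustration.

```python
import re

# Assumption: a clean page body begins with a doctype or an <html> tag.
DOC_START = re.compile(rb"<!DOCTYPE\s+html|<html[\s>]", re.IGNORECASE)
# External references worth surfacing when they sit in the prepended bytes.
EXT_REF = re.compile(
    rb"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
BOM = b"\xef\xbb\xbf"

def split_prefix(body: bytes):
    """Return (prefix, rest) split at the first document-start marker."""
    m = DOC_START.search(body)
    if m is None:
        # No marker at all: the whole body is unexpected for an HTML page.
        return body, b""
    return body[:m.start()], body[m.start():]

def inspect_body(body: bytes) -> dict:
    """Describe whatever precedes the document start in one response body."""
    prefix, _ = split_prefix(body)
    if prefix.startswith(BOM):      # a UTF-8 byte-order mark is benign
        prefix = prefix[len(BOM):]
    prefix = prefix.strip()         # so is leading whitespace
    refs = [(tag.decode().lower(), url.decode(errors="replace"))
            for tag, url in EXT_REF.findall(prefix)]
    return {"injected": bool(prefix), "prefix_len": len(prefix), "refs": refs}

def scan(captures):
    """captures: iterable of (timestamp, body). Return only the flagged ones."""
    hits = []
    for ts, body in captures:
        result = inspect_body(body)
        if result["injected"]:
            hits.append((ts, result))
    return hits

# Constructed sample captures: two clean fetches and one with prepended markup.
PAGE = b"<!DOCTYPE html><html><head><title>Home</title></head><body></body></html>"
SAMPLES = [
    ("03:34:10", PAGE),
    ("03:35:02", b'<script src="http://toolkit.example.invalid/a.js"></script>' + PAGE),
    ("03:36:41", BOM + b"\r\n" + PAGE),
]

if __name__ == "__main__":
    for ts, result in scan(SAMPLES):
        print(ts, result["prefix_len"], "bytes before document start:", result["refs"])
```

Run over bodies saved by a polling loop, this records the timestamp of each bad fetch, which is the evidence a hosting provider will ask for when the problem cannot be reproduced on demand.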