It's not the only script that should be found there. What it does only is send the cookie and other information of whoever is viewing the server to another server. And it could also reconfigured remotely via special parameters. It's not the one that propagates the lines to the other files.

Edit: Or perhaps not really if the toolkits delete themselves after making a successful propagation to another host, or just after after making the infection, or perhaps after some attempts or time limits. Perhaps also that the ones that make the attacks on the other servers have different setups.

Hi all,
In my case the server compromission turned out to have nothing to do with Wordpress. It was a Joomla 1.5.x outdated template (beez) used to upload a very nasty PHP shell!
That php shell injected the js that points to http://abtt.tv/modules/mod_servises/ua.js, so if you see the same check your system for the presence of this shell.
I found 2 copy of the same shell, with 2 different names, one is mysite/templates/beez/958b.php and the other myothersite/templates/beez/28bc.php it's a modification of a known php backdoor shell. If someone is interested I'll post the shell code.

This article talks about recent mass attacks via WP / Joomla http://www.theregister.co.uk/2013/04...bie_offensive/

I had my time studying the previous code already so I don't mind if you do.