I have had the following attack recently, where POST requests have been sent to the webserver with the following code (url encoding has been removed to show the actual query, and 'example.com' has been substituted for the actual address)
/page.php?Story_ID=2494" onmousedown="ct(this, "http://example.com/page.php?Story_ID=2494','45','8','*.eg+page.php?','', '0095cae1ce41b064a7268177db4b654c44e914f95761d81211b8', 0)/contact.php
I have searched for language references for ct that would enable me to understand what this is doing - but it has been hard to find. Any ideas?