The Web site of Miami's Dolphin Stadium, which plays host to Super Bowl XLI on Sunday, has been trying to hijack unpatched Windows PCs for about a week, a security company said Friday.

The site was hacked between Jan. 26 and 28, Websense reported, and until approximately 11 a.m. PST Friday was actively serving up a backdoor Trojan horse and password stealer.

"The 25th was the last date that we saw [the site] clean," says Dan Hubbard, Websense's head of research. "Sometime between the 26th and the 28th was when we think the site's server was hacked."

The attacker planted a link to a malicious JavaScript file in the header of the front page of the site; that script executed when the official Dolphin Stadium site was rendered. Hubbard said that the script exploited two Windows vulnerabilities, one patched in April, the second last month.

By Friday morning, the malicious site hosting the JavaScript file has been taken down, although Hubbard said the link remained in the stadium's site header. He recommended that users stay away from the URL. "It's possible [the attackers] still have access to the server," he says.

Sunday, the Indianapolis Colts face the Chicago Bears in the National Football League's biggest game of the year. The Colts are favored by a touchdown.