Strange link on webpage

On a page for a website I am webmaster I found a strange link on only one webpage, (see attached).  This only appears on Chrome.  I have deselected all my extensions and it does not change I have also seen this link on Chrome on this one page from 3 different computers and two different networks.  So it seems like spam on the website.  

I do not see any anti-virus or anti-malware software on our hosting site.  

Anyone familiar with this and know how to remove it.
 
Below is what I see when checking source:
<style type="text/css">html, body {padding: 0;margin: 0;height: 100%;}#gz, #gz a {font-size: 9px;color: #283848;text-align: right;border-bottom: none;clear: both;}</style><div id='gz'> <a href="http://www.freenodepositslotsonline.co.uk/" target="_blank">Penny slot machines on sale, slot machine basics freenodepositslotsonline.co.uk news</a>

I am currently calling my hosting site.
wierdlink.png
dlojAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

GaryCommented:
Is this a CMS?
Looks like an hack but without a real website to check...
0
Jason C. LevineNo oneCommented:
You've been hacked.  Depending on what your site is running, there could be multiple vectors for the attack.  

If your ISP doesn't know, I would open an account with Sucuri.net and give them access.  They will clean it up and also close the holes.
0
Zephyr ICTCloud ArchitectCommented:
Could it be a plugin though? If you put that link "www.freenodepositslotsonline.co.uk" into Google, you get a big result of sites showing the same link on pages/sites that shouldn't have it...
0
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Gerwin Jansen, EE MVETopic Advisor Commented:
1 - When was that page last edited by you and what is the timestamp now?
(compare live page to your source page)

2 - Update the page by removing the link, does it come back (after some time)?

If one or 2 of the above are 'Yes' then you have been hacked.
0
Jason C. LevineNo oneCommented:
Spravtek

Could be a theme or a plugin or just a typical server vulnerability.
0
Zephyr ICTCloud ArchitectCommented:
@Jason

Yes, the question was more directed to the poster ... Maybe he recently installed a plugin/theme, we need more info on what software he's using, CMS, html ...
0
Thomas Zucker-ScharffSolution GuideCommented:
Could also be malvertising. Do you have advertising on the site.
0
COBOLdinosaurCommented:
The fact that it only appears in Chrome probably means that the vulnerability is related to the massive number tracking hacks that Google allows and encourages to satisfy advertisers.  I am not suggesting that Google is responsible for the hacking, just that Chrome is almost as easy to target as the older IE browsers were because Google is not in the browser business, they are in the business of selling virtually any information that can get about users of the "free" stuff they supply.

Another reason for me to continue using Firefox as my primary browser.

Cd&
0
dlojAuthor Commented:
Hi,

Thanks for the response.  No this is not a CMS, I built the site with Dreamweaver, html, php, and javascript, here is a link.

No Adverstising.

http://www.socalda.org/sbemeet.php 

When I download the page to edit the hack it does not appear.  It only appears online.  Not on my devserver.
0
GaryCommented:
It's not just Chrome, it's all browsers - hard to see it, and its not just slot machines and all your pages have it.

I would immediately change all your passwords.
Disable any plugins, including your Spry menu and see if it still shows.

It would appear to be something in your php page that is adding it, so double check them all.
I would initially concentrate on the code that creates the table since it immediately appears after that table.
0
dlojAuthor Commented:
I look at view as source, and see the link but when I download I do not see the link on the webpage.    So why would the php be causing it and it not showing up in both places, local server and hosting server?
0
GaryCommented:
When you say you download it do you mean direct from the server or through the browser?
I cannot see anything in your javascript, so that leads to the php, don't look for the link itself, it likely won't exist but what may be happening is they are making a call to another server to get the link code.
It is usually Base 64 code that is used in hacks like...
eval(base64_decode
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dlojAuthor Commented:
I found some errant code on my San Diego Meeting page.   Loading it as a zip file.
hackingcode.zip
0
GaryCommented:
Whats wrong with that? It's just a php function to release memory held by a recordset.
0
dlojAuthor Commented:
I don't remember ever putting it there.  I also found the eval(base64_decode php code in the menu.php
0
dlojAuthor Commented:
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks
0
GaryCommented:
Good stuff
0
Jason C. LevineNo oneCommented:
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks

It will come back.  Your server or your user account is compromised and the attackers inject code into the system.  You've successfully treated the symptom, not the disease.
0
COBOLdinosaurCommented:
You still have a serious issue.  As Jason said "Your server or your user account is compromised".  Unless you find the attack vector used by going through your logs; you will be hacked again and again and next time it may not be something that mild.  It is only on your production server because your dev server is not public facing where hackers can access it.

You hosting provider should be happy to help because others on the same system may be facing the same kind of attacks.  If there is no attack vector you can find then you need to add detailed custom logging to track out-of-the ordinary events.

This piece about Custom logging approaches should help you create the logging objects you need to track bad actors on your site.

Cd&
0
dlojAuthor Commented:
Thanks Cobol and Jason
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.