?
Solved

Strange link on webpage

Posted on 2014-08-24
20
Medium Priority
?
249 Views
Last Modified: 2014-08-25
On a page for a website I am webmaster I found a strange link on only one webpage, (see attached).  This only appears on Chrome.  I have deselected all my extensions and it does not change I have also seen this link on Chrome on this one page from 3 different computers and two different networks.  So it seems like spam on the website.  

I do not see any anti-virus or anti-malware software on our hosting site.  

Anyone familiar with this and know how to remove it.
 
Below is what I see when checking source:
<style type="text/css">html, body {padding: 0;margin: 0;height: 100%;}#gz, #gz a {font-size: 9px;color: #283848;text-align: right;border-bottom: none;clear: both;}</style><div id='gz'> <a href="http://www.freenodepositslotsonline.co.uk/" target="_blank">Penny slot machines on sale, slot machine basics freenodepositslotsonline.co.uk news</a>

I am currently calling my hosting site.
wierdlink.png
0
Comment
Question by:dloj
  • 6
  • 5
  • 3
  • +4
20 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40281704
Is this a CMS?
Looks like an hack but without a real website to check...
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 40281717
You've been hacked.  Depending on what your site is running, there could be multiple vectors for the attack.  

If your ISP doesn't know, I would open an account with Sucuri.net and give them access.  They will clean it up and also close the holes.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40281730
Could it be a plugin though? If you put that link "www.freenodepositslotsonline.co.uk" into Google, you get a big result of sites showing the same link on pages/sites that shouldn't have it...
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40281762
1 - When was that page last edited by you and what is the timestamp now?
(compare live page to your source page)

2 - Update the page by removing the link, does it come back (after some time)?

If one or 2 of the above are 'Yes' then you have been hacked.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 40281772
Spravtek

Could be a theme or a plugin or just a typical server vulnerability.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40281783
@Jason

Yes, the question was more directed to the poster ... Maybe he recently installed a plugin/theme, we need more info on what software he's using, CMS, html ...
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40281784
Could also be malvertising. Do you have advertising on the site.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 40282139
The fact that it only appears in Chrome probably means that the vulnerability is related to the massive number tracking hacks that Google allows and encourages to satisfy advertisers.  I am not suggesting that Google is responsible for the hacking, just that Chrome is almost as easy to target as the older IE browsers were because Google is not in the browser business, they are in the business of selling virtually any information that can get about users of the "free" stuff they supply.

Another reason for me to continue using Firefox as my primary browser.

Cd&
0
 

Author Comment

by:dloj
ID: 40282161
Hi,

Thanks for the response.  No this is not a CMS, I built the site with Dreamweaver, html, php, and javascript, here is a link.

No Adverstising.

http://www.socalda.org/sbemeet.php 

When I download the page to edit the hack it does not appear.  It only appears online.  Not on my devserver.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40282165
It's not just Chrome, it's all browsers - hard to see it, and its not just slot machines and all your pages have it.

I would immediately change all your passwords.
Disable any plugins, including your Spry menu and see if it still shows.

It would appear to be something in your php page that is adding it, so double check them all.
I would initially concentrate on the code that creates the table since it immediately appears after that table.
0
 

Author Comment

by:dloj
ID: 40282191
I look at view as source, and see the link but when I download I do not see the link on the webpage.    So why would the php be causing it and it not showing up in both places, local server and hosting server?
0
 
LVL 58

Accepted Solution

by:
Gary earned 2000 total points
ID: 40282198
When you say you download it do you mean direct from the server or through the browser?
I cannot see anything in your javascript, so that leads to the php, don't look for the link itself, it likely won't exist but what may be happening is they are making a call to another server to get the link code.
It is usually Base 64 code that is used in hacks like...
eval(base64_decode
0
 

Author Comment

by:dloj
ID: 40282312
I found some errant code on my San Diego Meeting page.   Loading it as a zip file.
hackingcode.zip
0
 
LVL 58

Expert Comment

by:Gary
ID: 40282317
Whats wrong with that? It's just a php function to release memory held by a recordset.
0
 

Author Comment

by:dloj
ID: 40282319
I don't remember ever putting it there.  I also found the eval(base64_decode php code in the menu.php
0
 

Author Comment

by:dloj
ID: 40282326
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks
0
 
LVL 58

Expert Comment

by:Gary
ID: 40282327
Good stuff
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 40282331
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks

It will come back.  Your server or your user account is compromised and the attackers inject code into the system.  You've successfully treated the symptom, not the disease.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 40283984
You still have a serious issue.  As Jason said "Your server or your user account is compromised".  Unless you find the attack vector used by going through your logs; you will be hacked again and again and next time it may not be something that mild.  It is only on your production server because your dev server is not public facing where hackers can access it.

You hosting provider should be happy to help because others on the same system may be facing the same kind of attacks.  If there is no attack vector you can find then you need to add detailed custom logging to track out-of-the ordinary events.

This piece about Custom logging approaches should help you create the logging objects you need to track bad actors on your site.

Cd&
0
 

Author Comment

by:dloj
ID: 40284827
Thanks Cobol and Jason
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Does your audience prefer people in photos or no people? How can you best highlight what you’re selling? What are your competitors doing, and what can you do that is different and unique from them?  Continue reading to learn how to make your images …
Ready to get certified? Check out some courses that help you prepare for third-party exams.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question