Strange link on webpage

dloj
dloj used Ask the Experts™
on
On a page for a website I am webmaster I found a strange link on only one webpage, (see attached).  This only appears on Chrome.  I have deselected all my extensions and it does not change I have also seen this link on Chrome on this one page from 3 different computers and two different networks.  So it seems like spam on the website.  

I do not see any anti-virus or anti-malware software on our hosting site.  

Anyone familiar with this and know how to remove it.
 
Below is what I see when checking source:
<style type="text/css">html, body {padding: 0;margin: 0;height: 100%;}#gz, #gz a {font-size: 9px;color: #283848;text-align: right;border-bottom: none;clear: both;}</style><div id='gz'> <a href="http://www.freenodepositslotsonline.co.uk/" target="_blank">Penny slot machines on sale, slot machine basics freenodepositslotsonline.co.uk news</a>

I am currently calling my hosting site.
wierdlink.png
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Expert of the Year 2014
Top Expert 2014

Commented:
Is this a CMS?
Looks like an hack but without a real website to check...
Jason C. LevineDon't talk to me.

Commented:
You've been hacked.  Depending on what your site is running, there could be multiple vectors for the attack.  

If your ISP doesn't know, I would open an account with Sucuri.net and give them access.  They will clean it up and also close the holes.
Zephyr ICTCloud Architect

Commented:
Could it be a plugin though? If you put that link "www.freenodepositslotsonline.co.uk" into Google, you get a big result of sites showing the same link on pages/sites that shouldn't have it...
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

Gerwin Jansen, EE MVETopic Advisor
Most Valuable Expert 2016

Commented:
1 - When was that page last edited by you and what is the timestamp now?
(compare live page to your source page)

2 - Update the page by removing the link, does it come back (after some time)?

If one or 2 of the above are 'Yes' then you have been hacked.
Jason C. LevineDon't talk to me.

Commented:
Spravtek

Could be a theme or a plugin or just a typical server vulnerability.
Zephyr ICTCloud Architect

Commented:
@Jason

Yes, the question was more directed to the poster ... Maybe he recently installed a plugin/theme, we need more info on what software he's using, CMS, html ...
Could also be malvertising. Do you have advertising on the site.
Top Expert 2013

Commented:
The fact that it only appears in Chrome probably means that the vulnerability is related to the massive number tracking hacks that Google allows and encourages to satisfy advertisers.  I am not suggesting that Google is responsible for the hacking, just that Chrome is almost as easy to target as the older IE browsers were because Google is not in the browser business, they are in the business of selling virtually any information that can get about users of the "free" stuff they supply.

Another reason for me to continue using Firefox as my primary browser.

Cd&

Author

Commented:
Hi,

Thanks for the response.  No this is not a CMS, I built the site with Dreamweaver, html, php, and javascript, here is a link.

No Adverstising.

http://www.socalda.org/sbemeet.php 

When I download the page to edit the hack it does not appear.  It only appears online.  Not on my devserver.
Expert of the Year 2014
Top Expert 2014

Commented:
It's not just Chrome, it's all browsers - hard to see it, and its not just slot machines and all your pages have it.

I would immediately change all your passwords.
Disable any plugins, including your Spry menu and see if it still shows.

It would appear to be something in your php page that is adding it, so double check them all.
I would initially concentrate on the code that creates the table since it immediately appears after that table.

Author

Commented:
I look at view as source, and see the link but when I download I do not see the link on the webpage.    So why would the php be causing it and it not showing up in both places, local server and hosting server?
Expert of the Year 2014
Top Expert 2014
Commented:
When you say you download it do you mean direct from the server or through the browser?
I cannot see anything in your javascript, so that leads to the php, don't look for the link itself, it likely won't exist but what may be happening is they are making a call to another server to get the link code.
It is usually Base 64 code that is used in hacks like...
eval(base64_decode

Author

Commented:
I found some errant code on my San Diego Meeting page.   Loading it as a zip file.
hackingcode.zip
Expert of the Year 2014
Top Expert 2014

Commented:
Whats wrong with that? It's just a php function to release memory held by a recordset.

Author

Commented:
I don't remember ever putting it there.  I also found the eval(base64_decode php code in the menu.php

Author

Commented:
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks
Expert of the Year 2014
Top Expert 2014

Commented:
Good stuff
Jason C. LevineDon't talk to me.

Commented:
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks

It will come back.  Your server or your user account is compromised and the attackers inject code into the system.  You've successfully treated the symptom, not the disease.
Top Expert 2013

Commented:
You still have a serious issue.  As Jason said "Your server or your user account is compromised".  Unless you find the attack vector used by going through your logs; you will be hacked again and again and next time it may not be something that mild.  It is only on your production server because your dev server is not public facing where hackers can access it.

You hosting provider should be happy to help because others on the same system may be facing the same kind of attacks.  If there is no attack vector you can find then you need to add detailed custom logging to track out-of-the ordinary events.

This piece about Custom logging approaches should help you create the logging objects you need to track bad actors on your site.

Cd&

Author

Commented:
Thanks Cobol and Jason

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial