dloj

asked on

Strange link on webpage

On a page for a website I am webmaster of, I found a strange link on only one webpage (see attached).  This only appears on Chrome.  I have deselected all my extensions and it does not change.  I have also seen this link on Chrome on this one page from 3 different computers and two different networks.  So it seems like spam on the website.

I do not see any anti-virus or anti-malware software on our hosting site.  

Anyone familiar with this and know how to remove it?
 
Below is what I see when checking source:
<style type="text/css">html, body {padding: 0;margin: 0;height: 100%;}#gz, #gz a {font-size: 9px;color: #283848;text-align: right;border-bottom: none;clear: both;}</style><div id='gz'> <a href="http://www.freenodepositslotsonline.co.uk/" target="_blank">Penny slot machines on sale, slot machine basics freenodepositslotsonline.co.uk news</a>

I am currently calling my hosting site.
wierdlink.png
Gary

Is this a CMS?
Looks like a hack but without a real website to check...
You've been hacked.  Depending on what your site is running, there could be multiple vectors for the attack.  

If your ISP doesn't know, I would open an account with Sucuri.net and give them access.  They will clean it up and also close the holes.
Could it be a plugin though? If you put that link "www.freenodepositslotsonline.co.uk" into Google, you get a big result of sites showing the same link on pages/sites that shouldn't have it...
1 - When was that page last edited by you and what is the timestamp now?
(compare live page to your source page)

2 - Update the page by removing the link, does it come back (after some time)?

If one or 2 of the above are 'Yes' then you have been hacked.
Spravtek

Could be a theme or a plugin or just a typical server vulnerability.
@Jason

Yes, the question was more directed to the poster ... Maybe he recently installed a plugin/theme, we need more info on what software he's using, CMS, html ...
Could also be malvertising. Do you have advertising on the site?
The fact that it only appears in Chrome probably means that the vulnerability is related to the massive number of tracking hacks that Google allows and encourages to satisfy advertisers.  I am not suggesting that Google is responsible for the hacking, just that Chrome is almost as easy to target as the older IE browsers were because Google is not in the browser business, they are in the business of selling virtually any information that they can get about users of the "free" stuff they supply.

Another reason for me to continue using Firefox as my primary browser.

Cd&
dloj

ASKER

Hi,

Thanks for the response.  No this is not a CMS, I built the site with Dreamweaver, html, php, and javascript, here is a link.

No advertising.

http://www.socalda.org/sbemeet.php 

When I download the page to edit the hack it does not appear.  It only appears online.  Not on my devserver.
It's not just Chrome, it's all browsers - hard to see it, and it's not just slot machines and all your pages have it.

I would immediately change all your passwords.
Disable any plugins, including your Spry menu and see if it still shows.

It would appear to be something in your php page that is adding it, so double check them all.
I would initially concentrate on the code that creates the table since it immediately appears after that table.
dloj

ASKER

I look at view as source, and see the link but when I download I do not see the link on the webpage.    So why would the php be causing it and it not showing up in both places, local server and hosting server?
ASKER CERTIFIED SOLUTION
Gary

This solution is only available to members.
dloj

ASKER

I found some errant code on my San Diego Meeting page.   Loading it as a zip file.
hackingcode.zip
What's wrong with that? It's just a php function to release memory held by a recordset.
dloj

ASKER

I don't remember ever putting it there.  I also found the eval(base64_decode php code in the menu.php
dloj

ASKER

Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks
Good stuff
Upon deleting the code I found on the menu.php and reloading it seems the errant links are gone.  Thanks

It will come back.  Your server or your user account is compromised and the attackers inject code into the system.  You've successfully treated the symptom, not the disease.
You still have a serious issue.  As Jason said, "Your server or your user account is compromised".  Unless you find the attack vector used by going through your logs, you will be hacked again and again and next time it may not be something that mild.  It is only on your production server because your dev server is not public facing where hackers can access it.

Your hosting provider should be happy to help because others on the same system may be facing the same kind of attacks.  If there is no attack vector you can find then you need to add detailed custom logging to track out-of-the-ordinary events.

This piece about Custom logging approaches should help you create the logging objects you need to track bad actors on your site.

Cd&
dloj

ASKER

Thanks Cobol and Jason
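
The eval(base64_decode call the asker found in menu.php can be searched for across the whole web root, since the thread warns that the injection tends to come back. The following is an added example, not code from any poster in this thread: a Python scanner that flags such calls and decodes the payload for inspection without executing it. The sample tree built in demo() and the spam.example domain are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Flags eval(base64_decode('...')), also when wrapped in gzinflate and similar.
# Group 2 is the base64 argument; wrapped payloads decode to compressed bytes.
PATTERN = re.compile(
    rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*"
    rb"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)
EXTENSIONS = {".php", ".phtml", ".inc", ".html", ".htm", ".js"}

def scan_file(path):
    """Return (line_number, decoded_preview) for each suspicious call."""
    data = Path(path).read_bytes()
    hits = []
    for m in PATTERN.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(m.group(2))  # decoded only, never run
        except (binascii.Error, ValueError):
            decoded = b"<undecodable>"
        hits.append((line_no, decoded[:120].decode("latin-1")))
    return hits

def scan_tree(root):
    """Walk a web root and map relative path -> list of hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_file(path)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Constructed sample tree: one clean page and one infected menu.php."""
    payload = base64.b64encode(
        b"echo '<div id=\"gz\"><a href=\"http://spam.example/\">x</a></div>';")
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sbemeet.php").write_text("<?php echo 'meeting'; ?>\n")
        Path(tmp, "menu.php").write_bytes(
            b"<?php\n// menu\neval(base64_decode('" + payload + b"'));\n?>\n")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Run scan_tree() against a downloaded copy of the live site rather than the dev copy, because the injected code exists only on the production server.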