+ Post New Thread
Results 1 to 15 of 15
Web Development Thread, hidden HTML code in Coding and Web Development; My first edugeek forum question, so apologies if it is naive! I work with schools and one has a sports ...
  1. #1
    pap
    pap is offline
    pap's Avatar
    Join Date
    Feb 2010
    Location
    London
    Posts
    7
    Thank Post
    11
    Thanked 1 Time in 1 Post
    Rep Power
    0

    hidden HTML code

    My first edugeek forum question, so apologies if it is naive!

    I work with schools and one has a sports website produced by an external company. The pages were triggering filters, the content you saw was fine, but when I looked at the HTML I found a chunk of code on all pages - mostly in the middle - here's a short extract....

    href="http://www.mundoblack.com.br/Sporanox-blog.html">Sporanox</a><a href="http://www.capetranscribers.com/decoy-octopus-blog.html">decoy octopus</a><a href="http://www.usmegadeals.com/denver-housing-authority-jobs-blog.html">denver housing authority jobs</a><a href="http://shreesadhak.com/Discount-Alfacip-blog.html">Discount Alfacip</a><a href="http://shreesadhak.com/Lipvas-blog.html">Lipvas</a><a href="http://hrpress.org/black-tight-virgin-pussy-blog.html">black tight virgin pussy</a><a c

    the urls varied page to page, if navigated to lots led to a site called blogorama & www.machinemove.co.uk/blog Cnn.com live / Wordpress

    Obviously the school is asking their web company for an explanation, but I'm impatient. I have my theories, but I'd love to hear your ideas.

    Thanks
    Last edited by pap; 19th February 2010 at 10:21 PM. Reason: correct site link in last but one para

  2. #2

    tech_guy's Avatar
    Join Date
    May 2007
    Location
    That little bit in the middle of Little Old England
    Posts
    8,136
    Thank Post
    1,913
    Thanked 1,345 Times in 743 Posts
    Blog Entries
    3
    Rep Power
    395
    Looks like the website has been compromised. Is the server secure?

  3. Thanks to tech_guy from:

    pap (19th February 2010)

  4. #3
    pap
    pap is offline
    pap's Avatar
    Join Date
    Feb 2010
    Location
    London
    Posts
    7
    Thank Post
    11
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I don't know where the site is hosted, I'm getting the school to find out. The code doesn't seem to affect the visible page at all. I just wondered what the lines of code did?

  5. #4

    Join Date
    Apr 2006
    Location
    UK
    Posts
    939
    Thank Post
    39
    Thanked 70 Times in 54 Posts
    Rep Power
    29
    Well from the look of the links there well dodgy.

    The code you show is HTML for creating a link:

    Code:
    <a href="www.google.com">Google</a>
    The text between <a> and </a> is what is displayed on the page, so you should find the text "denver housing authority jobs" on the page somewhere.

    How ever there may be some more code, CSS, that hides the text from the user. Many ways to display HTML on the page (In the HTML) but not in to the user.

  6. Thanks to danIT from:

    pap (19th February 2010)

  7. #5
    pap
    pap is offline
    pap's Avatar
    Join Date
    Feb 2010
    Location
    London
    Posts
    7
    Thank Post
    11
    Thanked 1 Time in 1 Post
    Rep Power
    0
    that's the puzzle, none of the text shows on the web page and I can't find any hidden hyper linked areas.

    This is the web site
    Home www.emersonparkssp.co.uk
    looks innocuous enough until you view the html

    (incidentally if it is inapropoariate for me to give this URL on the forums please someone tell me!)

    I wondered whether it was being used to
    - hype someone elses URL up search result lists?
    - used to generate hidden advertising revenue?
    Last edited by pap; 19th February 2010 at 10:45 PM. Reason: to make URL visible as text

  8. #6

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    ::looks::

    The junk links are in a div called 'dtrv' and right after that is some lightly obsfucated jscript which is this:

    document.getElementById('dtrv').innerHTML = '';

    That is what makes all the junk invisible i.e. replaces all the junk in the div with '' (single quotes around nothing = nothing).

    [Turn off javascript and you see it all]
    Last edited by PiqueABoo; 20th February 2010 at 12:54 AM.

  9. Thanks to PiqueABoo from:

    pap (20th February 2010)

  10. #7
    mossj's Avatar
    Join Date
    Dec 2008
    Location
    Leicester
    Posts
    1,466
    Thank Post
    157
    Thanked 189 Times in 174 Posts
    Rep Power
    52
    that will show up to search bots as javascript isn't enabled on them... makes the webmaster unaware of there presence, but still adds to seo of sites.

    So it's a compromised site and needs looking at asap.

  11. Thanks to mossj from:

    pap (20th February 2010)

  12. #8
    danbuntu's Avatar
    Join Date
    Dec 2009
    Location
    Maidstone, Kent
    Posts
    297
    Thank Post
    0
    Thanked 53 Times in 50 Posts
    Rep Power
    19
    which version of joomla are you running? My guess is that the site hasn't been upgraded to the latest joomla code and that's why it's been hacked.

    this is always the problem with cms systems - and in my experience particualry joomla. You've got to keep up with the new releases.

  13. Thanks to danbuntu from:

    pap (21st February 2010)

  14. #9
    pwds's Avatar
    Join Date
    Dec 2008
    Location
    Derby
    Posts
    279
    Thank Post
    73
    Thanked 48 Times in 38 Posts
    Rep Power
    20
    I wanted to scan the page for malicious code but I couldn't get to it because of "profanity" according to EMBC.

    If I were you I'd take the whole thing down, change the host password, put a temporary static page with the school contact numbers and either-

    a) Upgrade the core distribution and get a professional to check through the database(s) and content for malicious code, especially cross-site scripting.

    b) Nuke it and start again.

    Check the versions of PHP and MySQL in use on the host. If it is shared hosting and you find these are legacy then inquire with the host if these can be upgraded (sometimes with PHP as an Apache module you have to specify newer versions of PHP within a .htaccess file so the host doesn't break older sites). If the host can't comply consider moving.

    If you have a dedicated server get someone who knows what they are doing to upgrade MySQL, Apache and PHP at a minimum. Consider changing the MySQL root password and check for unexplained MySQL user accounts. Consider, if the database is on the same server as the website- do you need external access to the database? Do you have a firewall on the server and what ports are configured? Have you considered using something like DenyHosts to help block brute force attacks (you'd be surprised how many even a unimportant course website could get- even from hostnames within reputable company and University systems).

    If you have a support package that is "maintaining" this Joomla website and hosting it- check the distribution and if it's not the latest or at least a couple of releases down from the latest then consider dumping that contract.

  15. Thanks to pwds from:

    pap (22nd February 2010)

  16. #10
    AIT
    AIT is offline
    AIT's Avatar
    Join Date
    Dec 2009
    Location
    Nottingham
    Posts
    369
    Thank Post
    46
    Thanked 32 Times in 30 Posts
    Rep Power
    19
    has anyone come across this before.. Not on topic but thought to mention it. code hidden in an image. I spent ages tracking down a particular link and eventually found it in image.jpg... sneaky website free templates..

  17. #11
    danbuntu's Avatar
    Join Date
    Dec 2009
    Location
    Maidstone, Kent
    Posts
    297
    Thank Post
    0
    Thanked 53 Times in 50 Posts
    Rep Power
    19
    a) Upgrade the core distribution and get a professional to check through the database(s) and content for malicious code, especially cross-site scripting.
    it's often impossible to go though the site and database removing code. You're best bet will be to restore from backup you have and fingers crossed you get a version without the hack.

    If you have a dedicated server get someone who knows what they are doing to upgrade MySQL, Apache and PHP at a minimum.
    You sohuld just be able to run 'apt-get update && apt-get upgrade' or similar and it will install all the security patches you need to apache, mysql and php. The only problem you might have here is is you're running php4 rather then php5

    If you have a support package that is "maintaining" this Joomla website and hosting it- check the distribution and if it's not the latest or at least a couple of releases down from the latest then consider dumping that contract.
    A couple of releases down is really no good. it needs to the latest full stop. Joomla is a very popular CMS and once new releases are out there seems to be a dedicated core of spammers who will seek out the sites that don't update and attack them. I know this from experience.

    Also make sure that you don't have a big red warning about 'php register globals' in your admin panel. If you do then immediately fire the website design company.

  18. Thanks to danbuntu from:

    pap (22nd February 2010)

  19. #12
    pap
    pap is offline
    pap's Avatar
    Join Date
    Feb 2010
    Location
    London
    Posts
    7
    Thank Post
    11
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Smile

    can I just say what a wonderful bunch of people you are, you've given me so much to take forward. I really appreciate the help & advice.

  20. #13
    pwds's Avatar
    Join Date
    Dec 2008
    Location
    Derby
    Posts
    279
    Thank Post
    73
    Thanked 48 Times in 38 Posts
    Rep Power
    20
    Quote Originally Posted by danbuntu View Post
    A couple of releases down is really no good. it needs to the latest full stop. Joomla is a very popular CMS and once new releases are out there seems to be a dedicated core of spammers who will seek out the sites that don't update and attack them. I know this from experience.
    I agree that the absolute latest is a must- but we don't know what arrangements are in place for his support contract. Some hosts do lag considerably before upgrading client sites in order to "test". I am not condoning this practice, merely noting that many of the cheaper "all in one" bundles will take some time to catchup with CMS releases.

    No doubt this is to avoid breaking client sites and/or plugins (which may well be a weakness here) which is in itself a laudable aim, if somewhat lacking security perspective.

    If he is using a cheap hosted package that behaves in this way it may be reasonable to conclude that this model doesn't meet his needs, especially as the latest stable Joomla release is three months ago which I have to admit is longer than I had thought.

    With regard to the ease of updating PHP, MySQL etc- the only reason I suggested someone who knows what they are doing is to ensure that everything served off the box is compatible with the latest versions, that the implications of updating or not updating are understand, and that the OP isn't left high and dry should something go wrong.

    Setting up LAMP is not all that hard with practice, but it's a bit unfair to ask the OP to hit the ground running that fast.

    On the other hand if the box only serves this web page and nothing else then at the moment he hasn't got a lot to lose.

  21. Thanks to pwds from:

    pap (1st March 2010)

  22. #14
    danbuntu's Avatar
    Join Date
    Dec 2009
    Location
    Maidstone, Kent
    Posts
    297
    Thank Post
    0
    Thanked 53 Times in 50 Posts
    Rep Power
    19
    There's nothing to stop the Op upgrading the site themselves. It's often just a case of upload some files and run a patch. Hopefully they either know how to do this themselves or have it written into the support contract with the design company. There should be no need to wait for the hosting company - indeed many hosting companies that offer easy installs of Joomla (or any other CMS) don't actually take responsibility for any upgrades or patches as they don't want to be responsible for breaking any custom code or modules.

  23. Thanks to danbuntu from:

    pap (1st March 2010)

  24. #15
    dwhyte85's Avatar
    Join Date
    Mar 2009
    Location
    Berkshire
    Posts
    1,219
    Thank Post
    159
    Thanked 147 Times in 132 Posts
    Rep Power
    103
    People do this to increase page rank on google, if they have links on a site with a good page rank (EVEN IF IT DOESN'T SHOW), it will increase the links to the site and eventually... increase search engine rank and PR rank - like said above.

    People can pay a lot if you have a good PR site, I've seen PR6 sites sell $50.00 for a link!
    Last edited by dwhyte85; 22nd February 2010 at 11:35 AM. Reason: Missed mossj's post... oops

  25. Thanks to dwhyte85 from:

    pap (1st March 2010)

SHARE:
+ Post New Thread

Similar Threads

  1. [Pics] Hidden treasures!
    By theeldergeek in forum Jokes/Interweb Things
    Replies: 3
    Last Post: 11th December 2009, 09:08 PM
  2. Embedded HTML code generator
    By leco in forum How do you do....it?
    Replies: 4
    Last Post: 7th December 2009, 04:11 PM
  3. Folders Becoming Hidden?
    By ICT_GUY in forum Windows Vista
    Replies: 1
    Last Post: 27th April 2009, 03:19 PM
  4. Cd Hidden Data
    By StewartKnight in forum Hardware
    Replies: 6
    Last Post: 7th November 2005, 10:45 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •