hidden HTML code

My first edugeek forum question, so apologies if it is naive!

I work with schools and one has a sports website produced by an external company. The pages were triggering filters, the content you saw was fine, but when I looked at the HTML I found a chunk of code on all pages - mostly in the middle - here's a short extract....

href="http://www.mundoblack.com.br/Sporanox-blog.html">Sporanox</a><a href="http://www.capetranscribers.com/decoy-octopus-blog.html">decoy octopus</a><a href="http://www.usmegadeals.com/denver-housing-authority-jobs-blog.html">denver housing authority jobs</a><a href="http://shreesadhak.com/Discount-Alfacip-blog.html">Discount Alfacip</a><a href="http://shreesadhak.com/Lipvas-blog.html">Lipvas</a><a href="http://hrpress.org/black-tight-virgin-pussy-blog.html">black tight virgin pussy</a><a c

the urls varied page to page, if navigated to lots led to a site called blogorama & www.machinemove.co.uk/blog Cnn.com live / Wordpress

Obviously the school is asking their web company for an explanation, but I'm impatient. I have my theories, but I'd love to hear your ideas.

Thanks

Looks like the website has been compromised. Is the server secure?

I don't know where the site is hosted, I'm getting the school to find out. The code doesn't seem to affect the visible page at all. I just wondered what the lines of code did?

Well from the look of the links there well dodgy.

The code you show is HTML for creating a link:

Code:

---

<a href="www.google.com">Google</a>

---

The text between <a> and </a> is what is displayed on the page, so you should find the text "denver housing authority jobs" on the page somewhere.

How ever there may be some more code, CSS, that hides the text from the user. Many ways to display HTML on the page (In the HTML) but not in to the user.

that's the puzzle, none of the text shows on the web page and I can't find any hidden hyper linked areas.

This is the web site
Home www.emersonparkssp.co.uk
looks innocuous enough until you view the html

(incidentally if it is inapropoariate for me to give this URL on the forums please someone tell me!)

I wondered whether it was being used to
- hype someone elses URL up search result lists?
- used to generate hidden advertising revenue?

::looks::

The junk links are in a div called 'dtrv' and right after that is some lightly obsfucated jscript which is this:

document.getElementById('dtrv').innerHTML = '';

That is what makes all the junk invisible i.e. replaces all the junk in the div with '' (single quotes around nothing = nothing).

[Turn off javascript and you see it all]

that will show up to search bots as javascript isn't enabled on them... makes the webmaster unaware of there presence, but still adds to seo of sites.

So it's a compromised site and needs looking at asap.

which version of joomla are you running? My guess is that the site hasn't been upgraded to the latest joomla code and that's why it's been hacked.

this is always the problem with cms systems - and in my experience particualry joomla. You've got to keep up with the new releases.

I wanted to scan the page for malicious code but I couldn't get to it because of "profanity" according to EMBC.

If I were you I'd take the whole thing down, change the host password, put a temporary static page with the school contact numbers and either-

a) Upgrade the core distribution and get a professional to check through the database(s) and content for malicious code, especially cross-site scripting.

b) Nuke it and start again.

Check the versions of PHP and MySQL in use on the host. If it is shared hosting and you find these are legacy then inquire with the host if these can be upgraded (sometimes with PHP as an Apache module you have to specify newer versions of PHP within a .htaccess file so the host doesn't break older sites). If the host can't comply consider moving.

If you have a dedicated server get someone who knows what they are doing to upgrade MySQL, Apache and PHP at a minimum. Consider changing the MySQL root password and check for unexplained MySQL user accounts. Consider, if the database is on the same server as the website- do you need external access to the database? Do you have a firewall on the server and what ports are configured? Have you considered using something like DenyHosts to help block brute force attacks (you'd be surprised how many even a unimportant course website could get- even from hostnames within reputable company and University systems).

If you have a support package that is "maintaining" this Joomla website and hosting it- check the distribution and if it's not the latest or at least a couple of releases down from the latest then consider dumping that contract.

has anyone come across this before.. Not on topic but thought to mention it. code hidden in an image. I spent ages tracking down a particular link and eventually found it in image.jpg... sneaky website free templates..

Quote:

---

a) Upgrade the core distribution and get a professional to check through the database(s) and content for malicious code, especially cross-site scripting.

---

it's often impossible to go though the site and database removing code. You're best bet will be to restore from backup you have and fingers crossed you get a version without the hack.

Quote:

---

If you have a dedicated server get someone who knows what they are doing to upgrade MySQL, Apache and PHP at a minimum.

---

You sohuld just be able to run 'apt-get update && apt-get upgrade' or similar and it will install all the security patches you need to apache, mysql and php. The only problem you might have here is is you're running php4 rather then php5

Quote:

---

If you have a support package that is "maintaining" this Joomla website and hosting it- check the distribution and if it's not the latest or at least a couple of releases down from the latest then consider dumping that contract.

---

A couple of releases down is really no good. it needs to the latest full stop. Joomla is a very popular CMS and once new releases are out there seems to be a dedicated core of spammers who will seek out the sites that don't update and attack them. I know this from experience.

Also make sure that you don't have a big red warning about 'php register globals' in your admin panel. If you do then immediately fire the website design company.

can I just say what a wonderful bunch of people you are, you've given me so much to take forward. I really appreciate the help & advice.
:)

Quote:

---

Originally Posted by danbuntu

A couple of releases down is really no good. it needs to the latest full stop. Joomla is a very popular CMS and once new releases are out there seems to be a dedicated core of spammers who will seek out the sites that don't update and attack them. I know this from experience.

---

I agree that the absolute latest is a must- but we don't know what arrangements are in place for his support contract. Some hosts do lag considerably before upgrading client sites in order to "test". I am not condoning this practice, merely noting that many of the cheaper "all in one" bundles will take some time to catchup with CMS releases.

No doubt this is to avoid breaking client sites and/or plugins (which may well be a weakness here) which is in itself a laudable aim, if somewhat lacking security perspective.

If he is using a cheap hosted package that behaves in this way it may be reasonable to conclude that this model doesn't meet his needs, especially as the latest stable Joomla release is three months ago which I have to admit is longer than I had thought.

With regard to the ease of updating PHP, MySQL etc- the only reason I suggested someone who knows what they are doing is to ensure that everything served off the box is compatible with the latest versions, that the implications of updating or not updating are understand, and that the OP isn't left high and dry should something go wrong.

Setting up LAMP is not all that hard with practice, but it's a bit unfair to ask the OP to hit the ground running that fast.

On the other hand if the box only serves this web page and nothing else then at the moment he hasn't got a lot to lose.

There's nothing to stop the Op upgrading the site themselves. It's often just a case of upload some files and run a patch. Hopefully they either know how to do this themselves or have it written into the support contract with the design company. There should be no need to wait for the hosting company - indeed many hosting companies that offer easy installs of Joomla (or any other CMS) don't actually take responsibility for any upgrades or patches as they don't want to be responsible for breaking any custom code or modules.

People do this to increase page rank on google, if they have links on a site with a good page rank (EVEN IF IT DOESN'T SHOW), it will increase the links to the site and eventually... increase search engine rank and PR rank - like said above.

People can pay a lot if you have a good PR site, I've seen PR6 sites sell $50.00 for a link!