Crazy Links Appeared at Top of the Page

Hi,

Some crazy-looking links appear at the top of one of the pages.

The issue is a bit strange, first because it shows on large screens only, and second because it doesn't show to everyone with a large screen. Do you have any idea why?

1 Attachment

TesignDev
 
MrKDilkington replied:
Hi TesignDev,

What address (or addresses) are the links pointing to?

When did you first see them?
WebcentricLtd replied:
I think I'd look in the source to see where those links are pointing rather than clicking on them, just in case. The most likely explanation is a markup error - but suddenly appearing links are a bit suspicious.
goutnet replied:
First answer: it does look like a hack here. You probably want to grep the code for those modifications (most likely in your theme).

Can you post the address of the website so we can have a check?
TesignDev replied:
Thank you for your responses,

Actually, I didn't notice at all. A client sent me a screenshot today, and I checked on a bigger screen, so the problem was there. I checked other pages with the same page type and template (5.7.2), and everything was just fine.

However, I removed the page, and created a new one. Now everything seems fine on my machine but I'm not really sure cause it was fine even before the update.

Here is the link:
http://dijiciti.com/how-it-works-2...
TesignDev replied:
I just got some feedback from the system administrator. He says that we are getting these errors a lot:

[Sun Dec 28 12:37:59 2014] [error] [client 180.76.5.145] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
[Sun Dec 28 12:46:34 2014] [error] [client 66.249.69.126] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
[Sun Dec 28 12:53:02 2014] [error] [client 180.76.6.151] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
[Sun Dec 28 13:02:14 2014] [error] [client 66.249.69.158] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
[Sun Dec 28 13:22:59 2014] [error] [client 180.76.5.146] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
goutnet replied:
Are you sure this website did not get hacked?

That file sure does look suspicious. What is its content? (It does not sound like a standard c5 file at all.)
TesignDev replied (1 attachment):
Looks like we're officially hacked. I just don't get it. The website is still in development form, the theme is custom made and all scripts used on the website are legal and licensed.

Do you guys have any advice regarding the security issues, some best practices, permissions and stuff like that? That would be really helpful.

Btw I attached the source of the links.
JohntheFish replied:
Audit the files on the server to make sure the hack has left no back door scripts.

Change all your server, account, FTP and any other connected passwords now.

Notify your host. If it's a shared server, the hack could have come from other accounts on the server.

Check file permissions. Most web servers use 755 for directories and 644 for files.

Look critically at any other scripts you have on the server. Perhaps one of them has a weakness.
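
A way to run the permission check from the post above across a whole web root, added here as an example and not code from the thread: it reports every directory that is not 755 and every file that is not 644, then picks out the entries that group or others can write to. The tree built in `demo()` is constructed for illustration.

```python
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644  # the values recommended in the post above

def audit_permissions(root):
    """Return sorted (relative path, actual mode, expected mode) for every deviation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # lstat describes the link itself, not its target
            mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
            if mode != expected:
                findings.append((os.path.relpath(path, root), oct(mode), oct(expected)))
    return sorted(findings)

def writable_by_others(findings):
    """Subset of findings that group or other can write to: fix these first."""
    risky = stat.S_IWGRP | stat.S_IWOTH
    return [f for f in findings if int(f[1], 8) & risky]

def demo():
    """Constructed tree with three deliberate deviations from 755/644."""
    files = {"index.php": 0o644, "application/config/site.php": 0o666, "files/cache.php": 0o600}
    dirs = {"application": 0o755, "application/config": 0o777, "files": 0o755}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        for rel, mode in dirs.items():
            os.chmod(os.path.join(root, rel), mode)
        findings = audit_permissions(root)
        return findings, writable_by_others(findings)

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

The root directory itself is not checked, only what is below it.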
MrKDilkington replied:
Just to cover all the bases, do you use an encrypted connection to connect to your site?

An example would be using SFTP instead of FTP.
Cahueya replied:
Have you used any third-party scripts like "add this" or any social media-integration hack that needed insertion of code to the header file?

I've seen strange hacky-JS-inserts from some cPanel-driven so-called "optimization"-applications.
TesignDev replied:
No, not at all. For JavaScript, I used the iLightbox and Superslides plugins. No third-party blocks or add-ons.
robodev replied:
First of all, when investigating this it can be a mistake to assume it is a hack when it could be some other error that looks like a hack.

If it is a hack, then, though perhaps obvious, the first thing would be to look at your database to make sure the only admin user is the one you created.

Next stop is to start comparing files between a clean and hacked server to see what changed. The most common hacks are simply a modification of index.php through scripts uploaded via file upload areas, form submission pages, or a SQL injection exploit. For the Apache web server, of course, the .htaccess file is critical, and there are other config files that could be modified.

What is very valuable is what evidence is stored in the web server and PHP access and error logs. Once you can determine the date/time of the hack, it's fairly easy to find what changed on the server based on modification date/time of critical files. Most exploits are fairly 'noisy' and generate errors of some sort, and once you find the errors you can find the hack.

I would suspect that the attack vector is similar to what is used to attack WordPress, and some of the same basic hack-recovery steps apply, though some are WP specific:

http://codex.wordpress.org/FAQ_My_site_was_hacked...

http://ottopress.com/2009/hacked-wordpress-backdoors/...

The concern, of course, is if this is a skilled attacker, then they may have left a backdoor open.

This attack in your case looks fairly heavy-handed and obvious, so most likely it's an automated attack of some sort.

Personally I have done a lot of work pen-testing my C5 test servers and I have a pretty good idea where the security weaknesses are. One of my (many) to-do items is to create and/or contribute to a hardening checklist for C5 in the coming year.
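
The timeline approach robodev describes, as an added example that is not part of the original post: it takes the earliest timestamp from the error-log lines quoted earlier in the thread and lists files whose modification time falls within a window around it. The directory tree in `demo()` and the 6-hour window are constructed, and the log times and file times are assumed to be in the same time zone.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Two of the error-log lines quoted earlier in the thread (order swapped on purpose).
SAMPLE_LOG = """\
[Sun Dec 28 12:46:34 2014] [error] [client 66.249.69.126] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
[Sun Dec 28 12:37:59 2014] [error] [client 180.76.5.145] PHP Fatal error:  Call to undefined function _2117704563() in /var/www/html/dijiciti.com/truse/new.php on line 1
"""
LINE_RE = re.compile(r"^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] PHP Fatal error:.* in (\S+) on line \d+$")

def first_error_per_script(log_text):
    """Map each script path named in a PHP fatal error to its earliest timestamp."""
    first = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            first[m.group(3)] = min(ts, first.get(m.group(3), ts))
    return first

def modified_near(root, pivot, window):
    """List (mtime, relative path) for files changed within +/- window of pivot."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.lstat(path).st_mtime)
            if abs(mtime - pivot) <= window:
                hits.append((mtime, os.path.relpath(path, root)))
    return sorted(hits)

def demo():
    """Constructed web root: one old file, two touched shortly before the first error."""
    pivot = min(first_error_per_script(SAMPLE_LOG).values())
    ages = {"index.php": timedelta(days=30), ".htaccess": timedelta(minutes=20),
            os.path.join("truse", "new.php"): timedelta(minutes=25)}
    with tempfile.TemporaryDirectory() as root:
        for rel, age in ages.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            stamp = (pivot - age).timestamp()
            os.utime(path, (stamp, stamp))
        return [rel for _mtime, rel in modified_near(root, pivot, timedelta(hours=6))]

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so an empty result does not clear the server.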