Mystery Code
June 11, 2010 11:59 AM
Was this site hacked? How? How does it work?
I was looking at a website of a fairly well known designer. The site was extremely simple - it's just a big auto play flash slide show of the designer's work, and their name and address on top of the slideshow.
I tried clicking around, but there was nothing to click on the site. It just plays the slideshow, and has contact information.
Just for fun I looked at the source code for the page--
The top part was normal, at least what I would expect for a site with a flash slideshow, but then at the bottom there were all these links for spam sites.
(Please see screen shot)
So, why is this strange code there? Is it intentional? If not, how was it maliciously inserted? And what does it even do? As far as I can tell, you could never click on any of these links from the site itself.
Finally, if it is a hack, how do you fix or prevent this kind of attack?
Yeah, almost certainly hacked. The attackers inserted these links into the code without much regard for the structure of the page. That the links are not visible is a good thing, but it's accidental and undesired from the point of view of the attackers.
As to how the links got there? There are all kinds of ways to get malicious code onto a website and a similarly diverse number of ways to prevent it. As mentioned, SQL injection is one common mechanism, but there are others.
posted by jedicus at 12:07 PM on June 11, 2010
The invisibility looks intentional to me; presumably the hope is that the extra linkage will raise the google rank of the targeted sites, and the invisibility will delay discovery and removal of the links.
talkingmuffin, why does it look like SQL injection to you?
posted by hattifattener at 12:14 PM on June 11, 2010
So what do the links do? As I mentioned, there is no way to see them, let alone click them (as far as I could tell), without looking at the source code. What is a hack like this accomplishing?
Would contacting the site host be the way to address a hack like this (assuming you are not web/code savvy?)
posted by bonsai forest at 12:17 PM on June 11, 2010
(I didn't preview to see hattifattener's answer before posting my last comment)
posted by bonsai forest at 12:19 PM on June 11, 2010
Would contacting the site host be the way to address a hack like this (assuming you are not web/code savvy?)
Yeah, you'd probably want to notify the host, since the vulnerability might ultimately be on their end.
posted by jedicus at 12:19 PM on June 11, 2010
Very rarely, people will do this deliberately; someone will sign up for a "really discreet link exchange program" or something silly.
In general though, ya, it's probably a hack. Could be a vulnerable application (SQL injection, remote code execution) or some manner of vulnerable shared hosting environment.
posted by Matt Oneiros at 12:20 PM on June 11, 2010
As for why, my understanding is that this is what spammers do now, instead of leaving spam comments on blogs.
The flood of spam blog comments has largely been defeated by A) successful plug-ins like Akismet, and B) ref=nofollow, which every blog in the world uses now. Ref=nofollow basically removes any Google juice from the URL, thus defeating the reason for posting it.
The more sites that link to your site, the more Google juice it gets. The links don't have to be clickable by humans for this to work. They just need to be readable by search engines.
posted by ErikaB at 12:22 PM on June 11, 2010
The reason you can't see or click on it is because of the "display: none" in the tags.
:)
posted by royalsong at 12:29 PM on June 11, 2010
I don't suppose there's any chance the designer fell prey to some black-hat SEO "consultant" when the website was built? This also kind of looks like link farming.
posted by Thorzdad at 12:54 PM on June 11, 2010
The invisibleness isn't unintentional (that's why they say display:none). I'm not convinced of an SQL attack either. The first set of links appears after the close of head and before the start of body; there shouldn't be anything there, so there should be no need for anything to be pulled from the db there. They also appear again in the noscript. It feels more deliberate to me, but without seeing the actual site it's hard to say.
posted by missmagenta at 1:19 PM on June 11, 2010
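A way to check a page for the placement described in the comments above (external links under display:none, inside noscript, or sitting between the closing head tag and the body tag), as an added example that is not part of the original thread. The class and function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = set("area base br col embed hr img input link meta source track wbr".split())

class HiddenLinkFinder(HTMLParser):
    """Collect absolute-URL links that a visitor to the page could never see."""
    def __init__(self):
        super().__init__()
        self.stack = []           # open elements as (tag, hiding reason or None)
        self.head_closed = self.body_open = False
        self.findings = []        # (line number, link host, [reasons])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.body_open = self.body_open or tag == "body"
        styled = HIDING_CSS.search(attrs.get("style") or "")
        own = "inside <noscript>" if tag == "noscript" else ("hidden by inline style" if styled else None)
        host = urlsplit(attrs.get("href") or "").netloc   # empty for relative links
        if tag == "a" and host:
            reasons = [r for _, r in self.stack if r] + ([own] if own else [])
            if self.head_closed and not self.body_open:
                reasons.append("between </head> and <body>")
            if reasons:
                self.findings.append((self.getpos()[0], host, reasons))
        if tag not in VOID_TAGS:  # void elements never get a closing tag
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        self.head_closed = self.head_closed or tag == "head"
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate sloppy nesting
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html_text):
    parser = HiddenLinkFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample page (not the site from the thread); .example hosts are placeholders.
SAMPLE = """<html><head><title>Portfolio</title></head>
<div style="display: none"><a href="http://spam-one.example/go.php">pills</a></div>
<body><p>Studio, <a href="http://partner.example/">visible link</a></p>
<object data="slideshow.swf"></object>
<noscript><a href="http://spam-two.example/go.php">loans</a></noscript>
</body></html>"""
```

Calling `find_hidden_links(SAMPLE)` reports the two hidden links with their line numbers and leaves the visible partner link alone. It only sees inline styles, so links hidden through an external stylesheet or script need a rendered-page check instead.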
It's black SEO, to drive up the linked sites' PageRank. If the site owner did his own design, as you say, then it almost had to be put there illegally. The owner needs to be notified, take his site down, scrub all the SEO links, search his HTTP & SQL logs for forensic evidence of what was done, use that info to find & fix the hole they used (plus look for backdoors that may have been inserted for easy reentry) & put the site back up.
posted by scalefree at 2:04 PM on June 11, 2010
Definitely not a SQL injection. If it was not put there by the designer, then what happened was some other site on the same shared host was compromised and his file permissions were set incorrectly which allowed the other user to modify the HTML. I'm basing this on the assumption that if the site is as you describe, it's composed of a single static HTML file, not anything dynamic like a blog or whatnot.
But it could also be one of those "link exchange" scams that some people fall for. The sell is that in return for linking to a bunch of sites, you also get incoming links, which ostensibly increases the PR of everyone involved. Except Google is generally smart enough to catch on to these rings and nuke everyone involved.
What is the PageRank of the site?
posted by Rhomboid at 2:12 PM on June 11, 2010
And as to the fix, set permissions correctly on files and directories on your shared host, generally 644 and 755 resp.
posted by Rhomboid at 2:15 PM on June 11, 2010
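A sketch of how a site owner could audit a web root against the 644/755 suggestion above, flagging anything that group or other accounts on a shared host can write to. This is an added example, not part of the original thread; the function names and the sample directory layout are constructed for illustration.

```python
import os
import stat

SUGGESTED = {True: 0o755, False: 0o644}      # directories / files, as in the thread
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH   # bits that let another account edit

def audit_permissions(web_root):
    """Return sorted (relative path, current mode, suggested mode) for every
    file or directory under web_root that group or other users can write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        # os.walk never lists the root itself, so add it once as "."
        entries = dirnames + filenames + (["."] if dirpath == web_root else [])
        for name in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                     # skip symlinks; their own mode is not enforced
            mode = stat.S_IMODE(st.st_mode)
            if mode & OTHERS_WRITE:
                suggested = SUGGESTED[stat.S_ISDIR(st.st_mode)]
                rel = os.path.relpath(path, web_root)
                findings.append((rel, oct(mode), oct(suggested)))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree for the demonstration, not the site from the thread."""
    layout = {"index.html": 0o666, "slideshow.swf": 0o644, "images/photo1.jpg": 0o644}
    os.mkdir(os.path.join(root, "images"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "images"), 0o777)   # world-writable directory
    os.chmod(root, 0o755)
```

On the sample tree, `audit_permissions` returns the world-writable `images` directory and `index.html`, each with the mode suggested in the thread.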
The page rank is '5'
There is nothing dynamic to the site except that it is an autoplaying slideshow.
posted by bonsai forest at 2:22 PM on June 11, 2010
And as to the fix, set permissions correctly on files and directories on your shared host, generally 644 and 755 resp.
Yeah I was gonna suggest that could be the cause too. Good catch.
posted by scalefree at 3:45 PM on June 11, 2010
Thank you all - I will contact the site owner to let them know - it's good to have the additional info you all have provided.
posted by bonsai forest at 12:29 AM on June 12, 2010
I've visited a few of the linked sites and they look like real pages (no telling for sure these days) and they are also infested with invisible link fungus. All the links are to a "go.php" page, located in random directories. My guess is someone is exploiting a PHP bug and is hitting older sites run by small-time operators that don't have the IT staff to keep up to date.
posted by chairface at 8:07 AM on June 12, 2010
In a nutshell, you either want to make sure you remove anything that looks like SQL code from information submitted via your website, or you send information to your database in discrete chunks so there is no room for misunderstanding.
posted by talkingmuffin at 12:05 PM on June 11, 2010