
Google AdSense Forum

This 50 message thread spans 2 pages.
Adsense by a hacker?
morpheus83




msg:1409974
 9:11 am on Jul 20, 2005 (gmt 0)

Was browsing through my site and noticed a 300 x 250 AdSense box at the bottom of the page which I had not inserted. The publisher code was not mine. When I refreshed the page the ad was gone. This has happened thrice now. It seems someone has managed to hack my site and inserted the code, or can it be spyware? What action can I take? Report the publisher ID to Google.

 

John Carpenter




msg:1409975
 9:22 am on Jul 20, 2005 (gmt 0)

Are you using free web hosting?

Marcia




msg:1409976
 9:25 am on Jul 20, 2005 (gmt 0)

I would grab documentation and report it.

roldar




msg:1409977
 9:27 am on Jul 20, 2005 (gmt 0)

Check your source code... if you're right the person probably had brains enough to make it something that only appears 1/x times, so as not to attract your attention. Hit the reload button a few times and see if it pops up again.

morpheus83




msg:1409978
 9:34 am on Jul 20, 2005 (gmt 0)

It is not on free hosting. I can't figure out how he has done the scripting so that it appears only once, as I don't see any extra code besides the AdSense code.

EVOrange




msg:1409979
 9:35 am on Jul 20, 2005 (gmt 0)

It's not a graphic ad or cpm spot maybe?

EVO

roldar




msg:1409980
 9:42 am on Jul 20, 2005 (gmt 0)

If it was server side scripting (php, asp) there would be no evidence in the html/javascript output -- it would just show up occasionally.

morpheus83




msg:1409981
 9:47 am on Jul 20, 2005 (gmt 0)

Yes, I have checked the pages also; no such dynamic code. It is however time capped, as it shows to a particular IP only once every 12 - 24 hours.

whizkiddo




msg:1409982
 9:51 am on Jul 20, 2005 (gmt 0)

No, it's not a graphic ad. It comes at the worst spot possible near the bottom of the page and distorts the design of the page as well. Have a screenshot - will post it but won't serve any purpose - got a PSA in this time but we got the publisher ID. Will complain to Google but what can they do? They certainly won't reveal his ID. I wish I could get my hands on such content suckers. It's even more disgusting than copying content and using AdSense on them.

Tropical Island




msg:1409983
 2:05 pm on Jul 20, 2005 (gmt 0)

Google should be able to identify by the website who has placed ad code on it. I'm sure they must track this in their system.

Jenstar




msg:1409984
 2:36 pm on Jul 20, 2005 (gmt 0)

Did you do a spyware/adware sweep of your computer to be certain? Once you have done that, grab the screenshot, the sourcecode when the second ad appears and send an email off to the AdSense Team.

You can also check your host and see if there were any ftp logins that were not you, and check the dates via FTP on those pages, to see if they are different than they should be.

caran1




msg:1409985
 2:55 pm on Jul 20, 2005 (gmt 0)

How reliable is your hosting company? For how long has your website been hosted with them?

mvander




msg:1409986
 2:57 pm on Jul 20, 2005 (gmt 0)

Do you have your own AdSense code on the page as well? Double check the pub-id to make sure they aren't messing with that also.

Sobriquet




msg:1409987
 6:27 pm on Jul 20, 2005 (gmt 0)

1) Upload your pages again, change your FTP password.
2) If possible, change your host.

I had complained about my host to Google for using AdSense on error 404 pages; they took NO action. I changed my host and my earnings improved.

I learnt that it is better to safeguard your own interest.

EVOrange




msg:1409988
 6:32 pm on Jul 20, 2005 (gmt 0)

morpheus83, will you please keep this thread posted on what you find out. It's something we can all learn from.
Thanks.

EVO

activeco




msg:1409989
 7:41 pm on Jul 20, 2005 (gmt 0)

Not a typical symptom, but could be a virus too.
Check your system thoroughly.

With stealware you don't even notice something's wrong.
The code is changed on the fly and your click is credited to someone else.
Pity, but no one except webmasters cares about it.
Advertiser gets a lead, Google gets a click, everybody wins.
Well... almost everybody.

morpheus83




msg:1409990
 4:01 am on Jul 21, 2005 (gmt 0)

It isn't spyware on my PC, as I have tried on other PCs too. Host is quite reliable, one of the best in the industry. I have double checked the publisher ID and it is not mine.
It seems I have found the source of this. It is a third-party email-to-friend script. I will run a few more tests and then confirm it. Is it OK to post the name of the company doing this? As I feel everyone must be aware of this.

Lex_Luther




msg:1409991
 4:51 am on Jul 21, 2005 (gmt 0)

Very scary situation and I would really like to see the depth of this. I hope you will post the company.

Thanks

morpheus83




msg:1409992
 5:32 am on Jul 21, 2005 (gmt 0)

Sorry, I can't post the name of the company. It is against the rules of the forum.

frox




msg:1409993
 5:36 am on Jul 21, 2005 (gmt 0)

Well, this really sucks.
I would love to see them named.

Please DO report them to Adsense, this is clearly a thievery and out of the TOS, as you cannot


(vi) directly or indirectly access, launch and/or activate Ads, ... in, any ... other means other than Your Site(s) ...

Plus, I can't imagine the consequences of having your website linked to a banned website or account by means of their publisher ID

Add the paranoia they have inflicted on you, and the loss of time they caused to you.

I am usually less harsh but in this case they deserve to be punished at full extent.

eddy22




msg:1409994
 5:41 am on Jul 21, 2005 (gmt 0)

Is it possible someone is playing mischief with your account and another publisher account?
Both of you may be innocent. Check with your hosting company.

incrediBILL




msg:1409995
 6:22 am on Jul 21, 2005 (gmt 0)

If you have a real hacker on your hands, which would open up a custom injected shell (assuming you're on some version of *Nix) via some outdated software with buffer overflow vulnerabilities there may be no trace whatsoever as there would be no FTP log, no SSH log, nor would it show up in the shell history.

First, via FTP sort the files on the server by date and anything recently modified will be immediately obvious.

If you're hacked, remove the code and set a trap in the event they come back.

You'll want your ISP to change a few files with "chattr +i *" which sets the immutable bit. Basically this means that nobody can alter the file unless you remove the immutable bit "chattr -i *" and this can't be done via FTP, only via the command shell. If you find new code injected back into your pages then you know they have unrestricted shell access via some vulnerability and it's a complete hack, you're not in control of the box at all.
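
One way to make the "recently modified" check and the trap described above repeatable, as an added example that is not part of the original post: record a SHA-256 baseline of the document root while it is clean and compare against it later. It goes beyond sorting by date, because a file's modification time can be set back by whoever changed it; all file names and contents below are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(docroot):
    """Map each file path (relative to docroot) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, docroot)] = digest
    return manifest

def compare(docroot, baseline):
    """Return (changed, added, removed) against a baseline; changed is newest first."""
    current = snapshot(docroot)
    changed = [p for p in current if p in baseline and current[p] != baseline[p]]
    changed.sort(key=lambda p: os.path.getmtime(os.path.join(docroot, p)), reverse=True)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed

def demo():
    """Constructed scenario: clean site, then one altered page and one new file."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as fh:
            fh.write("<html><body>clean page</body></html>")
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write("<html><body>about</body></html>")
        baseline = snapshot(root)      # in practice, store this copy off the server
        old = os.path.getmtime(page)
        with open(page, "a") as fh:
            fh.write("<!-- constructed stand-in for injected markup -->")
        os.utime(page, (old, old))     # timestamp unchanged, so a date sort shows nothing
        with open(os.path.join(root, "extra.php"), "w") as fh:
            fh.write("constructed placeholder")
        return compare(root, baseline)

if __name__ == "__main__":
    print(demo())
```
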

Lex_Luther




msg:1409996
 6:57 am on Jul 21, 2005 (gmt 0)

It will be interesting to see what G's reply will be, surely this hacker would be in the UPS level.

twist




msg:1409997
 7:21 am on Jul 21, 2005 (gmt 0)

I use pair hosting and if you use their shared account, just like on most shared servers, everybody on your server can read your files. For pair you have to set up cgi-wrap which allows you to keep prying eyes out. When I first heard about this I decided to test the theory and looked at some other people's accounts. When people install programs like phpMyAdmin they must use a plain text password to connect to the database. I was able to browse through many people's accounts and read their most complicated passwords with ease. This could have happened to you at an old host and the person could have kept track of your and many others' passwords. I would suggest first securing your server and coming up with a few new complicated passwords. Stop using all old passwords you have used in the past.

Another possibility is that you use the same password you use on forums as you do on your FTP or website. There is nothing stopping a person who is running a forum from collecting the passwords people use to sign up for the forums. Let's say you signed up for a forum where you promoted your website and when you signed up you used the same password for the forum as you use for your website account. Same principle could be applied to free email accounts or free website accounts, you get the picture.

flyerguy




msg:1409998
 8:15 am on Jul 21, 2005 (gmt 0)

Don't know if you are on a Windows server, here goes anyways:

I happened to notice a couple -slightly- suspicious files on the root of my IIS server a couple months back, with names like 'hacked.htm', 'el1tegr0up.htm' etc.

Turns out somewhere along the line I had loosened up the site permissions, allowing site 'write' and remote scripts & executables to be run by IUSER. There is a very well known exploit that will let the anon user do basically what they want.. in my case, I was extremely lucky that the default permissions of files created by the IUSER account were set to 'no-read, no-write'.

So, they could manage to upload their hack pages with scripts and all kinds of goodies, but could not access them (permission denied). It's just one more toggle on the security to loosen it to the critical point, and apparently many many people were hit by this one.

Someone with this type of access could very easily pull a covert AdSense hijack.

Do a search for 'IIS 6 Remote Buffer Overflow Exploit'

morpheus83




msg:1409999
 8:31 am on Jul 21, 2005 (gmt 0)

I made a backup of a page with the Email a friend code and one without. The page with the Email a friend code displays adsense in the exact same position where the code is put.
This is the code
<script src="http://xyz.com/s/?ID=3123&SL=http://www.xyz.com/images/announce.gif"></script>
<noscript>
<a href=http://www.xyz.com/p?ID=3123>Tell a friend</a>
</noscript>
Just to inform what this code did. It inserted a 300 x 250 adsense ad which would appear only once to a single IP per 12 hours. Of course the publisher id was of the spyware company.

Freedom




msg:1410000
 8:55 am on Jul 21, 2005 (gmt 0)

And what is Google's reply? I'm curious to know if they will take some action on this or let it slip between the cracks.

frox




msg:1410001
 8:56 am on Jul 21, 2005 (gmt 0)

Yikes...

the <script src="announce.gif"> trick is really nasty.

the server usually serves an image, but can decide to serve a javascript...

ZoneMR




msg:1410002
 9:36 am on Jul 21, 2005 (gmt 0)

I doubt Google will, or even should do anything about it.

Your account didn't get hacked. You chose to install an advertising-supported script.

If the author of the script wasn't upfront and didn't clearly state that the script is ad supported, then it's a dishonest practice, but I'm not sure if it violates Google's TOS.

If you choose to copy+paste 3rd party code onto your site, you should at least read through the code to make sure it doesn't have any 'surprise features' like this.
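
A sketch of the kind of read-through suggested above, as an added example that is not code from the thread or from any vendor: it lists `<script src>` includes that load from hosts you did not expect, flags script URLs that end like an image, and reports any AdSense publisher ID other than your own. The hostname `www.example.org`, both publisher IDs and the "rendered" sample are constructed assumptions; the third-party include is the one quoted earlier in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this sketch: your hostname, your publisher ID, the ad host you expect.
OWN_HOSTS = {"www.example.org"}
OWN_PUB_ID = "pub-0000000000000001"          # constructed placeholder
EXPECTED_HOSTS = OWN_HOSTS | {"pagead2.googlesyndication.com"}
IMAGE_EXT = re.compile(r"\.(gif|jpe?g|png)$", re.I)
PUB_ID = re.compile(r"pub-\d+")

class ScriptAudit(HTMLParser):
    """Record every <script src> that loads from an unexpected host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return
        host = urlsplit(src).hostname
        if host and host not in EXPECTED_HOSTS:
            self.findings.append(("third-party-script", src))
            if IMAGE_EXT.search(src):   # URL ends like an image but runs as script
                self.findings.append(("script-url-ends-like-image", src))

def audit_page(html):
    """Return findings for one page: foreign script includes and publisher IDs."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    foreign = sorted(set(PUB_ID.findall(html)) - {OWN_PUB_ID})
    return parser.findings + [("foreign-publisher-id", p) for p in foreign]

OWN_AD = ('<script>google_ad_client = "pub-0000000000000001";</script>'
          '<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>')
# Page as stored on the server: own ad code plus the include quoted in the thread.
PAGE_SOURCE = OWN_AD + ('<script src="http://xyz.com/s/?ID=3123&SL='
                        'http://www.xyz.com/images/announce.gif"></script>')
# Constructed sample of the markup after a remote script has written a second ad unit.
RENDERED = PAGE_SOURCE + '<script>google_ad_client = "pub-0000000000009999";</script>'

if __name__ == "__main__":
    for name, html in (("source", PAGE_SOURCE), ("rendered", RENDERED)):
        for kind, detail in audit_page(html):
            print(name, kind, detail)
```

The stored page yields only the include findings; the foreign publisher ID appears only in the rendered sample, which is why reading the static source alone did not reveal it.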

frox




msg:1410003
 10:09 am on Jul 21, 2005 (gmt 0)


I'm not sure if it violates Google's TOS.

as far as I understand it, you cannot put Adsense on someone else's site:


other means other than Your Site(s)

and yes, the very pertinent question is: did the author say it was an ads-supported script?

morpheus83, could you please sticky mail me the URL of the script?
