Welcome to WebmasterWorld Guest from 54.166.87.123

Forum Moderators: incrediBILL & martinibuster

Message Too Old, No Replies

Adsense by a hacker?

   
9:11 am on Jul 20, 2005 (gmt 0)

10+ Year Member



Was browsing through my site and noticed a 300 x 250 adsense box at the bottom of the page Which I had not inserted. The publisher code was not mine. When I refreshed the page the ad was gone. This has happened thrice now it seems someone has managed to hack my site and inserted the code or can it be spyware? What action can I take? Report the publisher id to google.
9:22 am on Jul 20, 2005 (gmt 0)

5+ Year Member



Are you using free web hosting?
9:25 am on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I would grab documentation and report it.
9:27 am on Jul 20, 2005 (gmt 0)

10+ Year Member



Check your source code... if you're right the person probably had brains enough to make it something that only appears 1/x times, so as not to attract your attention. Hit the reload button a few times and see if it pops up again.
9:34 am on Jul 20, 2005 (gmt 0)

10+ Year Member



It is not on free hosting. I cant figure out how he has done the scripting so that it appears only once. As I dont see any extra code besides the adsense code.
9:35 am on Jul 20, 2005 (gmt 0)

10+ Year Member



It's not a graphic ad or cpm spot maybe?

EVO

9:42 am on Jul 20, 2005 (gmt 0)

10+ Year Member



If it was server side scripting (php, asp) there would be no evidence in the html/javascript output -- it would just show up occasionally.
9:47 am on Jul 20, 2005 (gmt 0)

10+ Year Member



Yes I have checked the pages also no such dynamic code. It is however time capped as it shows to a particular IP only once every 12 - 24 hours.
9:51 am on Jul 20, 2005 (gmt 0)

10+ Year Member



no its not a graphic ad. it comes at the worse spot possible near the bottom of the page and distorts the design of the page as well. Have a screenshot - will post it but wont serve any purpose - got a PSA in this time but we got the publisher ID. will complaint to Google but what can they do? they certainly wont reveal his ID. i wish i cud get my hands on such content suckers. its even more disgusting then copying content and using adsense on them.
2:05 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member tropical_island is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Google should be able to identify by the website who has placed ad code on it. I'm sure they must track this in their system.
2:36 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member jenstar is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Did you do a spyware/adware sweep of your computer to be certain? Once you have done that, grab the screenshot, the sourcecode when the second ad appears and send an email off to the AdSense Team.

You can also check your host and see if there were any ftp logins that were not you, and check the dates via FTP on those pages, to see if they are different than they should be.

2:55 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



how reliable is your hosting company? for how long has your website been hosted with them?
2:57 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



Do you have your own adsense code on the page as well? Double check the pub-id make sure they aren't messing with that also.
6:27 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



1) upload your pages again, change your ftp password
2) if possible, change your host.

I had complained about my host to google for using adsense of error404 pages, they took NO action. i changed my host and my earnings improved.

I learnt that it is better to safeguard your own interest.

6:32 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



morpheus83, will you please keep this thread posted on what you find out. It's something we can all learn from.
Thanks.

EVO

7:41 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



Not a typical symptom, but could be a virus too.
Check your system thoroughly.

By a stealware you don't even notice something's wrong.
The code is changed on the fly and your click is credited to someone else.
Pity, but noone except webmasters cares about it.
Advertiser gets a lead, Google gets a click, everybody wins.
Well... almost everybody.

4:01 am on Jul 21, 2005 (gmt 0)

10+ Year Member



It isnt spyware on my PC as I have tried on other PC's too. Host is quiet reliable one of the best in the industry. I have double checked the publisher id and it is not mine.
It seems I have found the source of this. It is a script of a third party email to friend script. I will run a few more tests and then confirm it. Is it ok to post the name of the company doing this? As I feel everyone must be aware of this.
4:51 am on Jul 21, 2005 (gmt 0)

10+ Year Member



Very scary situation and I would really like to see the depth of this. I hope you will post the company.

Thanks

5:32 am on Jul 21, 2005 (gmt 0)

10+ Year Member



Sorry I cant post the name of the company. It is against the rules of the forum.
5:36 am on Jul 21, 2005 (gmt 0)

10+ Year Member



Well, this really sucks.
I would love to see them named.

Please DO report them to Adsense, this is clearly a thievery and out of the TOS, as you cannot


(vi) directly or indirectly access, launch and/or activate Ads, ... in, any ... other means other than Your Site(s) ...

Plus, I can't imagine the consequences of having your website linked to a banned website or account by means of their publisher ID

Add the paranoia they have inflicted on you, and the loss of time they caused to you.

I am usually less harsh but in this case they deserve to be punished at full extent.

5:41 am on Jul 21, 2005 (gmt 0)

10+ Year Member



Is it possible someone is playing mischief with your account and another publisher account.
Both of u may be innocent. Check with your hosting company.
6:22 am on Jul 21, 2005 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If you have a real hacker on your hands, which would open up a custom injected shell (assuming you're on some version of *Nix) via some outdated software with buffer overflow vulnerabilities there may be no trace whatsoever as there would be no FTP log, no SSH log, nor would it show up in the shell history.

First, via FTP sort the files on the server by date and anything recently modified will be immediately obvious.

If you're hacked, remove the code and set a trap in the event they come back.

You'll want your ISP to change a few files with "chattr +i *" which sets the immutable bit. Basically this means that nobody can alter the file unless you remove the immutable bit "chattr -i *" and this can't be done via FTP, only via the command shell. If you find new code injected back into your pages then you know they have unrestricted shell access via some vulnerability and it's a complete hack, you're not in control of the box at all.

6:57 am on Jul 21, 2005 (gmt 0)

10+ Year Member



It will be interesting to see what G's reply will be, surely this hacker would be in the UPS level.
7:21 am on Jul 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I use pair hosting and if you use their shared account, just like on most shared servers, everybody on your server can read your files. For pair you have to set up cgi-wrap which allows you to keep prying eyes out. When I first heard about this I decided to test the theory and looked at some other peoples accounts. When people install progams like phpMyAdmin they must use a plain text password to connect to the database. I was able to browse through many peoples accounts and read their most complicated passwords with ease. This could have happened to you at an old host and the person could have kept track of your and many others passwords. I would suggest first securing your server and coming up with a few new complicated passwords. Stop using all old passwords you have used in the past.

Another possibility is that you use the same password you use on forums as you do on your ftp or website. There is nothing stopping a person who is running a forum from collecting the passwords people use to sign up for the forums. Lets say you signed up for a forum where you promoted your website and when you signed up you used the same password for the forum as you use for your website account. Same principal could be applied to free email accounts or free website accounts, you get the picture.

8:15 am on Jul 21, 2005 (gmt 0)

10+ Year Member



Don't know if you are on a Windows server, here goes anyways:

I happened to notice a couple -slightly- suspicious files on the root of my IIS server a couple months back, with names like 'hacked.htm', 'el1tegr0up.htm' etc.

Turns out somewhere along the line I had loosened up the site permissions, allowing site 'write' and remote scripts & executables to be run by IUSER. There is a very well known exploit that will let the anon user do basically what they want.. in my case, I was extremely lucky that the default permissions of files created by the IUSER account were set to 'no-read, no-write'.

So, they could manage to upload their hack pages with scripts and all kinds of goodies, but could not access them (permission denied). It's just one more toggle on the security to loosen it to the critical point, and apparently many many people were hit by this one.

Someone with this type of access could very easily pull a covert Adsense highjack.

Do a search for 'IIS 6 Remote Buffer Overflow Exploit'

8:31 am on Jul 21, 2005 (gmt 0)

10+ Year Member



I made a backup of a page with the Email a friend code and one without. The page with the Email a friend code displays adsense in the exact same position where the code is put.
This is the code
<script src="http://xyz.com/s/?ID=3123&SL=http://www.xyz.com/images/announce.gif"></script>
<noscript>
<a href=http://www.xyz.com/p?ID=3123>Tell a friend</a>
</noscript>
Just to inform what this code did. It inserted a 300 x 250 adsense ad which would appear only once to a single IP per 12 hours. Of course the publisher id was of the spyware company.
8:55 am on Jul 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And what is Google's reply? I'm curious to know if they will take some action on this or let it slip between the cracks.
8:56 am on Jul 21, 2005 (gmt 0)

10+ Year Member



Yikes...

the <script src="announce.gif"> trick is really nasty.

the server usually serves an image, but can decide to serve a javascript...

9:36 am on Jul 21, 2005 (gmt 0)

10+ Year Member



I doubt Google will, or even should do anything about it.

Your account didn't get hacked. You chose to install an advertising-supported script.

If the author of the script wasn't upfront and didn't clearly state that the script is ad supported, then it's a dishonest practice, but I'm not sure if it violates Google's TOS.

If you choose to copy+paste 3rd party code onto your site, you should at least read through the code to make sure it doesn't have any 'surprise features' like this.

10:09 am on Jul 21, 2005 (gmt 0)

10+ Year Member




I'm not sure if it violates Google's TOS.

as far as I understand it, you cannot put Adsense on someone else's site:


other means other than Your Site(s)

and yes, the very pertinent question is: did the author say it was an ads-supported script?

morpheus83, could you pleas sticky mail me the URL of the script?

This 50 message thread spans 2 pages: 50