Welcome to WebmasterWorld Guest from 54.163.142.67

Forum Moderators: incrediBILL & martinibuster

Message Too Old, No Replies

Adsense by a hacker?

     
9:11 am on Jul 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 8, 2003
posts:516
votes: 4


Was browsing through my site and noticed a 300 x 250 adsense box at the bottom of the page Which I had not inserted. The publisher code was not mine. When I refreshed the page the ad was gone. This has happened thrice now it seems someone has managed to hack my site and inserted the code or can it be spyware? What action can I take? Report the publisher id to google.
9:22 am on July 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:May 30, 2005
posts:456
votes: 0


Are you using free web hosting?
9:25 am on July 20, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Sept 29, 2000
posts:12095
votes: 0


I would grab documentation and report it.
9:27 am on July 20, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Apr 21, 2004
posts:306
votes: 0


Check your source code... if you're right the person probably had brains enough to make it something that only appears 1/x times, so as not to attract your attention. Hit the reload button a few times and see if it pops up again.
9:34 am on July 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 8, 2003
posts:516
votes: 4


It is not on free hosting. I cant figure out how he has done the scripting so that it appears only once. As I dont see any extra code besides the adsense code.
9:35 am on July 20, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 11, 2003
posts:146
votes: 0


It's not a graphic ad or cpm spot maybe?

EVO

9:42 am on July 20, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Apr 21, 2004
posts:306
votes: 0


If it was server side scripting (php, asp) there would be no evidence in the html/javascript output -- it would just show up occasionally.
9:47 am on July 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 8, 2003
posts:516
votes: 4


Yes I have checked the pages also no such dynamic code. It is however time capped as it shows to a particular IP only once every 12 - 24 hours.
9:51 am on July 20, 2005 (gmt 0)

Full Member

10+ Year Member

joined:May 8, 2003
posts:292
votes: 0


no its not a graphic ad. it comes at the worse spot possible near the bottom of the page and distorts the design of the page as well. Have a screenshot - will post it but wont serve any purpose - got a PSA in this time but we got the publisher ID. will complaint to Google but what can they do? they certainly wont reveal his ID. i wish i cud get my hands on such content suckers. its even more disgusting then copying content and using adsense on them.
2:05 pm on July 20, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member tropical_island is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 16, 2002
posts:2744
votes: 0


Google should be able to identify by the website who has placed ad code on it. I'm sure they must track this in their system.
2:36 pm on July 20, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member jenstar is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 22, 2002
posts:4663
votes: 0


Did you do a spyware/adware sweep of your computer to be certain? Once you have done that, grab the screenshot, the sourcecode when the second ad appears and send an email off to the AdSense Team.

You can also check your host and see if there were any ftp logins that were not you, and check the dates via FTP on those pages, to see if they are different than they should be.

2:55 pm on July 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:May 6, 2005
posts:460
votes: 0


how reliable is your hosting company? for how long has your website been hosted with them?
2:57 pm on July 20, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 18, 2003
posts:175
votes: 0


Do you have your own adsense code on the page as well? Double check the pub-id make sure they aren't messing with that also.
6:27 pm on July 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 3, 2005
posts:556
votes: 0


1) upload your pages again, change your ftp password
2) if possible, change your host.

I had complained about my host to google for using adsense of error404 pages, they took NO action. i changed my host and my earnings improved.

I learnt that it is better to safeguard your own interest.

6:32 pm on July 20, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 11, 2003
posts:146
votes: 0


morpheus83, will you please keep this thread posted on what you find out. It's something we can all learn from.
Thanks.

EVO

7:41 pm on July 20, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:June 13, 2004
posts:650
votes: 0


Not a typical symptom, but could be a virus too.
Check your system thoroughly.

By a stealware you don't even notice something's wrong.
The code is changed on the fly and your click is credited to someone else.
Pity, but noone except webmasters cares about it.
Advertiser gets a lead, Google gets a click, everybody wins.
Well... almost everybody.

4:01 am on July 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 8, 2003
posts:516
votes: 4


It isnt spyware on my PC as I have tried on other PC's too. Host is quiet reliable one of the best in the industry. I have double checked the publisher id and it is not mine.
It seems I have found the source of this. It is a script of a third party email to friend script. I will run a few more tests and then confirm it. Is it ok to post the name of the company doing this? As I feel everyone must be aware of this.
4:51 am on July 21, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 6, 2005
posts:192
votes: 0


Very scary situation and I would really like to see the depth of this. I hope you will post the company.

Thanks

5:32 am on July 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 8, 2003
posts:516
votes: 4


Sorry I cant post the name of the company. It is against the rules of the forum.
5:36 am on July 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 21, 2005
posts:553
votes: 0


Well, this really sucks.
I would love to see them named.

Please DO report them to Adsense, this is clearly a thievery and out of the TOS, as you cannot


(vi) directly or indirectly access, launch and/or activate Ads, ... in, any ... other means other than Your Site(s) ...

Plus, I can't imagine the consequences of having your website linked to a banned website or account by means of their publisher ID

Add the paranoia they have inflicted on you, and the loss of time they caused to you.

I am usually less harsh but in this case they deserve to be punished at full extent.

5:41 am on July 21, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 17, 2004
posts:138
votes: 0


Is it possible someone is playing mischief with your account and another publisher account.
Both of u may be innocent. Check with your hosting company.
6:22 am on July 21, 2005 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


If you have a real hacker on your hands, which would open up a custom injected shell (assuming you're on some version of *Nix) via some outdated software with buffer overflow vulnerabilities there may be no trace whatsoever as there would be no FTP log, no SSH log, nor would it show up in the shell history.

First, via FTP sort the files on the server by date and anything recently modified will be immediately obvious.

If you're hacked, remove the code and set a trap in the event they come back.

You'll want your ISP to change a few files with "chattr +i *" which sets the immutable bit. Basically this means that nobody can alter the file unless you remove the immutable bit "chattr -i *" and this can't be done via FTP, only via the command shell. If you find new code injected back into your pages then you know they have unrestricted shell access via some vulnerability and it's a complete hack, you're not in control of the box at all.

6:57 am on July 21, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 6, 2005
posts:192
votes: 0


It will be interesting to see what G's reply will be, surely this hacker would be in the UPS level.
7:21 am on July 21, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 8, 2004
posts:865
votes: 0


I use pair hosting and if you use their shared account, just like on most shared servers, everybody on your server can read your files. For pair you have to set up cgi-wrap which allows you to keep prying eyes out. When I first heard about this I decided to test the theory and looked at some other peoples accounts. When people install progams like phpMyAdmin they must use a plain text password to connect to the database. I was able to browse through many peoples accounts and read their most complicated passwords with ease. This could have happened to you at an old host and the person could have kept track of your and many others passwords. I would suggest first securing your server and coming up with a few new complicated passwords. Stop using all old passwords you have used in the past.

Another possibility is that you use the same password you use on forums as you do on your ftp or website. There is nothing stopping a person who is running a forum from collecting the passwords people use to sign up for the forums. Lets say you signed up for a forum where you promoted your website and when you signed up you used the same password for the forum as you use for your website account. Same principal could be applied to free email accounts or free website accounts, you get the picture.

8:15 am on July 21, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Aug 16, 2004
posts:293
votes: 0


Don't know if you are on a Windows server, here goes anyways:

I happened to notice a couple -slightly- suspicious files on the root of my IIS server a couple months back, with names like 'hacked.htm', 'el1tegr0up.htm' etc.

Turns out somewhere along the line I had loosened up the site permissions, allowing site 'write' and remote scripts & executables to be run by IUSER. There is a very well known exploit that will let the anon user do basically what they want.. in my case, I was extremely lucky that the default permissions of files created by the IUSER account were set to 'no-read, no-write'.

So, they could manage to upload their hack pages with scripts and all kinds of goodies, but could not access them (permission denied). It's just one more toggle on the security to loosen it to the critical point, and apparently many many people were hit by this one.

Someone with this type of access could very easily pull a covert Adsense highjack.

Do a search for 'IIS 6 Remote Buffer Overflow Exploit'

8:31 am on July 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 8, 2003
posts:516
votes: 4


I made a backup of a page with the Email a friend code and one without. The page with the Email a friend code displays adsense in the exact same position where the code is put.
This is the code
<script src="http://xyz.com/s/?ID=3123&SL=http://www.xyz.com/images/announce.gif"></script>
<noscript>
<a href=http://www.xyz.com/p?ID=3123>Tell a friend</a>
</noscript>
Just to inform what this code did. It inserted a 300 x 250 adsense ad which would appear only once to a single IP per 12 hours. Of course the publisher id was of the spyware company.
8:55 am on July 21, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 11, 2004
posts:1062
votes: 0


And what is Google's reply? I'm curious to know if they will take some action on this or let it slip between the cracks.
8:56 am on July 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 21, 2005
posts:553
votes: 0


Yikes...

the <script src="announce.gif"> trick is really nasty.

the server usually serves an image, but can decide to serve a javascript...

9:36 am on July 21, 2005 (gmt 0)

New User

10+ Year Member

joined:Apr 26, 2005
posts:16
votes: 0


I doubt Google will, or even should do anything about it.

Your account didn't get hacked. You chose to install an advertising-supported script.

If the author of the script wasn't upfront and didn't clearly state that the script is ad supported, then it's a dishonest practice, but I'm not sure if it violates Google's TOS.

If you choose to copy+paste 3rd party code onto your site, you should at least read through the code to make sure it doesn't have any 'surprise features' like this.

10:09 am on July 21, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 21, 2005
posts:553
votes: 0



I'm not sure if it violates Google's TOS.

as far as I understand it, you cannot put Adsense on someone else's site:


other means other than Your Site(s)

and yes, the very pertinent question is: did the author say it was an ads-supported script?

morpheus83, could you pleas sticky mail me the URL of the script?

This 50 message thread spans 2 pages: 50