Malicious Code?

Unknown code on site


ispy

8:29 pm on Oct 8, 2007 (gmt 0)



There has been some unknown code inserted into our index page. I have caught it twice in the last several days. The first time it had live.com somewhere in it. The second time it was a Javascript with C4 at the end. Not the same code each time.

Does anyone know what it is, how it gets on our site, and what it's purpose may be? I have gotten rid of it so far by reuploading the index page. Thanks.

MatthewHSE

2:45 am on Oct 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you didn't add the code yourself, then it's being added without your permission, which can scarcely be anything *but* malicious. Check to see if you're running any vulnerable scripts, if not, check with your host to see if their server has been cracked in some way.

Are you on cheap or free web hosting? Seems to me I've heard of some free web hosts inserting ad network code into the pages of their customers.

SteveWh

7:15 am on Oct 9, 2007 (gmt 0)

10+ Year Member



ispy, if it's not your webhost doing it for some legitimate reason, then reuploading the page isn't even a start at a solution. If someone's obtained the ability to add or change the pages on your site, they can keep on doing it forever until you find the breach and close it. You need to examine everything. The page they happened to change gives you no clue to "where" they got into the site. Once in, they can change anything. Your site logs will help your investigation.
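The "examine everything" advice above is easier to follow with a baseline to compare against. The following is an added example, not code from the thread or any of its posters: it hashes every file in a known-good copy of the site, compares the live tree against it, and for each changed HTML/PHP file lists the `<script>` and `<iframe>` elements that are new, which is exactly how a block of JavaScript injected at the top of `index.html` shows up. The sample site in `demo()` is constructed; the tag regex is a triage heuristic, not a full HTML parser.

```python
"""Integrity check for a static site: find files that changed since a known-good
baseline and show which <script>/<iframe> elements are new in the changed HTML.
Added example, not code from the thread; the sample site below is constructed.
"""
import hashlib
import os
import re
import tempfile

# Matches a whole <script>...</script> or <iframe>...</iframe> element, or a
# lone opening tag. Good enough for first-pass triage of an injected payload.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*>.*?</\1\s*>|<(?:script|iframe)\b[^>]*/?>",
    re.IGNORECASE | re.DOTALL,
)


def sha256_file(path):
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def injected_tags(baseline_html, current_html):
    """Script/iframe elements present in the live page but absent from the baseline."""
    known = {m.group(0) for m in TAG_RE.finditer(baseline_html)}
    return [m.group(0) for m in TAG_RE.finditer(current_html) if m.group(0) not in known]


def check_site(baseline_root, live_root):
    """Compare two site trees; report changed files and new tags in changed pages."""
    modified, added, removed = diff_manifest(build_manifest(baseline_root),
                                             build_manifest(live_root))
    findings = {}
    for rel in modified:
        if rel.lower().endswith((".html", ".htm", ".php")):
            with open(os.path.join(baseline_root, rel), encoding="utf-8", errors="replace") as f:
                before = f.read()
            with open(os.path.join(live_root, rel), encoding="utf-8", errors="replace") as f:
                after = f.read()
            findings[rel] = injected_tags(before, after)
    return {"modified": modified, "added": added, "removed": removed, "injected": findings}


def demo():
    """Constructed sample: a clean baseline and a live copy with a script injected at the top."""
    clean = "<html><head><script src='/js/menu.js'></script></head><body>Shop</body></html>\n"
    injected = "<script>/* constructed placeholder for an obfuscated payload */</script>\n" + clean
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as live:
        for root, body in ((base, clean), (live, injected)):
            with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
                f.write(body)
            with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as f:
                f.write("<html><body>About</body></html>\n")
        # A file that exists only on the live server (e.g. a forgotten script) shows up as "added".
        with open(os.path.join(live, "feed.php"), "w", encoding="utf-8") as f:
            f.write("<?php // constructed: a forgotten script that was never removed ?>\n")
        return check_site(base, live)


if __name__ == "__main__":
    result = demo()
    print("modified:", result["modified"])
    print("added:   ", result["added"])
    print("removed: ", result["removed"])
    for path, tags in result["injected"].items():
        print(path, "new tags:", tags)
```

Run it against a pristine export of the site on one side and a fresh download of the live document root on the other; files in the "added" list (the forgotten feed script the original poster eventually found is the kind of thing that lands there) deserve as much attention as the modified ones.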

ispy

8:27 pm on Oct 9, 2007 (gmt 0)



It appeared suddenly so it's not the host. That would be bizarre for a live person to be doing it. I don't know what they may achieve. I guess it could be a competitor trying to analyze our traffic for some reason, or maybe even trying to redirect traffic, or an affiliate trying to steal commissions?

They can't access financials since this is hosted remotely. I'll post the code here if I find it again.

MatthewHSE

9:43 pm on Oct 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



More likely they're inserting some kind of ad-inserting code or (worse) some sort of malicious code to infect your visitors with spyware. You really do need to check your scripts and general security. There is almost certainly a security breach somewhere on your site or your host.

Reno

12:32 am on Oct 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This happened to me one time (js inserted at top of index), and when I contacted my hosting company, they advised changing the FTP access password immediately, which I did. To date there has not been another occurrence, so in that particular instance at least, altering the login seemed to be the answer. If you haven't done that already, I'd suggest doing so right away.

..............................

encyclo

1:24 am on Oct 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



they advised changing the FTP access password immediately, which I did. To date there has not been another occurrence

The hosting company then fixed the hole which was the real cause of the problem, leaving the impression that it was an FTP password leak which was the actual cause (ie. your fault, not theirs). :)

OK, I may be too cynical, and yes you should change all your passwords immediately too - but this kind of thing is more often to do with server-side scripts which have not been kept up to date, leaving the attacker access through which they can attach code to various files (eg. index.html) on the server.

Back to the original question: are you running a content management script? Is it up to date (fully-patched)? Are you on a shared or dedicated server? If it is a static site, then ask your host to move it to a different physical server, or change hosts.

Reno

5:21 pm on Oct 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The hosting company then fixed the hole which was the real cause of the problem, leaving the impression that it was an FTP password leak which was the actual cause (ie. your fault, not theirs).

I actually suspected that at the time, but had/have no way to prove it. I work alone in a very rural location and share this secure login information with no one, so other than some sort of lucky-guess hack, it made no sense that it was on my end. Thanks for the validation.

.....................

jtara

7:01 pm on Oct 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



FTP is not secure, though. So it doesn't matter if you shared the password with anyone or not. Anyone who could gain access to the data stream could read the password.

Who can gain access to an FTP data stream?

- Employees of your ISP
- Employees of your hosting provider
- Employees of a hotel where you might have stayed, and used their Internet access
- Employees of an Internet cafe where you might have accessed your site from
- Employees of any company that transported your data packets (e.g. backbone providers, etc.)

For "employees", above, really, substitute "anyone who has physical access", or might have hacked-into such facilities remotely.

Nobody should be using FTP to update their website, nor Telnet to access a Linux shell. Use SFTP and SSH.

If you are forced to use FTP, change passwords OFTEN.

ispy

6:07 pm on Oct 11, 2007 (gmt 0)



It appeared again today.

I think it may have to do with the Live.com crawler inserting code automatically. I may have agreed to this at some point without knowing it.

It specifies 'Microsoft Data serives Remote Data.dat'. I'm still trying to find a support number at Live.com to discuss this. Makes a nasty off-colored pixel at the top of the page, and an initial browser warning. I chickened out on posting the complete code here, I don't want anyone else hacking in.

borntobeweb

6:25 pm on Oct 11, 2007 (gmt 0)

10+ Year Member



Hmm, did you post the code at first then edit it out? I ask because when I first visited the thread in Opera, I got a super wide page with no text where the comments should be. I looked at the source code and your last message included a big chunk of code that looks like obfuscated Javascript. Just want to make sure it wasn't from some malware on my side, lol.

ispy

7:10 pm on Oct 11, 2007 (gmt 0)



What shall we use to fill the empty spaces,
Where we used to talk?
How shall I fill the final places?
How shall I complete the site?

-Pink Floyd

jtara

7:17 pm on Oct 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think it may have to do with the Live.com crawler inserting code automatically. I may have agreed to this at some point without knowing it.

Nobody can insert code automatically on YOUR site, unless you gave them the means to do so.

This might be done by:

- some sort of plugin you installed in your web server, CMS, etc. (unlikely, but possible)

- a frame or layer on your page that loads content from an external site. In this case, remove the frame or layer, and/or the reference to the external site.

What server software are you using? It wouldn't be IIS would it? A very old version of IIS? There's a 1999 security alert that might relate to this, but I don't use IIS so it doesn't make much sense to me.

Do you have any ActiveX components on your page?

SteveWh

1:40 pm on Oct 13, 2007 (gmt 0)

10+ Year Member



99% of the exploit attempts I see target PHP, taking advantage of sites where the php.ini settings are (either explicitly or by default): allow_url_fopen = On, register_globals = On, and the .htaccess file allows both the libwww-perl User-agent and URL query strings that have the string "=http://" or "=ftp://" in them.
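To turn the two checks SteveWh describes into something you can run, here is an added example (not code from the thread or from any poster): it reads a php.ini excerpt and flags `allow_url_fopen` and `register_globals` when they are On or simply unset (so the interpreter's default applies), shows the hardened values beside the weak ones, and classifies Apache combined-format access-log lines by the same two signals his `.htaccess` rules key on: a `libwww-perl` User-Agent and a query-string parameter whose value is a remote `http://` or `ftp://` URL. It goes slightly beyond the literal "=http://" string match by URL-decoding the query first, so `src=ftp%3A%2F%2F...` is caught too. The php.ini text and log lines are constructed, with documentation-range IP addresses.

```python
"""Audit php.ini for the two settings named in the thread and scan access-log
lines for remote-file-inclusion request shapes. Added example, not from the
thread; the ini excerpts and log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Settings that should be Off on a hardened host. "Unset" is reported too,
# because the interpreter's default then decides, and the poster notes that
# the default can be On.
RISKY_SETTINGS = ("allow_url_fopen", "register_globals")
ON_VALUES = {"on", "1", "true", "yes"}

WEAK_INI = """; constructed php.ini excerpt: weak configuration
allow_url_fopen = On
display_errors = Off
"""

HARDENED_INI = """; constructed php.ini excerpt: corrected configuration
allow_url_fopen = Off
register_globals = Off
display_errors = Off
"""

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, keys lowercased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_findings(text):
    """Risky keys that are On or unset, mapped to what was found."""
    settings = parse_ini(text)
    findings = {}
    for key in RISKY_SETTINGS:
        if key not in settings:
            findings[key] = "unset"
        elif settings[key].lower() in ON_VALUES:
            findings[key] = settings[key]
    return findings


def classify(line):
    """Reasons a log line looks like an RFI probe; [] if clean, ['unparsed'] if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    reasons = []
    if m["ua"].lower().startswith("libwww-perl"):
        reasons.append("libwww-perl user-agent")
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # decodes %3A%2F%2F
        if REMOTE_URL.match(value):
            reasons.append(f"remote URL in parameter {name}")
    return reasons


def scan_log(lines):
    """(line index, reasons) for every line that raised at least one reason."""
    return [(i, r) for i, r in enumerate(classify(l) for l in lines) if r]


# Constructed sample traffic: one libwww-perl probe, one normal hit, one encoded ftp:// probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2007:03:12:44 +0000] "GET /index.php?page=http://203.0.113.77/r.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [10/Oct/2007:03:13:01 +0000] "GET /feed.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:03:14:09 +0000] "GET /feed.php?src=ftp%3A%2F%2F203.0.113.77%2Fx HTTP/1.1" 404 300 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print("weak php.ini findings:    ", ini_findings(WEAK_INI))
    print("hardened php.ini findings:", ini_findings(HARDENED_INI))
    for idx, reasons in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(reasons)}")
```

A hit with a remote URL in a parameter and a 200 status against a script you had forgotten about is the log signature of the outcome the original poster reports at the end of the thread; a 404 on the same pattern is just a probe that found nothing.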

ispy

5:41 pm on Oct 16, 2007 (gmt 0)



Thanks for the help. It looks like it was an old direct product feed on our server that was forgotten 10 months ago but never deleted, so it was still alive.