
Spam appears inside HTML files



loamguy1
05-14-2008, 05:18 AM
I'm having a problem where on a periodic basis, spam links for viagra, xanax, etc. gets added inside a div on some of my HTML pages.

It's not on a form page. I have captcha logic to prevent form spammers. This is actual href links within a non-visible DIV getting appended to an HTML page. I removed them the first time, then a few weeks later they came back.

I don't see any javascript code on that specific page either.

Any ideas on how something like this might happen? I'm wondering if this is more of a network, rather than HTML, problem...

rmedek
05-14-2008, 05:47 AM
HTML is only a markup language. So the hackers are getting in through some other channel, maybe through a vulnerability of a script you are using on the site (maybe an outdated CMS?) or via an insecure server. Lots of possibilities, but not the HTML by itself.

Also, just because the spam isn't on the form page doesn't mean the form isn't secure…the malicious script could be getting access through that page and then writing on the others.

loamguy1
05-14-2008, 06:01 AM
HTML is only a markup language. So the hackers are getting in through some other channel, maybe through a vulnerability of a script you are using on the site (maybe an outdated CMS?) or via an insecure server. Lots of possibilities, but not the HTML by itself.

Also, just because the spam isn't on the form page doesn't mean the form isn't secure…the malicious script could be getting access through that page and then writing on the others.

The page in question doesn't get written to via the CMS, or via any other form on the site.

However, the site isn't https, so that one would be one thing to remedy, yes?

Any idea if this is possible via malicious javascript code?

rmedek
05-14-2008, 06:15 AM
The page in question doesn't get written to via the CMS, or via any other form on the site.

It doesn't matter. The malicious script could access your entire directory if it can breach another part of your website.

As for your other questions—not really, at least as far as hacking your server goes. Most malicious site-altering scripts attack a vulnerability of a server-side script, or poor password choices.

loamguy1
05-14-2008, 06:38 AM
It doesn't matter. The malicious script could access your entire directory if it can breach another part of your website.

As for your other questions—not really, at least as far as hacking your server goes. Most malicious site-altering scripts attack a vulnerability of a server-side script, or poor password choices.

Yikes, that's scary and eye-popping...

This might be a more complex discussion, but if a malicious script somehow accessed, let's say an old CMS form that didn't have captcha logic, how exactly could it write HTML to another page on the site?

I do know that the passwords in the CMS could be more secure...

CFMaBiSmAd
05-14-2008, 07:01 AM
rmedek does not appear to be online at the moment, so I'll jump in with some info.

Any server side script that does not validate all external input could allow externally supplied code to be executed by your script (in the case of a page include() function), could allow files containing code to be put anywhere on your server (in the case of an upload function), or could allow code to be put into a known file (in the case of a blog or guest book... that saves content to a .php file.) For these last two cases, you could run the php code in the file by simply browsing to the file the code is in (or having a bot script request it.)

For any of these cases, the code that is executed could alter or replace any other file.

loamguy1
05-14-2008, 04:24 PM
rmedek does not appear to be online at the moment, so I'll jump in with some info.

Any server side script that does not validate all external input could allow externally supplied code to be executed by your script (in the case of a page include() function), could allow files containing code to be put anywhere on your server (in the case of an upload function), or could allow code to be put into a known file (in the case of a blog or guest book... that saves content to a .php file.) For these last two cases, you could run the php code in the file by simply browsing to the file the code is in (or having a bot script request it.)

For any of these cases, the code that is executed could alter or replace any other file.

I'm confused.

For example, the affected page on my site is "index_main.cfm." The mysterious DIV gets appended to the bottom of the page right before the end of the <BODY> tag.

This page has some ColdFusion includes that run database select queries, but nothing that allows external user input such as a form.

Do you mean that if there's another page on the site that allows user form entry without captcha logic, that this could somehow lead to href links to appear on the index_main.cfm page?

I'm just failing to grasp the concept of how this happens I guess...

rmedek
05-14-2008, 04:37 PM
I'm confused.

Do you mean that if there's another page on the site that allows user form entry without captcha logic, that this could somehow lead to href links to appear on the index_main.cfm page?

Once again—yes.

There are a lot of ways a hacker can get into your site, a form only being one of them. The problem is you are thinking of your site as static, standalone pages separate from the world. All of your ColdFusion pages are served by and interacting with the server. The malicious script, once it's breached a page, has access to the server. It can write anything it wants anywhere it wants to.

It may not even be a breach of a page — it could be something as simple as someone cracking your FTP password.

Also, a CAPTCHA has very little to do with form security. If you're using a poorly coded form, no amount of CAPTCHA is going to stop a hacker from accessing your server.


I'm just failing to grasp the concept of how this happens I guess...

Well, for starters, you're asking in the wrong place. This is the HTML forum. If you want real help, you'll have to start posting code, a link to the page, and ask to have this moved to a more appropriate forum, like the ColdFusion forum.
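The thread's point is that once server-side code is compromised it can rewrite any file, so the practical defence is to notice when a page changes outside a deploy. The script below is an added example, not code from anyone in this thread: it hashes every .cfm/.html file under a webroot against a saved baseline and separately flags DIVs hidden with inline CSS that contain links, the exact symptom loamguy1 describes. The sample page content and the spam.invalid URLs are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample, modelled on the symptom in the thread: a hidden DIV full of
# pharmacy links appended just before </body>. Not taken from any real site.
CLEAN_PAGE = "<html><body>\n<h1>Welcome</h1>\n<div class=\"nav\"><a href=\"/about.cfm\">About</a></div>\n</body></html>\n"
SPAM_DIV = ('<div style="display:none"><a href="http://spam.invalid/viagra">viagra</a> '
            '<a href="http://spam.invalid/xanax">xanax</a></div>')
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", SPAM_DIV + "\n</body>")
# Heuristic: a DIV hidden via inline CSS (display:none, visibility:hidden or
# pushed far off-screen) whose contents include anchor tags.
HIDDEN_DIV_RE = re.compile(
    r"<div[^>]*style\s*=\s*['\"][^'\"]*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+px)"
    r"[^'\"]*['\"][^>]*>(.*?)</div>",
    re.IGNORECASE | re.DOTALL,
)
LINK_RE = re.compile(r"<a\s[^>]*href", re.IGNORECASE)

def find_hidden_link_divs(html: str) -> list[str]:
    """Return the inner HTML of every hidden DIV that carries links."""
    return [m.group(1).strip() for m in HIDDEN_DIV_RE.finditer(html)
            if LINK_RE.search(m.group(1))]

def build_baseline(webroot: Path, exts=(".cfm", ".html", ".htm")) -> dict[str, str]:
    """SHA-256 of every page, so any change not made by your own deploy stands out."""
    return {str(p.relative_to(webroot)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(webroot.rglob("*")) if p.is_file() and p.suffix.lower() in exts}

def diff_baseline(webroot: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against a stored baseline; report what moved."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict[str, list[str]]:
    """Baseline a clean webroot, replay the injection, and diff. Runs in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index_main.cfm").write_text(CLEAN_PAGE)
        baseline = build_baseline(root)
        (root / "index_main.cfm").write_text(INJECTED_PAGE)  # simulate the defacement
        return diff_baseline(root, baseline)

if __name__ == "__main__":
    print(find_hidden_link_divs(INJECTED_PAGE), demo())
```

In practice you would store the baseline JSON somewhere the web server's account cannot write, and re-run the diff from cron so a modified index_main.cfm is reported within minutes instead of weeks.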

loamguy1
05-14-2008, 04:41 PM
Ok, makes more sense. Thought I'd try posting in this forum first, but thanks all for your info and suggestions. I do appreciate it.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum