Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By tramsaal on
While bulding a theme for a new website I noticed incjected code between head and body tags. I could only see it with Google Chrome Developer Tools, page source doesn't show it, so I suppose it is injected with javascript. I didn't see anything in my template files so I guess it has to be one of the installed modules.
At first I thought that my website has been breached but then I found the same code in the other website I've been working on during last few weeks. They are in different servers, one is hosted in Estonia, the other in Netherlands and for the second one, I am the only one with file system access. The third website, which I built about a month ago, doesn't have this code.
This is not really my field but I see two possibilities:
1) my computer has been breached and someone has taken the time to find my work folders for the drupal sites I'm working on and injected the code there.
2) one of modules I'm using has been tampered with
I'm not very good with javascript but as I understand it is possible to achieve what I described with only few lines of code. Can anyone suggest the easiest way how to find out what is going on?
I copy here the beginning and the end of the code.
the beginning:
</head>
<style type="text/css">#AdContainer,#RadAd_Skyscraper,#ad-frame,#bbccom_leaderboard,#center_banner,#footer_adcode,#hbBHeaderSpon,#hiddenHeaderSpon,#navbar_adcode,#rightAds,#rightcolumn_adcode,#top-advertising,#topMPU,#tracker_advertorial,.ad-now,.dfpad,.prWrap,[id^="ad_block"],[id^="adbrite"],[id^="dclkAds"],[id^="ew"][id$="_bannerDiv"],[id^="konaLayer"],[src*="sixsigmatraffic.com"],a.kLink span[id^="preLoadWrap"].preLoadWrap,a[href^="http://ad."][href*=".doubleclick.net/"],a[href^="http://adserver.adpredictive.com"],div#FFN_Banner_Holder,div#FFN_imBox_Container
and the end:
a[href^="http://www.friendlyduck.com/AF_"],a[href^="http://www.google.com/aclk?"],a[href^="http://www.liutilities.com/aff"],a[href^="http://www.liutilities.com/products/campaigns/adv/"],a[href^="http://www.my-dirty-hobby.com/?sub="],a[href^="http://www.ringtonematcher.com/"],#mbEnd[cellspacing="0"][cellpadding="0"][style="padding: 0pt;"],#mbEnd[cellspacing="0"][style="padding: 0pt; white-space: nowrap;"],div#mclip_container:first-child:last-child,div#tads.c,table.ra[align="left"][width="30%"],table.ra[align="right"][width="30%"] { visibility:hidden !important; display:none !important; }</style>
Comments
Never mind, it turned out to
Never mind, it turned out to be chrome's ad-blocker :-)
I use chrome almost exclusively for web development and had forgotten completely that at one point I had installed it.
Sorry about the false alaram.
Security
The code is probably from AdBlock in your Chrome browser, which is easily discovered with a simple Google search. In order to block ads, AdBlock looks for common fingerprints of ad components and sets the display:none CSS value.
In the case of actual security issues: There is a documented process for reporting security issues, and posting randomly in the forums is NOT that process.