Say, moderators: Medialine hacked?

[Spike]

Well? Was it?

[HushHush]

I too want to know what happened. To have that kind of information hidden on your main page is disturbing. If it's intentionally there I'm going to have serious issues with that.

[Spike]

I seriously doubt it was intentional. But it would be interesting to know what happened.

[The Fedora]

what happened? I was away from the computer for a while...

[HushHush]

I'm afraid to say - this thread might get pulled too. Check your PM's.

[Spike]

Quote:

Originally Posted by The Fedora

what happened? I was away from the computer for a while...

ECP found some hidden links in the code on Medialine's main page. You can't see them on the page itself because they're crammed into a 2 pixel area somewhere on the page. The links are of a... um... "commercial" nature.

My guess is that the page has been hacked to put the links there to drive up the linkbacks to those sites, so that they'll register higher in search engines.

[The Fedora]

i see it... kinda scary.

[Weather The Storm]

Quote:

Originally Posted by Spike

My guess is that the page has been hacked to put the links there to drive up the linkbacks to those sites, so that they'll register higher in search engines.

I missed the "hack" but you are correct. This is a "harmless" hack that is exceedingly widespread around the internet. Wordpress blogs have been particularly hard hit with the link injection.

It poses more of an inconvenience to site owners than to anyone or anything. Google detects the hidden links and delists your site until you fix it.

Of course, the ultimate irony is that the hackers do this to insert hidden links that will result in higher google rankings for their sites, and google delists the site because of the hidden links.

<shrug> It has happened to several of my sites over the last year. A pain in the a**, yes. A conspiracy against forum users? No.

[Spike]

I think it's more funny than scary or disturbing. Sites get hacked like this all the time.

And at least this one doesn't appear to have been that malicious. Often when they do it, they embed a link that automatically loads the site after a set amount of time. You load the page, then... Surprise! It looks like these folks were just using the hack to drive up the number of links back to them without disturbing anybody's use of Medialine.

Edit: I see WTS and I are thinking along the same lines...

[Another side]

You folks have got me wishing I was a geek. Seriously. I have no idea what you're trying to tell us -- my fault, not yours -- and why it is frightening or insulting or dangerous or a pain in the rear.

[east coast producer]

I have no comment on my discovery except that I refuse to confirm or deny I discovered anything.

In entirely unrelated news, I am both awesome and a geek.

[Weather The Storm]

Quote:

Originally Posted by Spike

Edit: I see WTS and I are thinking along the same lines...

I speak from great experience - as a frustrated owner of multiple, hacked Wordpress sites, not as a threatened consumer of said sites.

No harm comes to the site consumer, and the only harm that really comes to the site owner is the drop in google traffic after they are delisted from that search engine.

[s'news]

I feel so violated.

Okay, I don't. Should I?

[Randy Steinman]

First off, thanks to ecp for bringing this to our attention.

Mark is already aware of this and will be addressing it with the IT people.

This kind of stuff is as harmless to ML posters/users as reading a shoe ad from a spam-bot. But it still needs to be addressed asap.

Edit: After temporarily closing this thread, I've re-opened it to hopefully promote insight into how some of these spam-bots and embedded links work.

Obviously, we are priviliged to have some members with some technical smarts re: these matters. Anything you can provide to educate others here is most welcome.

But I'll defer any further official MediaLine comment to Mark.

[HushHush]

I said disturbing to mean - I don't normally frequent sites that advertise pornography. Not to mean "scary". But now I see it was totally unintentional.

[Spike]

Quote:

Originally Posted by HushHush

Not to mean "scary".

Fedora was the one who used the word "scary." I just thought it was funny.

It wouldn't surprise me if those links have been there for a while. Why would you notice, unless you were a geek snooping around in the page source?

[s'news]

So have they ordered me a bunch of shoes?

[Weather The Storm]

Quote:

Originally Posted by Randy Steinman

Obviously, we are priviliged to have some members with some technical smarts re: these matters. Anything you can provide to educate others here is most welcome.

Google is the number one search engine, by far, on the internet. It is "gold" to be ranked within the top search results when a consumer turns to Google to find information.

One of the key weighting factors in the Google algorhithm when it comes to ranking sites is "How many sites link to your site". On the surface, links to websites indicate "popularity" and "authority", and so Google rewards sites with lots of links that point to them by ranking them higher in search results.

And so.

Hackers and spammers spend lots of time and money getting both legitimate and illegitimate links to their sites. Automated bots search out blogs, forums, and other websites to add comments that contain links to their sites. This is "Comment Spam".

As products like Askimet have been successfully deployed to combat comment spam, hackers became more nefarious and began exploiting weaknesses in platform publishing technologies - Wordpress, php-based forums, and other common platforms have been cracked.

Bots search the internet that find the sites that run on those platforms, and then hack the platform to hide links. The consumer and site owner can't see the links. But the Google bots that crawl the websites see the links and supposedly think "AHA! This site links to IHaveRelationsWithSheep.com. Therefore, the sheeploving site MUST be popular, and MUST appear high up in Google searches".

As mentioned previously, the irony is that the google bot understands that they are HIDDEN links that people can't see. This violates the terms of Google listings, and Google immediately stops crawling your site, and stops listing you in their search engine.

A clue to site owners: Watch your traffic logs. If you suddenly start to get all kinds of Russian referrals and vistors, be afraid. Be very afraid.

[Spike]

Quote:

Originally Posted by s'news

So have they ordered me a bunch of shoes?

They weren't that kind of website. At least, it didn't look like any of them were for shoe fetishists.

[Spike]

Quote:

Originally Posted by Weather The Storm

Hackers and spammers spend lots of time and money getting both legitimate and illegitimate links to their sites. Automated bots search out blogs, forums, and other websites to add comments that contain links to their sites. This is "Comment Spam".

Sometimes known as "Fearmonger."

[HushHush]

Google's a laugh at times though. Put in the right search words - and even my Blog comes up on the #1 spot.

[east coast producer]

That's a plausible theory, though not the only one. Given that the, um, offending code is in *every* Medialine page *except* the forum, which is coded and operated by an outside vendor, there's another possibility rather than a malicious hacker cracking passwords to gain access.

Whoever originally authored MediaLine in 1996 might have pilfered.. err.. borrowed the code from another web site, altering the content and graphics to create the MediaLine we know and love. The author might have overlooked -- or thought he had deleted -- the links (have we revealed they're porn links yet? I don't remember, so I won't mention it) -- inadvertently letting the remnants there in the template, which was then used for every MediaLine page. It wasn't until 2009 when a bored geek looked at the page source was it found.

Of course, another theory could be that the inclusion of the links is deliberate in the way of paid advertising, coded improperly so as not to be seen but, as the above poster mentioned, to improve the page ranking of the porno sites/advertisers.

Since this thread's been unlocked now to 'educate others,' I'm guessing its okay to repost an abridged version of my post from my original thread that, uh, went missing due to, um, a technical malfunction:

Quote:

Originally Posted by East Coast Producer

Excuse me while I geek out for a moment, but I was looking at the page source for today's talent, and when I got to the bottom of the code, there is this:

Quote:

The Google-analytics.com part on the top is the code that collects identifying information about the computers that access Medialine, such as the time/date, browser, screen resolution, operating system, IP address, etc. The google web address is the location of the javascript that runs that data collection, the _uacct is Medialine's account number, and the "urchintracker" is the function that makes it all happen.

The stuff below it though.. lol... is odd, to say the least. The code creates a 2-pixel tall table with those clickable links, though I can't figure out exactly where the miniscule links are. The table with the porn links might not actually display anywhere since it is incomplete -- the coder didn't close out the table/tr/td commands, but it's there and downloaded to your computer and cache, nevertheless. That porn code is also on the home page, Medialine Mall and it looks like every Medialine page except the forum code, which is run by an outside vendor.

I have NO idea what purpose that could possibly serve. I suppose it might cause Medialine to [appear] in search results for porn, but I don't see any practical use in that.

...

Clearly most of you aren't going to believe me. Do this to see for yourself: Go to medialine.com (hte main page), in your Firefox toolbar, select "View" then "Page Source." That's the HTML code that creates the page you're looking at. Scroll to the very bottom, and voila! In Internet Explorer (8.0, I don't have earlier versions), select "Page" from your toolbar then source.

On the bright side, now I can just come to Medialine for my porn instead of risking my uncle finding it.

Hugs and kisses.

[The Fedora]

Spike, I was referring to "scary" as in folks have the ability to plant things on sites without others ability to see them...

[Weather The Storm]

Quote:

Originally Posted by east coast producer

(Snip of hidden link code)

Of course, another theory could be that the inclusion of the links is deliberate in the way of paid advertising, coded improperly so as not to be seen but, as the above poster mentioned, to improve the page ranking of the porno sites/advertisers.

The code you pasted is one of the classic hacker injections. To understand how widespread this issue is, search Google for "hidden link injection hack". To attribute this code to a deliberate plot on the part of the site owner is a stretch.

It isn't at all odd that the forum is the *only* area that wasn't affected. I personally haven't been interested enough in the platform that runs this site to nose around in the source code, but if I had to guess, it is using a platform CMS like Joomla or Drupal, or some such system, to run the content outside of the PHP bulletin board (forum).

The bot would not have hacked both platforms at once. The bot would target only the specific platform that it was seeking.

[east coast producer]

Quote:

Originally Posted by Weather The Storm

As mentioned previously, the irony is that the google bot understands that they are HIDDEN links that people can't see. This violates the terms of Google listings, and Google immediately stops crawling your site, and stops listing you in their search engine.

I don't understand why you say the porn links are hidden -- from a technical point of view. I'm not arguing the fact, but I don't understand why you say they are. At worst, there's a 2px-high green table with scrolling links somewhere. The font color is not white or otherwise a background color, and the portion of code isn't commented off. That the author didn't close the table/tr/td commands, I believe, wouldn't have an effect on your browser rendering the code since that table is at the very end of the source, right before the /html. On the other hand, if the browser doesn't render the table because it's technically incomplete, I don't see how the spider would consider the site to be up to no good.

If you know more about html coding than I do, I'm curious how that code would be considered hidden to a spider that's reading it?