Security problem - What do I do wrong?

I have a pretty unexpected issue and can't understand where it comes from. At the bottom of my elgg pages some advertising appears. I'm not sure, but probably this is the link inserted in my pages:

<script type="text/javascript" src="http://website_address/cache/js/default/photos/tidypics.1349962863.js"></script>

Then it's changed to

<script type="text/javascript" src="http://website_address/cache/js/default/thewire.1349965175.js"></script>

This is the last piece of code on the page.

My questions are: How did they put it on my pages, and how do I remove it? Does it come with a plugin, or does somebody else have access to my elgg site?

Will appreciate any suggestions.

 

  • That's javascript from plugins - tidypics and thewire - it's not the source of your ads.  If you're using free hosting the ads may be injected by your host.

  • This is paid hosting (1and1.com) and all the other websites have no such ads. One is built on Joomla, one on Wordpress. Only the one on Elgg has this problem. This is definitely spam (or hacking), I just can't understand how it is possible. The website went to about 400 visitors per day when those ads started to appear. I couldn't figure out how to get rid of it, so I wiped out the site and the DB and started from scratch. On the third day those ads appeared again.

    So, this is either my mistake in settings or some plugin giving access to the root. What could it be?

    For now the ads appear only with IE, not in other browsers (maybe you should check your Elgg sites too :o) ) and only when I log in not as admin, but as a different user.

    Since the ads are from b.adnxs.com (tracking service), I thought maybe I have a virus on my computer? If this is the case, why does it work only with Elgg?

  • Could be a plugin, could be the server, it's likely not elgg core unless you have someone who's found an unknown weakness.  Look at the page source to find what's actually calling the ads, then grep your codebase to see if it's in a plugin.  If not, search your database to see if it's something that's in content - htmlawed should strip them but a plugin can go out of its way to bypass it.

  • Could you show screenshots of the advertising?

    I found some hosting that actually inserts ads or some scripts if you use an automated installer to install elgg or any other framework

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • There is the link to the advertisement screenshot

    http://123a1.com/sc1.jpg

     

    There is the link to the end of my pages

    http://123a1.com/sc2.jpg

  • <script type="text/javascript" src="http://website_address/cache/js/default/thewire.1349965175.js"></script>  .

     

    This is the default wire plugin's JavaScript extension in the footer.

    You can see the code in mod/thewire/start.php

        // register the wire's JavaScript
        $thewire_js = elgg_get_simplecache_url('js', 'thewire');
        elgg_register_simplecache_view('js/thewire');
        elgg_register_js('elgg.thewire', $thewire_js, 'footer');

    Also I found that you are using the Ads plugin of mine and you have configured the Ads. It is extending the footer and showing the ads.

  • How about this in your head section... mod/Ads/ seems pretty indicative:

    <script type="text/javascript" src="http://1.b2bt.org/mod/Ads/js/jquery.jshowoff.min.js"></script>
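
Added example, not part of the thread or of Elgg's code: the page-source check suggested in the replies above, listing every script a page loads and whether it comes from a plugin directory (`mod/<name>/`), a cached Elgg view, or another host. The sample page, the host `ads.example.net` and the function names are constructed for illustration; `website_address` is the placeholder used in the question.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. website_address is the placeholder from the thread;
# ads.example.net is a made-up third-party host.
SAMPLE_PAGE = """
<html><head>
<script type="text/javascript" src="http://website_address/mod/Ads/js/jquery.jshowoff.min.js"></script>
</head><body>
<script src="http://ads.example.net/tag.js"></script>
<script type="text/javascript" src="http://website_address/cache/js/default/thewire.1349965175.js"></script>
</body></html>
"""

class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag, in page order."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def classify(html, site_host):
    """Return (src, kind, name) per script, saying where each one is served from."""
    parser = ScriptSources()
    parser.feed(html)
    rows = []
    for src in parser.sources:
        url = urlparse(src)
        mod = re.search(r"/mod/([^/]+)/", url.path)
        cache = re.search(r"/cache/js/[^/]+/(.+)\.\d+\.js$", url.path)
        if url.netloc and url.netloc != site_host:
            rows.append((src, "third-party", url.netloc))    # not this site
        elif mod:
            rows.append((src, "plugin-dir", mod.group(1)))   # served from mod/<plugin>/
        elif cache:
            rows.append((src, "cached-view", "js/" + cache.group(1)))  # simplecache view
        else:
            rows.append((src, "other", url.path))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE_PAGE, "website_address"):
        print(row)
```

A `plugin-dir` or `third-party` row you did not expect gives the name to grep for under `mod/`, and then to search for in the database.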


  • To Satheesh PM: if I get it right, something is not so right in the Ad plugin, something is changed there, right?  And if I deactivate it (temporarily) or reinstall it, it may help? Or didn't I get it right?

  • To Matt Beckett: Thank you very much for the code. Right now I put the code in the header and deactivated the Ad plugin, and the ads disappeared; I don't know what helped. Since the Ad plugin is very convenient for me - I'm using it to provide different information to visitors - I will try to figure out what it was.

    Thanks a lot to all of you, I didn't know what to do with it.

  • I think you misunderstood, I was proving to you that you were using the ads plugin, and that's where the ads were coming from.