Found Unwanted Links in our Contents - How to stop link insertion

Hi,

I found some unwanted links in our contens. Notice one thing that these links are appear in dynamic contents (Which are submitted from admin panel) for example Faq details, New and update of page.

When i submit details then all things are looking fine but after few days or weeks then i check contents then found some unwanted links which are not appearing on site because either in style hidden attribute or font size is 0, these will appear only in admin panel source code.

Example

<p><a href="https://www.kidneystonesclinic.in/" style="font-size:0px;">Best Nephrology &amp; Urology Hospital in Chennai</a></p>

Code (markup):

How can i stop these types of issue.

 

Is there any way to check code ..... There are multiple file .... One more thing i want to say that links are inserted only in those contents which are adding dynamically ..... if we write on any static page then all things are fine.

If any suggestion then please let me know to clean all script fastly.

 

No, its not in wordperss. Site is in PHP custom code.

Let me check all folder about unknown PHP file. Thanks for idea.

 

I suspect the links are added via a Javascript code on the client side. TO test, try disabling Js.

If this was a WordPress website, I would have told you to install Wordfence Plugin and use it to scan the website.

But since it is a custom PHP website, I will prefer going through the code manually. I usually do not trust automated tools to remove every single malicious code.

Let me know if you need further assistance with the 2nd option

 

One big way to help clean up a compromised site is to make a local install of the same software clean -- assuming you have original uncompromised files, which ANY project should maintain -- and then just compare filesizes. Any file that doesn't match is suspect.

Checking the "modified" date on the files can help too.

But if you've done any number of dumbass things -- not maintaining a baseline clean-room copy of the code, editing the code online on the live copy, etm -- you may be screwed and have to go through one file at a time.

There are a lot of good practices to set up ahead of time to recover from problems like this. It's sad so many people ignore them and go "we'll be fine."

 

Thanks for suggest your best ideas.

Please suggest me for one more doubt. As you are saying that there will be some suspected file may be JS or PHP but if i change complete website design, So all CSS, JS file will be changed completely. Will it help me to protect my site from that unwanted script? I think there is not issue with same database.

 

There is the question of how they got in to crack you in the first place. If it's a flaw in the code they exploited, you're just going to get hacked again.

Replacing with an off the shelf answer is often no better, as there is "security through obscurity". You look at wordpress vulnerabilities for example, a literal list of all the major well known hacks in the CVE:

https://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

There are holes found and exploited all the time. Custom software depending on how and who coded it can be as bad, or it can be a thousand times better.

One thing to consider is how old is the server-side code? How reliant is the site on client-side scripting? Are you running older versions of the server-side language -- like PHP -- because the script won't run on newer versions?

One thing I'm always telling clients is to be prepared for complete rewrites and/or code audits every three to five years. Because the underlying languages change, because new exploits that haven't even been dreamed of yet crop up. To expect any software to last longer than five years without constant updates, code reviews, and possibly even starting over from scratch is naive, unrealistic, and little more than wishful thinking.

In terms of age alone, it might be time to start over from scratch... but I'd have to see the code in question to say for sure. You might simply be past its "fresh by" date.

Particularly if the site(s) in question are anything like the ones in your signature, where the front-end "Design" and code is itself a disaster with illegible white on sky blue, cloaked content guaranteed to get you pimp slapped clear off of search, p + strong doing H3's job, redundant P inside LI, redundant code-bloat title attributes, incomplete forms, gibberish use of numbered headings, content overload, incomplete tables... A lot of that kind of scary given they're sites for peddling SEO whilst being coded the opposite of good practices.

If it's anything like those, it's time to rethink your inks and start over.