I just found some hidden links when i was looking in the source code for a site i am building i Joomla when i found som hidden spam links.

I have used an hour trying to find them within some of the template files without luck. the links are following (from html source code):

<div id="jxtc-zt"><a href="/" target="_blank" 
title="достопримечательности Европы">достопримечательности Европы</a></br><a 
href="/" target="_blank" title="шаблоны Joomla 3.5">шаблоны  Joomla
3.5</a></div>

And this:

</div><div id="jxtc-zt"><a href="/" target="_blank" 
title="Battlefield 4">Battlefield 4</a><br><a href="/" 
target="_blank" title="минеральные воды">минеральные воды</a></div></div></div>

Have you any suggestions how to find out where they are created?

It is probably obfuscated in some way?

Thanks

I just found some hidden links when i was looking in the source code for a site i am building i Joomla when i found som hidden spam links.

I have used an hour trying to find them within some of the template files without luck. the links are following (from html source code):

<div id="jxtc-zt"><a href="http://magical-place.ru/" target="_blank" 
title="достопримечательности Европы">достопримечательности Европы</a></br><a 
href="http://joomla-master/" target="_blank" title="шаблоны Joomla 3.5">шаблоны  Joomla
3.5</a></div>

And this:

</div><div id="jxtc-zt"><a href="http://battlefield4..ua/" target="_blank" 
title="Battlefield 4">Battlefield 4</a><br><a href="http://www.absolut.vn.ua/" 
target="_blank" title="минеральные воды">минеральные воды</a></div></div></div>

Have you any suggestions how to find out where they are created?

It is probably obfuscated in some way?

Thanks

• php
• javascript
• html
• css
• joomla

• Could be hacked.. could be a script injecting this html after the loading of the page.. – Gabriele Petrioli Commented Dec 20, 2012 at 23:45
• Could also be a browser plugin. Some Chrome extensions like to insert ads like the ones you're seeing. – Martijn Hols Commented Dec 20, 2012 at 23:49
• Are they actually in the source of the HTML document being served or are you looking at it through some sort of DOM inspector (Firebug, Dragonfly, etc.)? – cimmanon Commented Dec 20, 2012 at 23:50
• they appear in there when i am using Firebug. – Jesper Rix Commented Dec 20, 2012 at 23:55
• First div blog appears between article_header and article_text and the second blog is just after a class called pager pagenav if it tells you something – Jesper Rix Commented Dec 20, 2012 at 23:57

3 Answers 3

Had the same problem, but found the solution.

The code is indeed hidden within the template under template_name\html\_content\article\default.php. The text is encoded using base64 and I had 2 instances in mine, 1 for before the article and one at the end. The code used is:

<?php  if (!$params->get('show_intro')) :
    echo $this->item->event->afterDisplayTitle;
endif; ?><?php
$mgp='PGRpdiBpZD0iamItYmYiPjxhIGhyZWY9Imh0dHA6Ly9tYWdpY2FsLXBsYWNlLnJ1LyIgdGFyZ2V0PSJfYmxhbmsiIHRpdGxlPSLQvtGC0LfRi9Cy0Ysg0YLRg9GA0LjRgdGC0L7QsiI+0L7RgtC30YvQstGLINGC0YPRgNC40YHRgtC+0LI8L2E+PGJyPjxhIGhyZWY9Imh0dHA6Ly9qb29tbGEtbWFzdGVyLm9yZy8iIHRhcmdldD0iX2JsYW5rIiB0aXRsZT0i0YDQsNGB0YjQuNGA0LXQvdC40Y8gSm9vbWxhIDMuNSI+0YDQsNGB0YjQuNGA0LXQvdC40Y8gSm9vbWxhIDMuNTwvYT48L2Rpdj4=';
echo base64_decode($mgp);?>

I simply removed the code from the 2nd

<?php ~ through to ?>

in both links.

If you can't find word "Battlefield" in any of site's documents, try searching for (without quotes) :

"QmF0dGxlZmllbGQ=" (Base64 representation), 
"426174746c656669656c64" (Hexademical representation),
"Battlefield" (ASCII).

These would be most mon ways to encode it.

If still no luck, then locate the code manually: delete small chunks of code in the main template file ( index.php most monly ) and watch, if the unwanted link disappeared after delete. If it did - you have found the code, that is responsible for it.

For those who have similar problems, I'd like to suggest a thorough solution.

A binary searching tool, like "Text-Crawler" or "String Finder" (for windows) es handy, and then search for the "most unmon word from the whole unwanted text" in the root folder.

Next as "Jevgeni Boga~" pointed out in the above answer, try to search for the hashed form of those strings, which could be base64,hexadecimal,aasci.

Now if you are still not able to zero in on the exact code, there is quiet a possibility that the hidden code is being fetched from te database rather than a file, so your next place to search is your database, and its quiet easy to perform a string search through "phpmyadmin" .

All you need to do is go the "phpmyadmin home" then select "your database" then select "search"....

Words or values to search for :=> "most unmon word from the injected code"

Find:=> Leave default (at least one of the words)

Inside tables :=> Choose Select All Inside column:=> Leave blank..

Now if your "unwanted code" was hidden inside database, then you most probably shall get to it.

Now there is also a possibility as someone stated above, that the code as being injected by some script after the loading of the page, well you could be sure that this isn't the case, by disabling the javascript in your browser...

There are various other things to look out for... Like to check whether the code is in text format or is it just an image of the text... then if thats the case maybe then you have to look for that file like .jpg or .png... furthermore the image could also be parsed from the CSS using the "URLdata:image/png;base64" method...

or Lastly just search for the "iframe" tag, maybe that's iframed from some other source.