Is “seolink” a virus?
On my site there is a script after the body tag, both on frontend and adminhtml. I can't find where it is included:
It adds links in the header. Has anyone seen this?
magento-1.8 security
edited 47 mins ago
Glorfindel
asked Apr 8 '16 at 7:34
omelandr
3 Answers
What this is:
- a black hat SEO technique: these links are moved out of the visible area using JavaScript, to trick search engines
What it is not:
- a virus
What it can be, given you did not add the code yourself:
- the result of a hack
- something a malicious extension or theme developer added
If you did not find the code in your files and database, it's probably obfuscated. Search for "base64_decode" and "eval" in your code base and you will probably find the source.
If it is from an extension or theme, compare the code with the originally downloaded files to see if it has been added by the developers or by a hacker afterwards.
If the code is already in the original files, you are lucky under the circumstances: your server has not been compromised. But you should remove the extension/theme because it cannot be trusted.
Otherwise, please refer to "What should you do with the hacked installation?"
edited Apr 13 '17 at 12:54
Community♦
answered Apr 8 '16 at 10:22
Fabian Schmengler
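The two checks the answer above describes (searching for obfuscation calls, then comparing against the originally downloaded files), combined into one triage pass. This is an added example, not part of the original answer; the directory layout, file names and sample contents are constructed, and `gzinflate`/`str_rot13` are assumptions added to the two function names the answer gives.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# eval and base64_decode are named in the answer; gzinflate and str_rot13 are
# assumed extras. A hit means "review this file", not "malicious".
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = {".php", ".phtml"}

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(live: Path, pristine: Path) -> dict:
    """Map each PHP file under `live` to its status versus `pristine` and its pattern hits."""
    report = {}
    for f in sorted(live.rglob("*")):
        if not f.is_file() or f.suffix.lower() not in PHP_EXT:
            continue
        rel = f.relative_to(live).as_posix()
        ref = pristine / rel
        if not ref.is_file():
            status = "added"          # not in the downloaded package at all
        elif sha256(ref) != sha256(f):
            status = "modified"       # changed after installation
        else:
            status = "original"       # byte-identical to what the vendor shipped
        hits = sorted({m.group(1).decode().lower() for m in SUSPICIOUS.finditer(f.read_bytes())})
        if status != "original" or hits:
            report[rel] = {"status": status, "hits": hits}
    return report

def demo() -> dict:
    """Build a constructed pristine/live pair in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, live = Path(tmp, "pristine"), Path(tmp, "live")
        for root in (pristine, live):
            (root / "Block").mkdir(parents=True)
            (root / "Block/Head.php").write_text("<?php class Head {}\n")
            (root / "Helper.php").write_text("<?php $x = base64_decode($img);\n")
        # Constructed tampering: a line appended after deployment, and a dropped file.
        with (live / "Block/Head.php").open("a") as fh:
            fh.write("eval(base64_decode('ZWNobyAxOw=='));\n")
        (live / "cache.phtml").write_text("<?php echo 1;\n")
        return triage(live, pristine)

if __name__ == "__main__":
    for path, info in demo().items():
        print(f"{info['status']:9} {path}  {', '.join(info['hits'])}")
```

A file reported as `original` with hits corresponds to the answer's "already in the original files" case; `modified` or `added` files point to changes made on the server after installation.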
You should compare URL addresses with your website address or partners’ site address. If they don't lead to your website or any known partners’ site, this is clearly an unfair way to increase pages’ rank. Maybe one of your developers added them. In any case, if you are not using them, the best solution would be to remove them. Such a promotion can negatively influence your website rank and is unlikely to bring any benefits.
answered Apr 8 '16 at 9:25
MageWorx
I would start by thinking if I recognize those domains and what those Cyrillic characters mean :).
If they don't look familiar to you, check your explorer; maybe it is just an extension injecting "cool" stuff on the page. Of course, check your code base also, roughly.
And to answer your question: no, I haven't seen it before.
answered Apr 8 '16 at 7:46
davidmpaz
Cyrillic characters are advertising clothing. I've tried to find it in the database and files, but not found.
– omelandr
Apr 8 '16 at 7:53