I can't understand what this malicious HTML/CSS is doing

Issue

I’ve just cleaned up a friend’s e-commerce website. The hosting company had detected and removed some malware, however my friend’s customers were still reporting problems with being directed to porn sites when accessing his website. Looking over his site, it seemed that the malware had updated his web pages before it was removed, but his hosting company had not spotted these updates.

The following code had been inserted in his index.php just before the closing body tag:

<div align="justify" style='width: 1px; height: 1px; overflow: auto;'>
<a href="http://*********.org">porn terms here</a><br><a href="http://*********.com">more porn terms here</a><br>
</div>

(the asterisks are mine; there were lots more links in the original.)

I can see that this defines a 1px x 1px area at the foot of the page containing the porn links, but what is it achieving? It doesn’t seem possible for users to accidentally click on the links inside this small area. (or do some browsers overflow them to another position on the page?) Or is it just meant to send spiders etc off to these porn links?

Any suggestions gratefully received.

Solution

Google’s PageRank scores pages in part by counting the number of links to that page by other web pages. So the idea is that Google’s web crawler would find these otherwise hidden links and increase the score of the linked-to pages. Seed these links in lots of places and the target porn site will in theory show up higher in Google search results for the associated “porn terms.” I say in theory because I’ve read elsewhere that Google discounts hidden links like these.

Answered By – Kyle Jones

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published