07-24-2010 08:03 AM
I'm running Apache web server and named on the internet, but do local access through 192.168.1.xxx type links. The links appear on the thus served out.
Has my server been hacked?
I've looked at running processes and don't see anything unusual. I rebooted the server.
My concern is that my server may be serving out spam ads.
07-24-2010 10:51 AM
I unplugged my router from the DSL modem. My Apache server still serves out local pages. The ad links are gone.
I plugged my router back in to the DSL modem. Double underline ads then appear on my own pages served out from my own local server.
07-24-2010 11:04 AM
The code is normally at the end of the HTML file, just before the tag. It should look somewhat like this:
<!-- start Vibrant IntelliTXT script section -->
<!-- end Vibrant IntelliTXT script section -->
See Vibrant Media's instructions for implementing IntelliText:
(For removal, simply reverse the instructions.)
Ask your web content designer (or whoever makes the decisions about the web content) if this is intentional and appropriate.
- The intellitext.com/kontera.com maintainers can get information about the usage patterns of your internal website, through the referrer information passed by the client browser when fetching the ads. This can be considered an information leak.
- Who gets the revenue from this ad campaign? (If this is the web content designer's own idea, does the money go straight into his/her pocket?)
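Added example, not part of the original thread: a Python check that compares an HTML file as stored on disk with the same page as delivered to a client, reporting the IntelliTXT section markers and any script hosts that appear only in the delivered copy. The ad host names are taken as spelled in the post above; the function names and the two sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Ad hosts as spelled in the thread; subdomains are matched too.
AD_HOSTS = ("intellitext.com", "kontera.com")
MARKER = re.compile(
    r"<!--\s*(?:start|end)\s+Vibrant IntelliTXT script section\s*-->", re.I)

class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def script_hosts(html):
    """Hosts of externally loaded scripts (relative URLs have no host)."""
    parser = ScriptSources()
    parser.feed(html)
    hosts = (urlparse(src).hostname for src in parser.sources)
    return {h.lower() for h in hosts if h}

def is_ad_host(host):
    return any(host == ad or host.endswith("." + ad) for ad in AD_HOSTS)

def audit(on_disk, served):
    """Compare the stored file with the copy a client received."""
    disk, wire = script_hosts(on_disk), script_hosts(served)
    return {
        "marker_on_disk": bool(MARKER.search(on_disk)),
        "marker_served": bool(MARKER.search(served)),
        "ad_hosts_on_disk": sorted(h for h in disk if is_ad_host(h)),
        "hosts_only_in_served": sorted(wire - disk),
    }

# Constructed sample pages: the stored file is clean, the delivered copy is not.
SAMPLE_ON_DISK = "<html><body><p>Home</p><script src='/js/site.js'></script></body></html>"
SAMPLE_SERVED = SAMPLE_ON_DISK.replace(
    "</body>",
    "<!-- start Vibrant IntelliTXT script section -->"
    "<script src='http://kontera.com/constructed.js'></script>"
    "<!-- end Vibrant IntelliTXT script section --></body>")

if __name__ == "__main__":
    print(audit(SAMPLE_ON_DISK, SAMPLE_SERVED))
```

A marker or ad host found on disk means the script is part of the site's own content; one found only in the delivered copy means it was added somewhere after the file was read.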
07-24-2010 01:54 PM
I think I know what may be happening. I suspect that after viewing a page that has the code that summons the JavaScript, the script stays active in the computer memory.
Subsequent pages that do not have the JavaScript summoning code are nevertheless text linked.
07-28-2010 07:56 AM
I discovered unusual activity by my name server, named. Its purpose is to serve my local non-routed network.
About every three seconds it sends a packet even though no local requests are made to it.
My logs show no activity from IntelliTEXT.
Does anyone know of spam activity involving compromise of name server and double underline ads on text?
07-29-2010 03:56 AM
Shut down name server and use HOSTS file for local network nameserver. Double underline ads are gone.
Just as a heads up. There is a spammer who uses named to send double underline link spam.
Will configure named to run in chroot jail, but doubt that this will help. The compromise to named seems to be overflow of the named input buffer.
Does anyone know of a packet sniffer that can capture packets going to the bind port 53?