Double underline ads (98 Views)
Reply
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 1 of 10 (98 Views)
Accepted Solution

Double underline ads

Web pages served out by my web server have double underline links added to text on the pages. I researched and found that Vibrant Media created the technology and that intellitext.com and kontera.com serve out the spam ads so linked.

I'm running Apache web server and named on the internet, but do local access through 192.168.1.xxx type links. The links appear on the thus served out.

Has my server been hacked?

I've looked at running processes and don't see anything unusual. I rebooted the server.

My concern is that my server may be serving out spam ads.
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 2 of 10 (98 Views)

Re: Double underline ads

Update:

I unpluged my router from the DSL modem. My Apache server still serves out local pages. The ad links are gone.

I pluged my router back in to the DSL modem. Double underline ads then appear on my own pages served out from my own local server.
Please use plain text.
Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 3 of 10 (98 Views)

Re: Double underline ads

As far as I understand, those ads are based on small piece of HTML included on the page source, that tells the browser to load from intellitxt.com the javascript that adds the advertisements to the content. So it is the client browser that does most of the work.

The code is normally at the end of the HTML file, just before the tag. It should look somewhat like this:

< !-- start Vibrant IntelliTXT script section -- >
< script type="text/javascript" src="http://yourdomain.us.intellitxt.com/intellitxt/front.asp?ipid=1234">< /script >
< !-- end Vibrant IntelliTXT script section-- >

See the Vibrant Media's instructions for implementing IntelliText:
http://www.vibrantmedia.com/publishers/implementation.asp
(For removal, simply reverse the instructions.)

Ask your web content designer (or whoever makes the decisions about the web content) if this is intentional and appropriate.

Counter-arguments:

- The intellitext.com/kontera.com maintainers can get information about the usage patterns of your internal website, through the referrer information passed by the client browser when fetching the ads. This can be considered an information leak.

- Who gets the revenue from this ad campaign? (If this is the web content designer's own idea, does the money go straight into his/her pocket?)

MK
MK
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 4 of 10 (98 Views)

Re: Double underline ads

Thanks, that's good to know. However, I wrote the html code for web pages that I see the ads on. I'll check the pages to see if they were somehow hacked.
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 5 of 10 (98 Views)

Re: Double underline ads

I looked at the web page source html of a page that I see the ads on. I didn't find any thing extra in it.

I'll write a test page that's very short and see how that works.
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 6 of 10 (98 Views)

Re: Double underline ads

Update:

I think I know what may be happening. I suspect that after viewing a page that has the code that summons the java script, the script stays active in the computer memory.

Subsequent pages that do not have the java summoning code are never-the-less, text linked.
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 7 of 10 (98 Views)

Re: Double underline ads

Update:

I discovered unusual activity by my name server, named. It's purpose is to serve my local non-routed network.

About every three seconds it sends a packet even though no local requests are made to it.

My logs show no activity from IntelliTEXT.

Does anyone know of spam activity involving compromise of name server and double underline ads on text?
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 8 of 10 (98 Views)

Re: Double underline ads

Update:

Shut down name server and use HOSTS file for local network nameserver. Double underline ads are gone.

Just as a heads up. There is a spamer who uses named to send double underline link spam.

Will configure named to run in chroot jail, but doubt that this will help. The compromise to named seems to be overflow of the named input buffer.

Does anyone know of a packet sniffer that can capture packets going to the bind port 53?
Please use plain text.
Honored Contributor
Patrick Wallek
Posts: 13,735
Registered: ‎06-21-2000
Message 9 of 10 (98 Views)

Re: Double underline ads

Wireshark should be able to catch these.
Please use plain text.
Trusted Contributor
Vernon Brown_4
Posts: 349
Registered: ‎01-19-2004
Message 10 of 10 (98 Views)

Re: Double underline ads

Thanks Patrick; I'll give it a try.
Please use plain text.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation