topic Re: Double underline ads in Operating System - Linux

Double underline ads

Vernon Brown_4 — Sat, 24 Jul 2010 15:03:08 GMT

Web pages served out by my web server have double underline links added to text on the pages. I researched and found that Vibrant Media created the technology and that intellitext.com and kontera.com serve out the spam ads so linked.

I'm running Apache web server and named on the internet, but do local access through 192.168.1.xxx type links. The links appear on the thus served out.

Has my server been hacked?

I've looked at running processes and don't see anything unusual. I rebooted the server.

My concern is that my server may be serving out spam ads.

Re: Double underline ads

Vernon Brown_4 — Sat, 24 Jul 2010 17:51:14 GMT

Update:

I unpluged my router from the DSL modem. My Apache server still serves out local pages. The ad links are gone.

I pluged my router back in to the DSL modem. Double underline ads then appear on my own pages served out from my own local server.

Re: Double underline ads

Matti_Kurkela — Sat, 24 Jul 2010 18:04:57 GMT

As far as I understand, those ads are based on small piece of HTML included on the page source, that tells the browser to load from intellitxt.com the javascript that adds the advertisements to the content. So it is the client browser that does most of the work.

The code is normally at the end of the HTML file, just before the tag. It should look somewhat like this:

< !-- start Vibrant IntelliTXT script section -- >
< script type="text/javascript" src="http://yourdomain.us.intellitxt.com/intellitxt/front.asp?ipid=1234">< /script >
< !-- end Vibrant IntelliTXT script section-- >

See the Vibrant Media's instructions for implementing IntelliText:
http://www.vibrantmedia.com/publishers/implementation.asp
(For removal, simply reverse the instructions.)

Ask your web content designer (or whoever makes the decisions about the web content) if this is intentional and appropriate.

Counter-arguments:

- The intellitext.com/kontera.com maintainers can get information about the usage patterns of your internal website, through the referrer information passed by the client browser when fetching the ads. This can be considered an information leak.

- Who gets the revenue from this ad campaign? (If this is the web content designer's own idea, does the money go straight into his/her pocket?)

MK

Re: Double underline ads

Vernon Brown_4 — Sat, 24 Jul 2010 19:20:44 GMT

Thanks, that's good to know. However, I wrote the html code for web pages that I see the ads on. I'll check the pages to see if they were somehow hacked.

Re: Double underline ads

Vernon Brown_4 — Sat, 24 Jul 2010 19:49:33 GMT

I looked at the web page source html of a page that I see the ads on. I didn't find any thing extra in it.

I'll write a test page that's very short and see how that works.

Re: Double underline ads

Vernon Brown_4 — Sat, 24 Jul 2010 20:54:33 GMT

Update:

I think I know what may be happening. I suspect that after viewing a page that has the code that summons the java script, the script stays active in the computer memory.

Subsequent pages that do not have the java summoning code are never-the-less, text linked.

Re: Double underline ads

Vernon Brown_4 — Wed, 28 Jul 2010 14:56:45 GMT

Update:

I discovered unusual activity by my name server, named. It's purpose is to serve my local non-routed network.

About every three seconds it sends a packet even though no local requests are made to it.

My logs show no activity from IntelliTEXT.

Does anyone know of spam activity involving compromise of name server and double underline ads on text?

Re: Double underline ads

Vernon Brown_4 — Thu, 29 Jul 2010 10:56:24 GMT

Update:

Shut down name server and use HOSTS file for local network nameserver. Double underline ads are gone.

Just as a heads up. There is a spamer who uses named to send double underline link spam.

Will configure named to run in chroot jail, but doubt that this will help. The compromise to named seems to be overflow of the named input buffer.

Does anyone know of a packet sniffer that can capture packets going to the bind port 53?

Re: Double underline ads

Patrick Wallek — Thu, 29 Jul 2010 14:35:52 GMT

Wireshark should be able to catch these.

Re: Double underline ads

Vernon Brown_4 — Thu, 29 Jul 2010 15:02:38 GMT

Thanks Patrick; I'll give it a try.