Malicious Advert Link In My Pages

Though my site is scanned and appears clean by various scanners, I have some links to 2 ads on my pages, and I don't know how they got there. They are not showing in view source for the page. Can anyone help me find them and remove them? I have pasted images of the links so they are not linked.

First one (you can see the page it looks like it should be on): https://www.hivis.co.uk/hi-visibility/hi-vis-jackets.html

I did add a link for a dev to CMS magazine a while back and am unsure if this has anything to do with it.

Thanks

John

malicious 1.JPG

maliscious 2.JPG

The adplexmedia is associated with your American Express/PayPal image. I can't find the other one.

Edit: It's actually an iframe, not the image. Frame info shows this link https://www.multimatrimony.com/js/jQueryAddon.php?t=1. Here's the source.

cheers Tool

You should probably contact the CS-Cart team to inspect this.

I could not find the kuaptr.com link on your site.

If you can still see it, please contact tech support.

One possible case: it could be an XSS link when you open your site page via a link from an email or some forum.

I disabled the block for that image imac, I will contact support

John, it's not the PayPal image, as I re-stated in my first post. There is something along the entire right side of your page. I think it has something to do with the page up?

Seems like malware

https://malwr.com/analysis/NjlmMWUxZDBjYjY2NDA3OGI4MTg4ODEwZjcxZTJjOTI/

Sorry, I thought you meant the Amex image. I'll give it a look, cheers.

Disabled the easy scroll. Do you still see it, tool?

John

It's no longer along the entire right side but it is still at the bottom right side. Just hover in the area and you will see it.

I just discovered that it's on the bottom left too but you can only see it with the browser inspector.

Thanks tool,

Update this morning: CS support have said they have sorted it for me.

We have examined this issue. The malicious code was added into the js/tygh/product_image_gallery.js. We have backed up your file and uploaded the original one. Now the issue does not reproduce.

Please check it and let me know the result.

Next question: how did it get there, and how do I shore it up so it doesn't happen again? Is it something I've done, or was it part of the image gallery addon?

I've changed all passwords etc.


Hi, you should enable mod_security on your server. It will help to block most spammers and hackers from putting injection code into your files or creating new files with malicious code.

I've taken a look at your server.

Looks like all js files were changed or uploaded on Nov 4, 2016. Besides, as far as I can see, permissions on these files are OK.

But I see some other suspicious files on your server, like json_post.php. Also there is prepare.php, why?

So my recommendation is to clear all the odd files and after that change all passwords once again.

Please use Changes Detector in order to make sure you don't have some other suspicious changes.
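
The check recommended above (find changed files and files that do not belong) can also be done by hand. This is an added example, not part of the original posts and not CS-Cart's Changes Detector: it hashes the live webroot against a clean copy of the same release, since modification dates alone can be reset. It assumes you have such a clean copy unpacked; the file contents in `demo()` are constructed, and `unchanged_example.js` is a made-up name.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED = {".js", ".php"}  # the file types involved in this thread


def digests(root: Path) -> dict:
    """Map relative path -> SHA-256 for every watched file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED
    }


def compare(clean_root, live_root) -> dict:
    """Diff the live webroot against a clean copy of the same release."""
    clean, live = digests(Path(clean_root)), digests(Path(live_root))
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "unknown": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def demo() -> dict:
    """Constructed sample trees: names follow the thread, contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js/tygh").mkdir(parents=True)
            (root / "js/tygh/product_image_gallery.js").write_text("// gallery\n")
            (root / "js/tygh/unchanged_example.js").write_text("// untouched\n")
        # Simulate one tampered script and two files the release never shipped.
        with open(live / "js/tygh/product_image_gallery.js", "a") as fh:
            fh.write("// appended by a third party\n")
        (live / "json_post.php").write_text("<?php // not in the release\n")
        (live / "prepare.php").write_text("<?php // leftover from an old version\n")
        return compare(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind:9} {name}")
```

Files reported as `unknown` are not automatically malicious (add-ons and uploads also land there), but each one should be accounted for before it stays on the server.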

Not sure about json_post.php; it says WordPress info in it, so I have downloaded that.

prepare.php is probably left over from CS v 2.12.

There is also a file on there, private.php, from 20th Feb 2017. It looks like a PHP test script. Can this be removed?

http://prntscr.com/esnnyo

Thanks for taking a look