technobear — 2011-09-15T12:18:09-04:00 — #1
I've just been asked to do a complete revamp of a site built by somebody else. I've been taking a look to see what's there, and found a (to me) very odd construction. There are a series of small images, which one clicks for the larger image - except that it doesn't work like that and I've never seen this technique anywhere. The HTML reads
The .html file referenced in the <img> tag contains
<meta http-equiv="refresh" content="0;url=http://**.***.***.**/" />
followed by a vast array of numbers, in groups of three, commented out in the HTML. There is a separate file for each image, but the content is identical, as far as I can see.
Clicking the small image opens the URL in a new window. There are no images, just a series of links. I've checked the IP address of the URL in hpHosts Online, and it's associated with a long list of dodgy sites.
My question is basically: was this ever a genuine method to display a large image, or has the site been hacked at some point, or what?
felgall — 2011-09-15T15:38:47-04:00 — #2
technobear — 2011-09-15T16:57:10-04:00 — #3
Thank you for that reassurance. In that case, it fits nicely with the rest of the site, which has been written by somebody with only a hazy notion of HTML.
scallioxtx — 2011-09-15T18:14:32-04:00 — #4
Looking at that snippet you're probably better off ditching all existing code and start over from scratch. That will probably be less work than trying to fix what's already there (unless we're talking about a very, very large website of course).
And yes, that weird URL stuff looks like the site was hacked / tampered with. Putting a .html as an img src filled with crap has the smell of black hat "SEO" all over it.
mmj — 2011-09-16T02:41:48-04:00 — #5
Looks like the site was hacked at one point.
Look at it this way:
- The pages don't actually work
- The pages containing the dodgy redirects otherwise contain large lists of dodgy sites.
technobear — 2011-09-16T08:38:02-04:00 — #6
I'd already reached the same conclusion. For a start, it's using a table for layout, but the one part of the site that contains tabular data is not marked up as a table. It's marked up as a series of <ul>s, each containing a single <li>. All very odd.
Ah, now that was what I was afraid of. As yet, I don't have access to the server to see if there's any other evidence of foul play but that stuff set my alarm bells ringing.
@mmj Thanks for confirming the suspicion.