<div dir="ltr">You'll likely find it's in a .htaccess rewriting via a php file. Had a few customer sites with that happen. Tends to set a cookie, so you'll only see it on first visit. Or in a few cases, ONLY web crawlers will see it. So visitors will never see it, but google crawler sure will!</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On 8 July 2014 12:10, Zone Networks - Joel <span dir="ltr"><<a href="mailto:joel@zonenetworks.com.au" target="_blank">joel@zonenetworks.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-AU" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If you are not seeing the injection in the physical file and modified date is pretty old..<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Than sounds like Apache level injection.. you wont see the injection in the code as its done at the web server level<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>] <b>On Behalf Of </b>Cameron Murray<br>
<b>Sent:</b> Tuesday, 8 July 2014 12:03 PM<br><b>To:</b> <a href="mailto:ausnog@ausnog.net" target="_blank">ausnog@ausnog.net</a><br><b>Subject:</b> [AusNOG] Web Injection<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal">
<u></u> <u></u></p><div><p class="MsoNormal">Guys,<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Thought I'd post here to see if anyone else is seeing the injection at the very bottom of this site.<u></u><u></u></p>
</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><a href="http://www.jamboree.com.au" target="_blank">www.jamboree.com.au</a><u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p>
</div><div><p class="MsoNormal">We've tested it from various subnets of ours and some show the injection while others don't.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">
If you see it we'd be keen to see the path your going and if its via peering etc.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Cheers<u></u><u></u></p></div><div>
<p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Cameron<u></u><u></u></p></div></div></div></div></div></div><br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<p>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <span><a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br>
</u></span>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder</p></div>
</div>