Was I hacked? “kosa-target-image” issue
One of my client websites was built using CMS Made Simple. It’s a robust content management system that I enjoy using for the most part. While editing a page on my client site, I discovered some odd code that I did not knowingly insert. The code was as follows…
<img id="kosa-target-image" style="position: absolute; visibility: hidden; z-index: 2147483647; left: 325px; top: 28px;" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAUCAYAAACJfM0wAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAK8AAACvABQqw0mAAAAB90RVh0U29mdHdhcmUATWFjcm9tZWRpYSBGaXJld29ya3MgOLVo0ngAAAAWdEVYdENyZWF0aW9uIFRpbWUAMDQvMDQvMDhrK9wWAAACA0lEQVQ4jbXVz0sUYRjA8e+u6xqlKJUaBZuUh6AfhyCEpUN/QIR0skMh6iHwsKe6lFu4HjpJhy5BS1CsZtDSrYMYdPHUZauDbhcpi7bEH2DOtjvP83aY3dFxxi1hfeAd3nlhPu/zPjPvOyHgKnsQEQDz60kaaKuTuRpqHxqMAKBWvVCoJOjAxqqj60Q1Y3fg05dWki/OMjt3+L+A+KklRvs+cia2VhtOTsYpN5wgl4nReTCM6s7o96UyA6kFkpNK9tZMEFx0B2bnO8hlYky/L5N9V2TDsinbgohi207fFqGxwZDoO0T67nEu9FseAyAMODWuNqC9LczUTBGrKIgqqgYRQdSgqogovy2b8YkCxzqiBBlOxuJ/earqIqqKbMfVsLYuGGMIMnb8KkTUk60HNwapTOqGCYLVDzdGDH9Km1mKiDOBMe4qmqJbl+g1wu5gtQGFZWHw8gFam/GXoILubwpxf+go336WCDJ8pYh35xkYayZ9J8aVi52+lZgt18VCif7RBeLd+X+XItX7nJHXyvkb6wD8eHOOqekVEuNffZM4icyR6s34SuGDTx/Jk715D4CTIy959XaFB0/n+Tw2TMu+jUDcMby3vg2yPW4/WuTxtYe0RJd9D9eKmodQT1eOxKVn9HR9qJZ1l3DABgGYuD7sdGR36CZsrFXqeNADhNijX9NfAyI+Sz1Sug0AAAAASUVORK5CYII=" alt="">
Quite odd I thought. Where could this have come from? Was I hacked?
I experimented with the code a little bit. The first thing I did was to change the visibility from “hidden” to “visible” and to change the “top: 28px” to a value of “top: 628px” simply to move whatever image it was to a position on the screen below the rest of my content so I could easily see it. And lo and behold, here is what showed up…
Now isn’t that a little strange? It is nothing more than, what I would call, a speech bubble icon. It didn’t have a link around it, just a lonely, invisible, speech bubble icon.
So I went to Google and searched for “kosa-target-image”. Based on what I read, it seems that the base64 code is the actual speech balloon image embedded right into the block of HTML code. It was suggested in one thread that this code was the result of at one time having the Google extension Kallout installed. I’d never heard of that extension and had never installed it so that could not be the explanation for my particular situation.
I’m still miffed by this. I had recently upgraded my CMSMS installation from an earlier version and am wondering if it could have anything to do with either FCKeditor or TinyMCE.
I’ve snooped through my database with phpAdmin and could only find a single instance of the weird code. So it does not seem like a hack job. I don’t know what it is or was. I’ve deleted the code and will remain vigilant. I’d sure like to know if you’ve seen this and what your thoughts are.
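The two manual checks described above (working out what the base64 really is, and searching stored content for the markup) can be scripted. This is an added example, not code from the original post: it scans page HTML for `<img>` tags with inline base64 `data:` URIs, flags hidden ones, and reads the PNG size and text chunks without rendering anything. The function names are hypothetical, and the sample image and HTML are constructed rather than taken from the post.

```python
import base64, re, struct, zlib
from html.parser import HTMLParser
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_info(data):
    """Return (width, height, tEXt dict) for PNG bytes, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos, size, texts = 8, (None, None), {}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR" and len(body) >= 8:
            size = struct.unpack(">II", body[:8])
        elif ctype == b"tEXt":  # keyword, NUL, value (e.g. the authoring software)
            key, _, val = body.partition(b"\0")
            texts[key.decode("latin-1")] = val.decode("latin-1")
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
    return size[0], size[1], texts

class DataImgFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        m = re.match(r"data:([\w/+.-]+);base64,(.*)", a.get("src") or "", re.S)
        if tag != "img" or not m:
            return
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except ValueError:  # malformed base64: still report the tag, nothing to parse
            raw = b""
        style = (a.get("style") or "").replace(" ", "").lower()
        self.findings.append({"id": a.get("id"), "mime": m.group(1), "png": png_info(raw),
                              "hidden": "visibility:hidden" in style or "display:none" in style})

def scan(html):
    finder = DataImgFinder()
    finder.feed(html)
    return finder.findings

def _chunk(ctype, body):  # builds one PNG chunk for the constructed sample below
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
# Constructed sample (not the blob from the post): 16x16 PNG header plus a Software tEXt chunk
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 16, 16, 8, 6, 0, 0, 0))
              + _chunk(b"tEXt", b"Software\0ExampleEditor") + _chunk(b"IEND", b""))
SAMPLE_HTML = ('<img src="/uploads/logo.png" alt="logo"><img id="kosa-target-image" style="visibility: hidden;" '
               'src="data:image/png;base64,%s" alt="">' % base64.b64encode(SAMPLE_PNG).decode())
```

Running `scan()` over each content row exported from the CMS database gives one finding per inline image, so a single stray element like the one in the post stands out from a site-wide injection.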