June 26, 2017

Was I hacked? “kosa-target-image” issue

One of my client websites was built using CMSmadesimple. It’s a robust content management system that I enjoy using for the most part. While editing a page on my client site, I discovered some odd code that I did not knowingly insert. The code was as follows…

<img id="kosa-target-image" style="position: absolute; visibility: hidden; z-index: 2147483647; left: 325px; top: 28px;" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABYAAAAUCAYAAACJfM0wAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAK8AAACvABQqw0mAAAAB90RVh0U29mdHdhcmUATWFjcm9tZWRpYSBGaXJld29ya3MgOLVo0ngAAAAWdEVYdENyZWF0aW9uIFRpbWUAMDQvMDQvMDhrK9wWAAACA0lEQVQ4jbXVz0sUYRjA8e+u6xqlKJUaBZuUh6AfhyCEpUN/QIR0skMh6iHwsKe6lFu4HjpJhy5BS1CsZtDSrYMYdPHUZauDbhcpi7bEH2DOtjvP83aY3dFxxi1hfeAd3nlhPu/zPjPvOyHgKnsQEQDz60kaaKuTuRpqHxqMAKBWvVCoJOjAxqqj60Q1Y3fg05dWki/OMjt3+L+A+KklRvs+cia2VhtOTsYpN5wgl4nReTCM6s7o96UyA6kFkpNK9tZMEFx0B2bnO8hlYky/L5N9V2TDsinbgohi207fFqGxwZDoO0T67nEu9FseAyAMODWuNqC9LczUTBGrKIgqqgYRQdSgqogovy2b8YkCxzqiBBlOxuJ/earqIqqKbMfVsLYuGGMIMnb8KkTUk60HNwapTOqGCYLVDzdGDH9Km1mKiDOBMe4qmqJbl+g1wu5gtQGFZWHw8gFam/GXoILubwpxf+go336WCDJ8pYh35xkYayZ9J8aVi52+lZgt18VCif7RBeLd+X+XItX7nJHXyvkb6wD8eHOOqekVEuNffZM4icyR6s34SuGDTx/Jk715D4CTIy959XaFB0/n+Tw2TMu+jUDcMby3vg2yPW4/WuTxtYe0RJd9D9eKmodQT1eOxKVn9HR9qJZ1l3DABgGYuD7sdGR36CZsrFXqeNADhNijX9NfAyI+Sz1Sug0AAAAASUVORK5CYII=" alt="">

Quite odd I thought. Where could this have come from? Was I hacked?

I experimented with the code a little bit. First thing I did was to change the visibility from “hidden” to “visible” and to change the “top: 28px” to a value of “top: 628 px” simply to move whatever image it was to a position on the screen below the rest of my content so I could easily see it. And lo and behold, here is what showed up…

kosa-target-image-1-1

Now isn’t that a little strange? It is nothing more than, what I would call, a speech bubble icon. It didn’t have a link around it, just a lonely, invisible, speech bubble icon.

So I went to Google and searched for “kosa-target-image”. Based on what I read, it seems that the base64 code is the actual speech balloon imaged embedded right into the block of HTML code. It was suggested in one thread that this code was the result of at one time having the Google extension Kallout installed. I’d never heard of that extension and had never installed it so that could not be the explanation for my particular situation.

I’m still miffed by this. I had recently upgraded my CMSMS installation from an earlier version and am wondering if it could have anything to do with either FCKeditor or tinyMCE.

I’ve snooped through my database with phpAdmin and could only find a single instance of the weird code. So it does not seem like a hack job. I don’t know what it is or was. I’ve deleted the code and will remain vigilant. I’d sure like to know if you’ve seen this and what your thoughts are.

Comments

  1. Nathan Hawks says:

    One of my clients just had this show up twice in a single article in a Joomla site. I’m fairly concerned. I use Firefox most of the time, I think he uses Safari on MacOS most of the time – however we both test things with multiple browsers, so there’s really no saying where it could have come from. Did you ever learn more about this?

    • Michael R Erb says:

      Hey Nathan, it remains a mystery to me.

      I don’t know where it came from.
      I don’t know how it got there.
      I just don’t know.

      I removed the code and it has not returned. I do not believe it had anything to do with being hacked though. There simply is no evidence of that and no further damage or alterations that i have been able to discern. It’s just one of those things that I have no explanation for other than to say that it -could- have been a result of a module or something. Until it happens again and I’m able to research it again, I just have to let it go since it hasn’t affected my site further. I’m not totally comfortable with that resolution, but not much else I can do at this point.

      • Nathan Hawks says:

        Ok, well, thanks for the reply. In my Googling, all roads seemed to indicate Firefox was inserting an icon from its active theme, perhaps due to an accidental drag’n’drop. In any case, same resolution here – as long as I can feel sure my client wasn’t hacked, the issue rests ๐Ÿ™‚