At the same time I notice that a link to the following address:
http://new.addfreestats.com/?usr=00911093
has been embedded in the top left of my front page. It's only about a pixel in width and maybe ten or so pixels in height. There is no visible link but mousing over that area shows the destination in the browser status window.
I've checked the server logs and the only thing that I can find so far that looks suspicious is a single call to
mydomain.com/help.php?module=data&file=fields.html
from an IP in Russia.
This is a very low traffic site. (www.moodlemootmishima.com) that is used for a Moot we held yesterday. I don't know if someone decided to be cute by hacking the site on the day of the Moot or what but if that is the case I guess it is quite imperative to figure out how.
I don't think I am posting a vulnerability here.....as I don't know how this was achieved?
If anyone has any info. or advice I would be most appreciative.
Also, checking the source of the front page reveals the following
<script type="text/javascript"> var AFS_Account="00911093";var AFS_Tracker="auto";var AFS_Server="www9";var AFS_Page="DetectName";var AFS_Url="DetectUrl"; </script> <script type="text/javascript" src="http://www9.addfreestats.com/cgi-bin/afstrack.cgi?usr=00911093"> </script> <noscript> <img src="http://www9.addfreestats.com/cgi-bin/connect.cgi?usr=00911093Pauto" border=0 width=0 height=0>
</noscript>
Jason