Site being hacked - injection into tracking code snippet

One of my sites (on the latest release) keeps getting hacked and they are injecting code into the “tracking” area where we have our google tracking code.

E.g., injecting in with the google code.

Are you sure it’s not just Google tag manager inserting extra scripts?

If you actually view the HTML of the page directly, can you see these scripts?

A URL would help here.

1 Like

I haven't heard of it before, but it seems to be a known issue:

1 Like

Yes so you could see in the tracking code

A week earlier there was something similar added in

Related question - I was trying to find where the tracking code was stored in the CMS system. Looks like it is in application/config/generated_overrides/site.php - is that correct or am I missing something?

Yes, this is right. That's the place where this is stored.

I think adjusting the Content Security Policy in the server configuration will stop that issue.

Like so:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted-scripts.com";

1 Like

This will only allow loading JavaScript from https://trusted-scripts.com and nowhere else. Adjust it to your needs, your site might load resources from other domains as well.

1 Like

BTW good idea - did some tests and there are at least a few things I would need to do to change the site to allow that to work (many items being blocked that are legit at the moment). As a temp workaround, I wrote a script that looks to the site and if the Google script changes from what it should be, it notifies me and then rewrites it to what it should be.

This all seems a bit elastoplast. Patching over the symptoms rather than resolving the original cause.

Whilst such measures are valid, they are secondary measures. You need to find out how the site tracking codes are being repeatedly hijacked (from a server account, from a site admin account, from some dodgy PHP added to the site, from a cheap host's advertising dept, … ) and lock that down. If in any doubt, change all hosting and admin passwords now.

2 Likes

Yup, no disagreement there, and did change all the passwords to be sure, combed logs - nothing has come up as a clear root cause and it hasn’t happened again in a couple of weeks - but of course that doesn’t mean anything. Next steps will be upgrading the server (current setup was reaching EOL - this just speeds it up).

1 Like