Hidden spam/ad links in Joomla template

Posted 2019-02-25 00:16

Question:

I just found some hidden links when I was looking in the source code for a site I am building in Joomla, when I found some hidden spam links.

I have used an hour trying to find them within some of the template files without luck. The links are the following (from the HTML source code):

<div id="jxtc-zt"><a href="http://magical-place.ru/" target="_blank" 
title="достопримечательности Европы">достопримечательности Европы</a></br><a 
href="http://joomla-master.org/" target="_blank" title="шаблоны Joomla 3.5">шаблоны  Joomla
3.5</a></div>

And this:

</div><div id="jxtc-zt"><a href="http://battlefield4.com.ua/" target="_blank" 
title="Battlefield 4">Battlefield 4</a><br><a href="http://www.absolut.vn.ua/" 
target="_blank" title="минеральные воды">минеральные воды</a></div></div></div>

Do you have any suggestions for how to find out where they are created?

It is probably obfuscated in some way?

Thanks

Answer 1:

If you can't find the word "Battlefield" in any of the site's documents, try searching for (without quotes):

"QmF0dGxlZmllbGQ=" (Base64 representation),
"426174746c656669656c64" (Hexadecimal representation),
"&#66;&#97;&#116;&#116;&#108;&#101;&#102;&#105;&#101;&#108;&#100;" (ASCII).

These would be the most common ways to encode it.

If still no luck, then locate the code manually: delete small chunks of code in the main template file (index.php most commonly) and watch whether the unwanted link disappears after the deletion. If it did, you have found the code that is responsible for it.



Answer 2:

Had the same problem, but found the solution.

The code is indeed hidden within the template under template_name\html\com_content\article\default.php. The text is encoded using base64 and I had 2 instances in mine, 1 for before the article and one at the end. The code used is:

<?php  if (!$params->get('show_intro')) :
    echo $this->item->event->afterDisplayTitle;
endif; ?><?php
$mgp='PGRpdiBpZD0iamItYmYiPjxhIGhyZWY9Imh0dHA6Ly9tYWdpY2FsLXBsYWNlLnJ1LyIgdGFyZ2V0PSJfYmxhbmsiIHRpdGxlPSLQvtGC0LfRi9Cy0Ysg0YLRg9GA0LjRgdGC0L7QsiI+0L7RgtC30YvQstGLINGC0YPRgNC40YHRgtC+0LI8L2E+PGJyPjxhIGhyZWY9Imh0dHA6Ly9qb29tbGEtbWFzdGVyLm9yZy8iIHRhcmdldD0iX2JsYW5rIiB0aXRsZT0i0YDQsNGB0YjQuNGA0LXQvdC40Y8gSm9vbWxhIDMuNSI+0YDQsNGB0YjQuNGA0LXQvdC40Y8gSm9vbWxhIDMuNTwvYT48L2Rpdj4=';
echo base64_decode($mgp);?>

I simply removed the code from the 2nd

<?php ~ through to ?>

in both links.
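The searches from answers 1 and 2 combined into one scanner, as an added example that is not code from any of the posts. Instead of searching for the Base64 spelling of the keyword, it decodes quoted Base64 literals and searches the decoded text, because a word inside a larger encoded blob is spelled differently depending on its byte offset. The function names, the sample file and the spam.example domain are constructed for illustration.

```python
import base64, binascii, re
from pathlib import Path

# Quoted literals of 24+ base64 characters, e.g. $mgp='PGRpdiBp...';
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")

def encoded_forms(keyword):
    """Plain, hex and decimal-entity spellings of the keyword (from answer 1)."""
    return {
        "plain": keyword.lower(),
        "hex": keyword.encode("utf-8").hex(),
        "entities": "".join(f"&#{ord(c)};" for c in keyword),
    }

def scan_text(text, keyword):
    """Return sorted (line_number, kind) hits for keyword in text."""
    hits = set()
    forms = encoded_forms(keyword)
    for no, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        hits.update((no, kind) for kind, form in forms.items() if form in low)
        for m in B64_LITERAL.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # looked like base64 but is not
            if keyword.lower() in decoded.decode("utf-8", "replace").lower():
                hits.add((no, "base64"))
    return sorted(hits)

def scan_tree(root, keyword, suffixes=(".php", ".html", ".js", ".css")):
    """Scan matching files below root; returns {path: hits} for files with hits."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text("utf-8", "replace"), keyword)
            if hits:
                found[str(path)] = hits
    return found

# Constructed sample: a template override carrying an encoded link block.
# spam.example is a placeholder domain, not one from the posts.
_blob = base64.b64encode(
    b'<div><a href="http://spam.example/">Battlefield 4</a></div>').decode()
SAMPLE = "<?php\n$x='" + _blob + "';\necho base64_decode($x);?>\n"

if __name__ == "__main__":
    print(scan_text(SAMPLE, "Battlefield"))
```

Run `scan_tree` against the template folder with a word taken from the unwanted links; each hit gives the file, line number and the encoding in which the word was found.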



Answer 3:

For those who have similar problems, I'd like to suggest a thorough solution.

A binary searching tool, like "Text-Crawler" or "String Finder" (for Windows), comes in handy; then search for the "most uncommon word from the whole unwanted text" in the root folder.

Next, as "Jevgeni Boga~" pointed out in the above answer, try to search for the hashed form of those strings, which could be base64, hexadecimal, ASCII.

Now if you are still not able to zero in on the exact code, there is quite a possibility that the hidden code is being fetched from the database rather than a file, so your next place to search is your database, and it's quite easy to perform a string search through "phpmyadmin".

All you need to do is go to the "phpmyadmin home", then select "your database", then select "search"...

Words or values to search for :=> "most uncommon word from the injected code"

Find:=> Leave default (at least one of the words)

Inside tables :=> Choose Select All

Inside column :=> Leave blank

Now if your "unwanted code" was hidden inside database, then you most probably shall get to it.

Now there is also a possibility, as someone stated above, that the code is being injected by some script after the loading of the page; well, you could be sure that this isn't the case by disabling the JavaScript in your browser...

There are various other things to look out for... Like checking whether the code is in text format or is just an image of the text... then if that's the case, maybe you have to look for that file, like .jpg or .png... Furthermore, the image could also be parsed from the CSS using the "URLdata:image/png;base64" method...

Or lastly, just search for the "iframe" tag; maybe that's iframed from some other source.