Unknown scripts are prepending before html body close tag

Question

From today morning, i found some unknown scripts are prepending just before the "body" close tag, The scripts are :

<script> var addthis_config = {"pubid":"ra-554ac5c71847b3c2"}; </script><script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-554ac5c71847b3c2"></script>
<script> if (addthis && addthis.layers) { addthis.layers({'share':{'mobile':false}});}</script>

I had not added this piece of code to the website. I was searching for the root cause for this. But until this moment i cannot find a solution to remove this script. What i did/observed so far :

Removed "body" close tag : No script

Tried to add an html file(with basic tags) index.html file : found the script is injected right before the body close.

Scripts are only seen at the home page.

The files uploaded to different hosting with a different domain : No scripts

The web server is Apache, and the content of .htaccess is as shown below:

<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

RewriteEngine On

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)mywebsite\.ae [NC]
RewriteRule ^(.*)$ http://www.mywebsite.org/$1 [R,L]

RewriteRule ^(.*)/$ /$1 [L,R=301]

# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

The website is hosted with Amazon Web services. Does anyone have such an experience before ?

Answer 1

Finally I found the root cause !! Actually the page was served via a different IP rather than the real hosting IP(May be a DNS attack ?). I found this while inspecting the header under the developer tools ->Response header :

via : Stark 1.0 (Something like this).

Then I tried The public IP of the AWS hosting & the scrip was not appearing at all.But if i try to load the website by domain name, This Via header is set. So i informed the domain registrar about this issue, dont know how they fixed this issue.

Answer 2

As you write in comments:

yes only from the specific domain, i tried uploading the same files to a different hosting associated with another domain & the script is not shown there

What is adding this script to website?

Your hosting want to get more visitors, so adding this plug-in inside your webpage.

What this plug-in doing?

This plug-in is creating links to social sites and other links... so if you are searching you website on google you can side more than you have on your page, like social links, etc. You can read about it here.

What to do to prevent this?

You can see or download script at this address. If you are using any free hosting, it is usually why do you have this "ads" in you website, else if you have normal paid hosting try to contact support and ask why do you have this script on website or try to deactivate it in website admin.

Answer 3

http://www.addthis.com/academy/the-addthis_config-variable/

Either the page you are viewing is using addThis, or a third party script is adding it.

If this is your page, and you want to find out whic page is adding it, put this code at the top of your page

document.createElement = (function () {
   var _realCE = document.createElement;
   return function (name,options) {
      if (name.toLowerCase() === 'script') {
         try {
            throw "script added to page";
         }
         catch(e) {
            console.warn(e.message);
            console.warn(e.stack);
         }
      }
      return _realCE.apply(document,arguments);
   }
})();

It will spit out a stack trace anytime a script creates another script tag. This should give you enough to figure out which script is doing this to you.