A Google Groups thread has several smart webmasters aiding a webmaster who found links on his site via the Google cache. In short, the links are not visible when viewing the page in the browser, but they are visible when viewing the page via the Google Cache. He asks how can this be.
One of the cool parts of this thread is that the webmaster won't give up the URL of his site. So we have smart webmasters and even Googler's offering ideas on how a link can end up on a site without knowing about it or seeing it.
JLH tells the webmaster to try changing their useragent to see if it is a cloaking thing. The main thing is to first find the problem, then find the source, and then get rid of it. Googler comes in and adds:
JLH beat me to the punch. Thanks for the quick, thorough response, John! I'm sorry to hear about your site--but I agree with his diagnosis. I still wish we had a URL to look at to confirm our suspicions, though.
To fix the problem, I'd look for any scripts (asp, aspx, etc.) that you didn't write, delete them, and update any CMS you are running, since CMS's are the most frequent targets of hacks. Usually security holes are used to upload scripts that create and hide the text.
In this case, what was the issue? One of the pages had some bad "code in some user controls (.ascx)." The webmaster added:
One of the files had this script in the page. I deleted/cleaned the page and pasted in to the production environment. We have Front Page Server Extensions and Web DAV.
This is not uncommon at all.
Forum discussion at Google Groups.