Is my ISP injecting JS line ?

anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Hi

I got a situation.
Whenever I browse the net, I get the following line injected at the top of the HTML page.

```html
<SCRIPT LANGUAGE="javascript1.2" SRC="http://x.222360.com/un.js"></SCRIPT>
```

If it's not x.222360, it's s.222360 etc. (I've added these to my hosts file.)

I formatted my hard-disk, re-installed my OS and it still persists.

I tried a small php code to get the html contents using file_get_contents.

```shell
php file_get_contents.php > temp.txt
```

Guess what? That JavaScript line still exists!

What I would like to know is, is this 100% confirmation that this issue is from my ISP's side & not from my PC ?

I understand if all my browsers (FF 2.0.0.11, IE7, Safari 3.0.4, Opera 9.5 beta) are hijacked (I'm never in admin mode anyway, only User), but a PHP script retrieving the contents ... I don't think php.exe got hijacked.

Worst part is, it doesn't happen 100% of the time - say 65% - 85%.

Thanks
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Whoa! My first instinct would be that your computer has been compromised although you did reformat your computer... this is just scary stuff. Visiting the domain name http://222360.com/ it is a domain squatter page. A quick whois reveals not much information other than it is somebody trying to mask their identity.

```
Domain name: 222360.com

Registrant Contact:
sdfads sdfa
asdf asdf (manage@222360.com)
+682.8888888888
Fax: +420.8888888888
asdf
asdf, HONGKONG 100000
CN

Administrative Contact:
sdfads sdfa
asdf asdf (manage@222360.com)
+682.8888888888
Fax: +420.8888888888
asdf
asdf, HONGKONG 100000
CN

Technical Contact:
sdfads sdfa
asdf asdf (manage@222360.com)
+682.8888888888
Fax: +420.8888888888
asdf
asdf, HONGKONG 100000
CN

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-se
```

Very scary indeed.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

The js seems to be obfuscated as well. Quick test - boot from an ubuntu live cd or clean linux install and see if the problem is still there.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I don't want to install Linux on my Windows PC.

```php
<?php
$url = "http://forums.devnetwork.net";
$c = file_get_contents($url);
echo $c;
?>
```

What I would like to know is, how can the above code have the injected JS line if it's my PC that's infected?
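A defender's version of the check this post is reaching for, added here as an example and not code from the thread: fetch the page with a non-browser client several times, flag script tags whose host is not the page's own, and note whether such a tag sits above the document's own markup (the position described in the first post). The sample responses below are constructed, and `fetch_many` is a hypothetical helper for running the same tally against a live URL.

```python
import re
import urllib.request
from collections import Counter
from urllib.parse import urlparse

# External <script ... src=...> tags, matched case-insensitively so the
# upper-case <SCRIPT ... SRC=...> form quoted in the thread is caught too.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def foreign_scripts(html, page_url):
    """Return src URLs of script tags whose host differs from the fetched page's host."""
    page_host = urlparse(page_url).hostname
    return [src for src in SCRIPT_SRC_RE.findall(html)
            if urlparse(src).hostname not in (None, page_host)]

def script_before_markup(html):
    """True if a script tag precedes the first <!DOCTYPE or <html> tag, i.e. it was
    prepended to the response rather than written into the page."""
    markup = re.search(r'<(!doctype|html)\b', html, re.IGNORECASE)
    script = SCRIPT_SRC_RE.search(html)
    return script is not None and (markup is None or script.start() < markup.start())

def tally(fetches, page_url):
    """Count how many fetched copies carry foreign script tags and which hosts they point at."""
    hosts, tainted = Counter(), 0
    for body in fetches:
        srcs = foreign_scripts(body, page_url)
        if srcs:
            tainted += 1
            hosts.update(urlparse(s).hostname for s in srcs)
    return tainted, hosts

def fetch_many(url, count=20, timeout=10):
    """Hypothetical helper: fetch the same URL repeatedly with a non-browser client
    (an injection seen only 65-85% of the time will not show up in a single fetch)."""
    bodies = []
    for _ in range(count):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", "replace"))
    return bodies

# Constructed sample responses (not captured traffic): a clean copy of the page
# and copies with the tag from the first post prepended, as a tampering gateway would deliver them.
PAGE_URL = "http://forums.devnetwork.net"
CLEAN = ('<!DOCTYPE html><html><head><script src="http://forums.devnetwork.net/site.js">'
         '</script></head><body>forum</body></html>')
INJECTED_X = '<SCRIPT LANGUAGE="javascript1.2" SRC="http://x.222360.com/un.js"></SCRIPT>' + CLEAN
INJECTED_S = '<SCRIPT LANGUAGE="javascript1.2" SRC="http://s.222360.com/un.js"></SCRIPT>' + CLEAN
SAMPLE_FETCHES = [INJECTED_X, CLEAN, INJECTED_S, INJECTED_X]

if __name__ == "__main__":
    tainted, hosts = tally(SAMPLE_FETCHES, PAGE_URL)
    print(f"{tainted}/{len(SAMPLE_FETCHES)} copies tainted; script hosts: {dict(hosts)}")
```

Running the same tally from a second machine or a second network against a page you control, over plain HTTP and again over HTTPS, separates an in-transit injection (present on HTTP copies from that network only) from something local to one PC.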
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

anjanesh wrote: I don't want to install Linux on my Windows PC.

```php
<?php
$url = "http://forums.devnetwork.net";
$c = file_get_contents($url);
echo $c;
?>
```

What I would like to know is, how can the above code have the injected JS line if it's my PC that's infected?
You don't need to install it to run it -- hence Ubuntu Live CD
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

The live Ubuntu CD means that you can boot from it, run it, use it and then turn it off. It can even allow you to see your files on your Windows partition if you want.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Where do the temporary files get stored when booting from Ubuntu Live ?
I have a 40GB NTFS hard-disk that has my WinXP OS and software, and another 250GB NTFS disk for my data.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Everything lives in RAM. There is no writing to disk. Seriously, there is nothing to worry about. I do it all the time just to play with it.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I surely will download and give it a try. Need to download.

But coming back to the original question ...
how is it possible for that php snippet to get that JS line injected into the html page ?
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Are you sure it's not a browser thing? Maybe an extension? If you backed up your firefox profile (like I would) then the extension would have survived the format.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I would venture to guess that it's either your ISP, a rogue employee working at the ISP, or someone is hacking your ISP's routers. Especially considering that you reinstalled Windows. Did you reinstall from an original MS or OEM CD?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I reinstalled my OS and installed FF - with 0 extensions. I was hoping to solve this first and then install the extensions.

Btw, I ran the php code via command-line - not via the browser.

```shell
php file_get_contents.php > output.txt
```

Did you reinstall from an original MS or OEM CD?
OEM OS - the one that came with my HP PC.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

And you're connected directly to your router or cable modem? Hardwired or Wireless?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Hardwired. Using Sify.

I unnecessarily re-installed my system. It's been 3 yrs since I've done a format + OS re-install, since I'm pretty secure on hijack-related issues.

Anyway, this is still happening and it's not something I can do much about - except block it using the AdBlock extension, adding entries in the hosts file, etc.

Apparently, this is a result of an attack on open ports and somehow manages to inject on the way (gateway) - definitely not happening on my PC.
(http://www.experts-exchange.com/Virus_a ... 49938.html)

Very often my net is slow probably because of this continuous attack.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I've suffered similar in the past and all I could do was inform my ISP and ask them to investigate.

The reason these attacks occur is usually one of two: DDoS, or to greatly increase the value of a domain (lots of hits).