Is my ISP injecting JS line ?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Something isn't right here.
From the information that has been provided it would seem that an Internet backbone is injecting it, which isn't probable.
Did you test this using an Ubuntu Live CD as I recommended? And why do you still have JavaScript enabled when you know some of it is coming from untrusted sources?
I'm having a hard time buying your story. What does port injection have to do with this? What evidence do you have to support that port injection is indeed occurring? Do you think that is possible? Do you think that would work on every single http request made? What if you request an image, executable or binary? Is this js line limited to a specific mime type or is it injected into all responses from all servers with a specific header?
Quote: I think you need to escalate this issue to the next level at your ISP. It is crap that they are doing that to you (and goodness knows how many others).
No use complaining to ISP if others aren't complaining. Tech support at level is not possible.
Quote: From the information that has been provided it would seem that an Internet backbone is injecting it, which isn't probable.
It's true that it's going to prove that - but after
- formatting my primary hard-disk (second hard-disk just contains all my data)
- re-installing XP SP2
- didn't add any FF extensions (only AdBlock Plus a while later)
- use only User group mode (never in admin unless for installation)
- checked with php code by file_get_contents()
- and still occurring - I can't see how it be my PC is affected. And moreover - there are others mentioning this have same issues.
Quote: Did you test this using an Ubuntu Live CD as I recommended?
Download issues - based on a pattern of complaints, it's possible that that script is giving a DoS attack, since most can't seem to download and a webpage takes forever to download (when this attack is active). Apart from the fact that I'm on a 256kbps.
Quote: And why do you still have JavaScript enabled when you know some of it is coming from untrusted sources?
This is going to take a while to resolve - I've already spent over 1 week on this thinking it was my PC that was infected somehow (in spite of CCleaner, Spybot S&D, AVG AV, HijackThis all reporting 100% clean). I got to get back to web-dev stuff which requires JS and AdBlock Plus extension is good enough to block whatever I want (JS, images, CSS, frames etc). I'm obviously not using IE.
Quote: I'm having a hard time buying your story. What does port injection have to do with this?
Me too - but after reading the expert-exchange thread, I was pretty sure it wasn't PC related.
"port injection" in the sense - attacking a port by continuous DoS thereby slowing down the internet. Nothing to do with the JS line injection - but it ALWAYS happens when the JS line injection starts.
Quote: What evidence do you have to support that port injection is indeed occurring? Do you think that is possible?
well .... Something is definitely going on.
Quote: Do you think that would work on every single http request made? What if you request an image, executable or binary?
Once the JS line injection is active, the connectivity becomes terribly slow for everything.
Quote: Is this js line limited to a specific mime type or is it injected into all responses from all servers with a specific header?
Only HTML, XHTML pages. It isn't getting inserted into RSS, or exe files.
Unfortunately most of the results on 222360.com are in Chinese and the translation is not all that easy to read.
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Quote: This should be easy: HTTPS should be clean as it is encrypted and signed. Can you surf to a site like that and see if the js persists?
I don't think it gets into https pages (not sure, it's definitely not in Google pages)
Btw, new crazy activity. I was checking out my Apache logs.
What on earth is this ? I don't have any BitTorrent s/w installed.
I have Flashget 1.90 which I haven't run in more than a week since I've decided to use gnuWin32 wget instead.
And how is it that some of these are returning 200 HTTP status codes ?
Example:
Code: Select all
71.181.173.208 - - [07/Jan/2008:09:10:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -
apache access.log :
Code: Select all
84.203.83.71 - - [07/Jan/2008:01:40:29 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:44:31 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:45:32 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:45:58 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:46:38 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:47:08 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
82.224.102.208 - - [07/Jan/2008:01:47:22 +0530] "\x02\xa3\xd3\x90\x9e*\xe6\xaf\xb2\x8f\x84\xde\xd2^x\xc3\x84\x9f\xde\x90*\xbf\x1fh\xdb\x9d\x12\xe1\xc1q\xac,\x91\x0e\xe1\xa5\xcb\xc6f]rxE" 200 -
84.203.83.71 - - [07/Jan/2008:01:48:13 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:48:52 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:50:10 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:51:00 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:51:33 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:51:56 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:53:30 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:56:30 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:58:36 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:59:09 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:01:12 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:03:33 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:04:25 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:05:06 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:05:45 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:06:34 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:07:33 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:08:34 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:10:38 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:11:11 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:12:39 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:13:27 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
59.167.108.131 - - [07/Jan/2008:08:57:17 +0530] "\xf3\x13G_\x13Z&-\xba\xa0\x12\xd7c:\x84\xec\xa7\x9dI!\x1fX\x0fV\xb1\x8e\x0eO\xf3kP\x0e\xa5\xcelI\xd9\xfd\xe6J\xb2Y\x03^6K\x05\x1dx\xb0\xfb7\xf8D\xb1\xb6F\x96\xce-|\x80A\xcc\"\xff\xe5\xb2\xadjK\x86\xf6^\x04\xcc\xde{5(/\x98*n]\xba/\x14\xef\xdf~S\x03]|\xb4\xad\x0e\xfa\\\xd6h.\x9b\x12y\xc4\x8d\x7fT\xb5\xb1\xb7\x83\xf2J\x86\xd4\x9ao),\xf3\xf7\xf7\x07},a\xf7\x1b2\x8b\xf8r\xc6\xac=\xfd\xc2\xbe\x93(a\xc3\x18J\xa6\x93\xbc\x8fA\x04\xa7\xb3\x96P\x9f6\x1f\xed\xbe\x15\x15\x8fW&\xdc\x1b\x15\x1b)L\xec\xf3`~\x94\xf8z\xe8\xd0\xf5/(\xbe\xfd\xaf\xb3\xda\x13\xe0\xc0\x89/\xe2\xba\x85X'E\x8d\x14\x8b\xc4\xf8\xd6\xcf!\t \xe1$X\x1a\x01a\xa4\xdd\xb3\xa7\x1cP\x81aM\xde/_\xd1\x9b\xc0!\xd6e\xfd9\xc3\x16\xc6[k\xb2\xab\xb4\x9d\xd6\x0ee\xc8\xf4\x04\xa4o\x13\x0e\x11$\x85\xb1\x0f\xf4\x8e\xb7}\xb3\x84\xa6\xd9_o5\x9by*\xbb\x9c\xf0%\x97,\r\xe0\xca\xadd\xdd\xa10\xcaB7H\xf0\x83|\xe9" 400 226
68.49.115.32 - - [07/Jan/2008:08:58:16 +0530] "\x17\xdc\xe7\xbd3\x18\xe1\x86\xba\x99\xc2L\x88\xd2g\xf6\xe9\x12\xb1>\xecU\x9b\xb8\x97\x03\xb4\xe6Z\xd6\x86\xcc\xfeW\xad\xdd\"\xfe2\x9d?'\xb0\x8f\xf9" 200 -
59.167.108.131 - - [07/Jan/2008:08:59:17 +0530] "\xf3\x13G_\x13Z&-\xba\xa0\x12\xd7c:\x84\xec\xa7\x9dI!\x1fX\x0fV\xb1\x8e\x0eO\xf3kP\x0e\xa5\xcelI\xd9\xfd\xe6J\xb2Y\x03^6K\x05\x1dx\xb0\xfb7\xf8D\xb1\xb6F\x96\xce-|\x80A\xcc\"\xff\xe5\xb2\xadjK\x86\xf6^\x04\xcc\xde{5(/\x98*n]\xba/\x14\xef\xdf~S\x03]|\xb4\"\xaf*'pV\x89\xaen\xc6\xcaw\xe4\xb6\xdb\x95\bpy[\xa6\x8e@zz\x9e}j\t\xc4\xe5\x0f\xfb%Gd$\x92\xd9\x81\x8c\\\x92\x8c;\x0cg%:\xfcv\xa5>\"\xef\x9c\xb7-\xecv\x11\xdf\x19\x16\xb0\x91\x93\x15\x81\xad\x96]\x12$\x9bt\xf7\x89\xe1\x87\xba4d/%\x84c\xb4nK\xe1p\xf7*\xda/\rF\x0c\xa2\xe27\xedUH\x0eR\x0c\xfa\x07\x8c\xec\xf6T\x7f\x11\xf5\"P\xd2\x87Y\xb7\xcb\xed\x98\x05\x92n,W" 400 226
99.233.141.118 - - [07/Jan/2008:09:09:36 +0530] "\x8a" 200 -
68.149.182.249 - - [07/Jan/2008:09:10:03 +0530] "\xc4\xea\xb0\xba\x1d\x93\xf8\xa3\x84\xcc&\xaf\xa0~\xd3\xdb\xdd$\x14\x8a\xb2\xda)|L%\x8d0\x97\xa4\xf1\x88fA\x8f\xc6\x94U.\x05R\xc0\xf5\xa6\xc0Z(\xe2.\xd0k*g\xc2~y\xd6\xfe\xc3R\xec!\xf5+M_\xd2GP\xc6\xa0[/\x8e/`oc\x1c\xe3KS&\x8c\xfau4\"3\x8amh\x97&Q\x07\xc7\v6\xc4T\xfb\x88\x1b\x1f\xb6\xe8\x9bH\x8f\xa5\xc9\xfb8\x9eg\x80w\xe6<1k\x8b\xa1\x1b\x84\xe9\xa4;\xc1\xcaR\xa4\xd2\x05\xc6\x12,db\x93\r\x01y" 400 297
193.77.76.197 - - [07/Jan/2008:09:10:07 +0530] "\x13BitTorrent protocol" 400 226
24.4.248.49 - - [07/Jan/2008:09:10:20 +0530] "\x9c\x04\x98\x91(\xf0\xdc\xda\xa8c_(\xae1C\\\xbd\xef7\xb8\x8c\x1b5\xb2\xc2sk\x9eQ\x99\x85\xdbd\x17k\r\x10\xe5(\xd8Zd\xd9\xfb\x87A\x84c\\\xa5X\x95\xb9w\x80\b \xc5W\x12\x8d\xa9,\\\xf2\xfcN.\x81\x8d\xc0u\x8a\x13_U<\xc2\xb3\x8cXO\x8d\xdc\x94\x01V\xbb\xd7Kk\x1f\x8b\x9cU\x01\xfe\xfe" 400 379
89.176.50.144 - - [07/Jan/2008:09:10:24 +0530] "?\xc24\x85\xf3\xb6@\xa2n\xcc\xb3=\xb0" 200 -
70.71.239.121 - - [07/Jan/2008:09:10:24 +0530] "\x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83" 400 226
201.80.105.46 - - [07/Jan/2008:09:10:05 +0530] "\xebZoq\x15\x18\x18\x04B\xdfd\x84@\xc5;\x87\x86\xdc\x95\xa7\x0c?\xa0E<\xa7\xf7\x87\xff\xbb$\xf78Zc.\x8e\x11\xac" 400 226
71.181.173.208 - - [07/Jan/2008:09:10:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -
89.176.92.235 - - [07/Jan/2008:09:10:27 +0530] "L\xe8\xe5" 200 -
71.206.33.202 - - [07/Jan/2008:09:10:24 +0530] "\xbd^^\xa8G\x1a\x1a\x9d\x12g6\xb5\x83\v\xea:\xccl\xde\xad\xce\xd1P\xc7\x7f\x9c}4N\xc9\v#\x1cw\xb2U\xf8\xfd\x87\xdfP\xb3w?\x17v\x1aVf" 400 226
68.51.202.178 - - [07/Jan/2008:09:10:35 +0530] "\x13BitTorrent protocol" 400 226
99.233.85.122 - - [07/Jan/2008:09:10:31 +0530] "\x10\xae\x90\xba,k\xc4\x86\xb3\xab\x9d.\xbe\x9f\xf7=\xacI\xbc\xbar\xa2\xaaQ;K\xce0\xac\xe5y@\xd7\xc8\x92et\xa0\\\x92\x04\x84/\x9c9\xf6\x9f:\xe8\x16Re\x9d\xbf.'TO\xa1\x9au\x0eX\x04\xf8\xcd\x1d\xc05\xd0\xed\x17Ba1*\xa4Q\x1d\xdb\rY\xc5\xad\x99\xe7P\xcd(\xc4?\xcfR\\\xf1\xb7LWbJx\x0e\xe0\x13O\x93j\xc9\x14\xe4\xfa@A]\xd8\\\xf5sQ\xc5c{F\xce\rf\\\x0c]$\x91\xebrJ\x87\x12\xb5\x03+\xd4dU|\x1eY\xab{\x13WaL\xfb0\x8a\xe4&\xd4\x8d\xb3\xdc5\x86*\xbct'\xb4d)\xbe\x1c\xea\x98n\x92\x97~\xbb\xce\x1bF\x1f*\xd4\xee\xb6\xc2`)\x14\xcf\x86\xc6\xade\xc4i\xb0\xde\xefZ\xb7>\xb7'\x8e\xac\xb5yL\x9f\xa6~\x1eu\x0f\xe4\x17:\xb7\x03\t(\x97\xeb\xed\x19X4" 400 226
220.233.108.97 - - [07/Jan/2008:09:10:25 +0530] "\x02\x7f\xf3\xf9\xc7_\xd3\xd0\xb6\xd8\xbeI\xc7W\xb89\x06\xfe\xda\xd7~rgJ\xe5\xe2Sr\xfd\xae\xaf5\xe0\x1a\xdc\xc9\x95\xdc\x80y\x9c,\x86g$\xc2g\xb7d!v\x91!d\x99\x9f\x04\xcav\x14[/P\xe6a\x92\x98\xc9\x8a\xb0\xb0\x87\x12_\x0e\xa0\x1a\xf7\"S\x9f\xb7\vt\x0egg\xd3\x8b\xc3)\xbc\xd6h\xc5ur\xc0Fl\xb7b\xe3\x1cN![\x15\x14$\xd8\x8bDv\xa9\x99$\xa6c\x0c\xbaN\xfa\x89\x0fp\xeeS\xb2\x07\x91\x1fO\xfa\xe2\xd7\xe0\xf6$\xb9\x81\xf9\xa4\xe5\xa3?\x84\xc4sD\x9f\x0c\x1b\xdaF]\x1b\xcbR\xfa\xfei=\x94\xa0[\x85<\x9fL\xdcgQe\xe9\xabV\xe4@U}\x88q\xd3\xe5\xf2\xbc2\xed%\xddf\xdf\xa5\xf2\xf8w\x86\x96;ma\x9fS4\xb76\x8c\xb4o\xb75\xee\xb4d*\x0f\x87j\x9b\x06\xb2\x97;+N\x9d\xac\xea" 400 226
124.185.181.193 - - [07/Jan/2008:09:10:50 +0530] "L\x87\xb8\x84\v]N" 400 226
71.193.165.213 - - [07/Jan/2008:09:10:50 +0530] "\xcb\xdf\x13(\x8a\x12\xa9>\xd8\xb74\xda\x9b\xb1\xb0T!R\x19" 200 -
85.144.180.58 - - [07/Jan/2008:09:11:00 +0530] "\x80\xbd\xb7\x8a\xc4\x1a\xd2\xb1\xbd\xf4\xf7o\xdd" 200 -
203.87.210.166 - - [07/Jan/2008:09:11:05 +0530] "\xea\x9a\x97\xc9*\x10\x06w\x98\x17\xc9G\xee\xc8\x89j\r!\xb5V\xe0\x01^\xd3\xa8\x1a*\xfe\x11\xec\x95b\x9e\xda\x1f\xdb\x05\xc8\xd4\xfb\xf0\xeb*\x93}\xc2S\x1b^'\xcb3" 400 226
207.255.238.209 - - [07/Jan/2008:09:11:08 +0530] "j\xbd\xc2';\x1d g\xbf\xa3\xf0s\xd9\x1aqj=t\xb2mV\xf0!\xb3\x01\xddU^\xa5Z\xb3\xf1\x85\x9bJx\\EQHoGI\xa7\xd8\xec\xe3\xc1Dv{\x9d\xac\x8ei\xda\xdc]\xc3" 400 226
216.146.161.174 - - [07/Jan/2008:09:11:13 +0530] "\x13BitTorrent protocol" 400 226
58.172.80.119 - - [07/Jan/2008:09:11:14 +0530] "\t\x0f\xb8l\x90\x84p\\\xbf\xdd\x97\x82\r\x7f\x15\xdc\xb5\xc9\xf3\xde\x10@\xe7\x18\xca\x8a\x90j\xfe\xa3 \xda+\xd9\x19s\x05u=)K@\xda\xf0Z]\xf2\r#\xf5\x13\"\xd7\xea\x1a\xc3\x06u\x10\xaf\xff\x81\xdf$\xdd\xbf\xf7/w\x96\xe9\xf6\x05\xd4\x1d\r=\x17,\xdd\x99\x1f\xca\\G%\x9eTC\x85\xfaPM\x98S\x91\x0e kQ\xb8\xb5\xe5a\xba\x96\xb9\bh\x86\xd4T\xf6\xc3H\xa0\xa3\xcb\xf2R\xad\"\x0e1\x9f\xe3\xefW\x13+9\xc6\xbf\xa7\xf8\xf0$\xae\x13\xc4\x03\x0eQ\xb2\xdb\v(\x86}\x1eW\x04\xca1\x95%p\xdf\xf9\x19j\xf3+\xdf\xaa\xfc\xbe)\xf3\xe9\x928\x0f\x7f\x8eVp\r!n" 400 226
70.71.239.121 - - [07/Jan/2008:09:11:23 +0530] "\x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83" 400 226
89.176.50.144 - - [07/Jan/2008:09:11:23 +0530] "?\xc24\x85\xf3\xb6@\xa2n\xcc\xb3=\xb0" 200 -
84.95.127.135 - - [07/Jan/2008:09:11:04 +0530] "\x8c\xceqqT(\xbf?\xd07\x03\x86:\xce\xcej\xee\x98\x95F\xd5\xb4\xb9\x16\xcc[C%f\x9a\xe0\xe36,t5\xb2\x1dD\xf4e\x12{\v<\xd11\xc6G\x96\x15\xech%\xb7:i\xba\v\xa4\xc1\x97\xf4\xce!hM9z\xecx\x1c\xd8\xae\xf0\x04\xc5K\xab\xa8" 400 226
71.181.173.208 - - [07/Jan/2008:09:11:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -
99.233.141.118 - - [07/Jan/2008:09:11:27 +0530] "\x9aC\xe2\xdc\x18\xa4G\xdf\xec5\xf9\xbb\xd7\xab\xec$\xc0\xc3\xc6\xeeS\xcc*\x06\xf2\xa1\x97\\\x07\xc1\x19\b\xf4\x95\xe8" 200 -
71.206.33.202 - - [07/Jan/2008:09:11:25 +0530] "\xbd^^\xa8G\x1a\x1a\x9d\x12g6\xb5\x83\v\xea:\xccl\xde\xad\xce\xd1P\xc7\x7f\x9c}4N\xc9\v#\x1cw\xb2U\xf8\xfd\x87\xdfP\xb3w?\x17v\x1aVf" 400 226
99.242.59.94 - - [07/Jan/2008:09:11:40 +0530] "K\x82\x03\x14\xb6\x0f#\xc0\\\xb8\x117\x1b\xd7\x0c\xe2\x89\xf1\x1bzX\x83\x0f" 400 226
124.185.181.193 - - [07/Jan/2008:09:11:50 +0530] "L\x87\xb8\x84\v]N" 400 226
71.193.165.213 - - [07/Jan/2008:09:11:51 +0530] "\xcb\xdf\x13(\x8a\x12\xa9>\xd8\xb74\xda\x9b\xb1\xb0T!R\x19" 200 -
89.176.92.235 - - [07/Jan/2008:09:12:03 +0530] "U\xf6<\xbdE6\xc6\x99\x1b\x02,\xc7\xdd\xa3\xf8'\xbd\xc8\xfba\x0e\xbd\xfe\xf9@\xec\xa8\x1e\xfb\xb3\xc1\xb4Y\xd2\x1b\x89\x0e\xa6n\x0e\x8f\xb3\xfa\xc3\xeez;" 200 -
85.144.180.58 - - [07/Jan/2008:09:12:19 +0530] "\x80\xbd\xb7\x8a\xc4\x1a\xd2\xb1\xbd\xf4\xf7o\xdd" 200 -
Code: Select all
[Mon Jan 07 08:57:24 2008] [error] [client 59.167.108.131] request failed: error reading the headers
[Mon Jan 07 09:04:18 2008] [error] [client 59.167.108.131] request failed: error reading the headers
[Mon Jan 07 09:10:03 2008] [error] [client 68.149.182.249] request failed: error reading the headers
[Mon Jan 07 09:10:07 2008] [error] [client 193.77.76.197] Invalid URI in request \x13BitTorrent protocol
[Mon Jan 07 09:10:20 2008] [error] [client 24.4.248.49] request failed: error reading the headers
[Mon Jan 07 09:10:24 2008] [error] [client 70.71.239.121] Invalid URI in request \x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83
[Mon Jan 07 09:10:25 2008] [error] [client 201.80.105.46] request failed: error reading the headers
[Mon Jan 07 09:10:31 2008] [error] [client 71.206.33.202] request failed: error reading the headers
[Mon Jan 07 09:10:35 2008] [error] [client 68.51.202.178] Invalid URI in request \x13BitTorrent protocol
[Mon Jan 07 09:10:38 2008] [warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.
[Mon Jan 07 09:10:38 2008] [error] [client 99.233.85.122] request failed: error reading the headers
[Mon Jan 07 09:10:45 2008] [error] [client 220.233.108.97] request failed: error reading the headers
[Mon Jan 07 09:10:50 2008] [error] [client 124.185.181.193] Invalid URI in request L\x87\xb8\x84\v]N
[Mon Jan 07 09:10:55 2008] [warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.
[Mon Jan 07 09:11:05 2008] [error] [client 203.87.210.166] Invalid URI in request \xea\x9a\x97\xc9*\x10\x06w\x98\x17\xc9G\xee\xc8\x89j\r!\xb5V\xe0\x01^\xd3\xa8\x1a*\xfe\x11\xec\x95b\x9e\xda\x1f\xdb\x05\xc8\xd4\xfb\xf0\xeb*\x93}\xc2S\x1b^'\xcb3
[Mon Jan 07 09:11:08 2008] [error] [client 207.255.238.209] Invalid URI in request j\xbd\xc2';\x1d g\xbf\xa3\xf0s\xd9\x1aqj=t\xb2mV\xf0!\xb3\x01\xddU^\xa5Z\xb3\xf1\x85\x9bJx\\EQHoGI\xa7\xd8\xec\xe3\xc1Dv{\x9d\xac\x8ei\xda\xdc]\xc3
[Mon Jan 07 09:11:13 2008] [error] [client 216.146.161.174] Invalid URI in request \x13BitTorrent protocol
[Mon Jan 07 09:11:22 2008] [error] [client 58.172.80.119] request failed: error reading the headers
[Mon Jan 07 09:11:23 2008] [error] [client 70.71.239.121] Invalid URI in request \x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83
[Mon Jan 07 09:11:24 2008] [error] [client 84.95.127.135] request failed: error reading the headers
[Mon Jan 07 09:11:32 2008] [error] [client 71.206.33.202] request failed: error reading the headers
[Mon Jan 07 09:11:40 2008] [error] [client 99.242.59.94] Invalid URI in request K\x82\x03\x14\xb6\x0f#\xc0\\\xb8\x117\x1b\xd7\x0c\xe2\x89\xf1\x1bzX\x83\x0f
[Mon Jan 07 09:11:50 2008] [error] [client 124.185.181.193] Invalid URI in request L\x87\xb8\x84\v]N
[Mon Jan 07 09:12:42 2008] [warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.
Re: Is my ISP injecting JS line ?
Just caught this topic when looking up on Google issues with 222360.com as I get my virus alert on nearly every page I view for this site as well as
<SCRIPT LANGUAGE="javascript1.2" SRC="http://g.asdafdgfgf.com/ads.js"></SCRIPT>
Pretty much the same issue as is being reported here. I am in England, London using Virgin Broadband as my ISP so it seems odd if it's the ISP to be in both India and UK.
Has anyone come up with anything new on how to track this?
HijackThis is showing up nothing.
Richard
Re: Is my ISP injecting JS line ?
Some more information on this. First we have two computers on my home network on wireless - it is only happening on my computer which is a little strange if it is coming from the ISP. Secondly when I put my browser through a proxy server it does not appear - though I did put it through a secure connection to the proxy server so it may be the secure connection that is stopping it rather than just it being through a proxy server. I'll try direct unsecured connection to my proxy server.
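The comparison being attempted in the posts above (HTTPS versus HTTP, proxy versus direct) can be made repeatable by diffing the script tags of two copies of the same page instead of eyeballing the source. This is an added example, not code from any poster in the thread; the HTML samples and host names are constructed placeholders, and in practice the two strings would be the same URL fetched over the two paths being compared.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the page as received over a path believed clean
# (for example HTTPS) and the same page over the suspect path.
REFERENCE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript">var t = 1;</script>
</head><body><p>Hello</p>
<script src="https://www.example.org/js/menu.js"></script>
</body></html>"""

# The added tag has the shape quoted in the thread; the host is a placeholder.
SUSPECT_HTML = REFERENCE_HTML.replace(
    "</body>",
    '<SCRIPT LANGUAGE="javascript1.2" '
    'SRC="http://ads.example.invalid/ads.js"></SCRIPT>\n</body>',
)


class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> tag, in document order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so an upper-case
        # <SCRIPT SRC=...> is matched as well.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src.strip())


def script_sources(html_text):
    parser = ScriptCollector()
    parser.feed(html_text)
    parser.close()
    return parser.external


def host_of(src, page_host):
    """Host a script loads from; relative URLs load from the page's own host."""
    host = urlsplit(src).hostname
    return (host or page_host).lower()


def injected_scripts(reference_html, suspect_html, page_host):
    """External scripts present in the suspect copy but not in the reference.

    Comparing script sets rather than raw bytes keeps dynamic page content
    (timestamps, session ids) from producing false differences.
    """
    known = set(script_sources(reference_html))
    findings = []
    for src in script_sources(suspect_html):
        if src not in known:
            host = host_of(src, page_host)
            findings.append({
                "src": src,
                "host": host,
                "third_party": host != page_host.lower(),
            })
    return findings


if __name__ == "__main__":
    for item in injected_scripts(REFERENCE_HTML, SUSPECT_HTML, "www.example.org"):
        print(item)
```

Running the same comparison from a second machine on the same connection separates a network-path cause from a local one: a difference that only ever appears on one host points at that host.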
Re: Is my ISP injecting JS line ?
How strange - it seems to have just stopped doing it and cleaned itself but I am not sure what stopped it. Kaspersky virus did alert me to something attempting to write to my registry which I denied and created a rule to deny and this might have been it. The other thing I did that it has not occurred since was to connect via a proxy server - this time non-secure. When I flicked back to non-proxy mode the injected script was no longer happening. Very weird!!!
Anyway I'm glad it's disappeared and I hope some of what I said is of some use.
Re: Is my ISP injecting JS line ?
Hey Merge9, I'm on Virgin in the UK, and I have never had an issue like this. If yours was ISP based, then it's a bit selective.
Re: Is my ISP injecting JS line ?
The problem is back so it did not disappear for long. It does still get injected even when I go through a non secure proxy so it looks like it is some malware on my machine that is not showing up in HijackThis.
Looks like there is no solution for it at present so for now I have just switched off my virus software (Kaspersky) warnings every time it blocks the script so I can live with it.
If anyone gets to the bottom of this please post.
Re: Is my ISP injecting JS line ?
This bit of JS has nothing to do with Virgin.
The domain is registered to some Chinese bloke. The email used was etpreseller@gmail.com. Some research on this in Google leads to a lot of crap about him, like here:
http://db.aa419.org/fakebanksview.php?key=21890
He has many different domains registered, all obscure number/letter combos. It sounds very much like you have been infected with spyware/virus, either on your OS, or some other way.
Re: Is my ISP injecting JS line ?
I have just updated my Realplayer 11 Beta to the full version of Realplayer 11 and this 'seems' to have stopped the js being injected. I have viewed about 30 pages now and it is not being injected to any. Anyone else that has this were you using the beta of Real Player 11? Does not quite make sense though for the guy that reformatted his machine and still had problem!!
EDIT: Ignore that - it has reappeared again after about 100 page views.
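Going back to the Apache access log posted earlier in this thread: the string `\x13BitTorrent protocol` is what a BitTorrent peer sends first when it opens a connection (a length byte of 19 followed by the 19-character protocol name), so those entries are peer connections arriving on the web server's port rather than HTTP requests. The triage below is an added example, not code from any poster; the log lines are constructed in the same shape as the posted ones, using documentation-range addresses.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) (\S+)$')
# A well-formed request line: METHOD SP target SP HTTP/x.y
HTTP_REQUEST = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Apache writes non-printable request bytes as \xhh in the access log
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')
# Raw string: this is the text as it appears in the log, not the byte 0x13
BT_HANDSHAKE = r'\x13BitTorrent protocol'

# Constructed sample lines (not copied from the thread).
SAMPLE_LOG = r"""
192.0.2.10 - - [07/Jan/2008:09:09:58 +0530] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [07/Jan/2008:09:10:07 +0530] "\x13BitTorrent protocol" 400 226
203.0.113.44 - - [07/Jan/2008:09:10:20 +0530] "\x8f\x02\xa1Q\xd3\x10(\xee" 400 226
203.0.113.44 - - [07/Jan/2008:09:11:20 +0530] "\x8f\x02\xa1Q\xd3\x10(\xee" 400 226
198.51.100.23 - - [07/Jan/2008:09:10:27 +0530] "K\xa7\xe1" 200 -
this line is not in common log format
""".strip().splitlines()


def classify(request):
    """Label the quoted request field of one access-log entry."""
    if HTTP_REQUEST.match(request):
        return "http"
    if request.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    if ESCAPED_BYTE.search(request):
        return "binary"
    return "other-non-http"


def triage(lines):
    """Summarise non-HTTP traffic: counts per kind, per client, and any
    non-HTTP entry that was nevertheless logged with status 200."""
    kinds = Counter()
    non_http_by_client = Counter()
    non_http_200 = []
    unparsed = 0
    for line in lines:
        match = CLF.match(line)
        if not match:
            unparsed += 1
            continue
        client, request, status, _size = match.groups()
        kind = classify(request)
        kinds[kind] += 1
        if kind != "http":
            non_http_by_client[client] += 1
            if status == "200":
                non_http_200.append((client, request))
    return {
        "kinds": dict(kinds),
        "non_http_by_client": dict(non_http_by_client),
        "non_http_200": non_http_200,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```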