Is my ISP injecting JS line ?


RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Ok, just checking.

I think you need to escalate this issue to the next level at your ISP. It is crap that they are doing that to you (and goodness knows how many others).
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Something isn't right here.

From the information that has been provided it would seem that an Internet backbone is injecting it, which isn't probable.

Did you test this using an Ubuntu Live CD as I recommended? And why do you still have JavaScript enabled when you know some of it is coming from untrusted sources?

I'm having a hard time buying your story. What does port injection have to do with this? What evidence do you have to support that port injection is indeed occurring? Do you think that is possible? Do you think that would work on every single http request made? What if you request an image, executable or binary? Is this js line limited to a specific mime type or is it injected into all responses from all servers with a specific header?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

RobertGonzalez wrote: I think you need to escalate this issue to the next level at your ISP. It is crap that they are doing that to you (and goodness knows how many others).
No use complaining to the ISP if others aren't complaining. Tech support at that level is not possible.
Benjamin wrote: From the information that has been provided it would seem that an Internet backbone is injecting it, which isn't probable.
It's true that it's going to prove that - but after
formatting my primary hard-disk (second hard-disk just contains all my data)
re-installing XP SP2
didn't add any FF extensions (only AdBlock Plus a while later)
use only User group mode (never in admin unless for installation)
checked with PHP code by file_get_contents()

- and it's still occurring - I can't see how it can be that my PC is affected. And moreover, there are others mentioning they have the same issues.
Benjamin wrote: Did you test this using an Ubuntu Live CD as I recommended?
Download issues - based on a pattern of complaints, it's possible that that script is giving a DoS attack, since most can't seem to download and a webpage takes forever to download (when this attack is active). Apart from the fact that I'm on 256kbps.
Benjamin wrote: And why do you still have JavaScript enabled when you know some of it is coming from untrusted sources?
This is going to take a while to resolve - I've already spent over 1 week on this thinking it was my PC that was infected somehow (in spite of CCleaner, Spybot S&D, AVG AV, HijackThis all reporting 100% clean). I've got to get back to web-dev stuff which requires JS, and the AdBlock Plus extension is good enough to block whatever I want (JS, images, CSS, frames etc). I'm obviously not using IE.
Benjamin wrote: I'm having a hard time buying your story. What does port injection have to do with this?
Me too - but after reading the Experts Exchange thread, I was pretty sure it wasn't PC related.
"port injection" in the sense of attacking a port by continuous DoS, thereby slowing down the internet. Nothing to do with the JS line injection - but it ALWAYS happens when the JS line injection starts.
Benjamin wrote: What evidence do you have to support that port injection is indeed occurring? Do you think that is possible?
well .... Something is definitely going on.
Benjamin wrote: Do you think that would work on every single http request made? What if you request an image, executable or binary?
Once the JS line injection is active, the connectivity becomes terribly slow for everything.
Benjamin wrote: Is this js line limited to a specific mime type or is it injected into all responses from all servers with a specific header?
Only HTML, XHTML pages. It isn't getting inserted into RSS, or exe files.

Unfortunately most of the results on 222360.com are in Chinese and the translation is not all that easy to read.
Inkyskin
Forum Contributor
Posts: 282
Joined: Mon Nov 19, 2007 10:15 am
Location: UK

Post by Inkyskin »

Do you know anyone else who lives nearby who is on a different ISP? It might be worth taking your box to their place and trying it - it would rule out spyware etc or port injection depending on what results you got.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Post by Jonah Bron »

Is it possible for you to dialup on a different connection?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

PHPyoungster wrote: Is it possible for you to dialup on a different connection?
... or use a proxy...
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

This should be easy: HTTPS should be clean as it is encrypted and signed. Can you surf to a site like that and see if the js persists?
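The HTTPS comparison suggested above can be made mechanical: fetch the same page over a channel the injector cannot touch (https://, another ISP, a remote proxy) and diff the external script references. This is an added example written for this thread, not code from any poster; the sample pages are constructed, and www.example.com stands in for the page's own host.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag (HTMLParser lowercases
    tag and attribute names, so <SCRIPT ... SRC=...> is matched too)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_sources(html):
    """Return the external script URLs referenced by an HTML document, in order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def injected_scripts(suspect_html, reference_html):
    """Script URLs present in the suspect copy but absent from the reference copy.
    The reference copy is the same page fetched over https://, a different ISP,
    or a trusted remote proxy, so an in-path injector cannot have altered it."""
    return sorted(set(script_sources(suspect_html)) - set(script_sources(reference_html)))


def foreign_script_hosts(html, page_url):
    """Hosts of external scripts that are not the page's own host, for the case
    where no clean reference copy is available."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    hosts = set()
    for src in script_sources(html):
        host = urlsplit(src).hostname
        if host and host.lower() != page_host:
            hosts.add(host.lower())
    return sorted(hosts)


def fetch(url, timeout=20):
    """Fetch a page body as text. Call it for the http:// and https:// forms of
    the same URL (or directly and via a proxy) and pass both to injected_scripts."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


# Constructed sample: one copy of a page as served cleanly, and the same copy
# with the tag reported in this thread appended just before </body>.
CLEAN_PAGE = """<html><head><title>test</title>
<script src="/js/site.js"></script></head>
<body><p>hello</p></body></html>"""

TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<SCRIPT LANGUAGE="javascript1.2" SRC="http://g.asdafdgfgf.com/ads.js"></SCRIPT></body>',
)

if __name__ == "__main__":
    print("injected:", injected_scripts(TAMPERED_PAGE, CLEAN_PAGE))
    print("foreign hosts:", foreign_script_hosts(TAMPERED_PAGE, "http://www.example.com/"))
```

If the injected tag shows up in the plain-HTTP copy but not in the HTTPS copy, the modification is happening on the wire; if it is in both, look at the machine itself.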
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Ambush Commander wrote: This should be easy: HTTPS should be clean as it is encrypted and signed. Can you surf to a site like that and see if the js persists?
I don't think it gets into HTTPS pages (not sure, it's definitely not in Google pages).
Btw, new crazy activity. I was checking out my Apache logs.

What on earth is this? I don't have any BitTorrent s/w installed.
I have FlashGet 1.90 which I haven't run in more than a week since I've decided to use GnuWin32 wget instead.

And how is it that some of these are returning 200 HTTP status codes?
Example:

Code:

71.181.173.208 - - [07/Jan/2008:09:10:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -
It's impossible.

apache access.log :

Code:

84.203.83.71 - - [07/Jan/2008:01:40:29 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:44:31 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:45:32 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:45:58 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:46:38 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:47:08 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
82.224.102.208 - - [07/Jan/2008:01:47:22 +0530] "\x02\xa3\xd3\x90\x9e*\xe6\xaf\xb2\x8f\x84\xde\xd2^x\xc3\x84\x9f\xde\x90*\xbf\x1fh\xdb\x9d\x12\xe1\xc1q\xac,\x91\x0e\xe1\xa5\xcb\xc6f]rxE" 200 -
84.203.83.71 - - [07/Jan/2008:01:48:13 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:48:52 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:50:10 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:51:00 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:51:33 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:51:56 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:53:30 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:56:30 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:58:36 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:01:59:09 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:01:12 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:03:33 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:04:25 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:05:06 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:05:45 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:06:34 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:07:33 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:08:34 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:10:38 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:11:11 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:12:39 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
84.203.83.71 - - [07/Jan/2008:02:13:27 +0530] "|\xebx\x88\xec\xbe\x15[\xefO([\xb1\xad%\x9c&f\xd9V\xc9\xde\xcd\xca\x85\x9e\x84\xef$\x9c\x9f!%CMC\x88\x9c9n\xcd\xf8^b\xec\x92\x0c\xa4x'[\x8dD\xd7\x01Pe|>\xb2\xc9\x1f\x02\xfb\x14\xdd\xf0\xda\xf3x\xb5C}\xed\xf1\x11" 400 226
59.167.108.131 - - [07/Jan/2008:08:57:17 +0530] "\xf3\x13G_\x13Z&-\xba\xa0\x12\xd7c:\x84\xec\xa7\x9dI!\x1fX\x0fV\xb1\x8e\x0eO\xf3kP\x0e\xa5\xcelI\xd9\xfd\xe6J\xb2Y\x03^6K\x05\x1dx\xb0\xfb7\xf8D\xb1\xb6F\x96\xce-|\x80A\xcc\"\xff\xe5\xb2\xadjK\x86\xf6^\x04\xcc\xde{5(/\x98*n]\xba/\x14\xef\xdf~S\x03]|\xb4\xad\x0e\xfa\\\xd6h.\x9b\x12y\xc4\x8d\x7fT\xb5\xb1\xb7\x83\xf2J\x86\xd4\x9ao),\xf3\xf7\xf7\x07},a\xf7\x1b2\x8b\xf8r\xc6\xac=\xfd\xc2\xbe\x93(a\xc3\x18J\xa6\x93\xbc\x8fA\x04\xa7\xb3\x96P\x9f6\x1f\xed\xbe\x15\x15\x8fW&\xdc\x1b\x15\x1b)L\xec\xf3`~\x94\xf8z\xe8\xd0\xf5/(\xbe\xfd\xaf\xb3\xda\x13\xe0\xc0\x89/\xe2\xba\x85X'E\x8d\x14\x8b\xc4\xf8\xd6\xcf!\t \xe1$X\x1a\x01a\xa4\xdd\xb3\xa7\x1cP\x81aM\xde/_\xd1\x9b\xc0!\xd6e\xfd9\xc3\x16\xc6[k\xb2\xab\xb4\x9d\xd6\x0ee\xc8\xf4\x04\xa4o\x13\x0e\x11$\x85\xb1\x0f\xf4\x8e\xb7}\xb3\x84\xa6\xd9_o5\x9by*\xbb\x9c\xf0%\x97,\r\xe0\xca\xadd\xdd\xa10\xcaB7H\xf0\x83|\xe9" 400 226
68.49.115.32 - - [07/Jan/2008:08:58:16 +0530] "\x17\xdc\xe7\xbd3\x18\xe1\x86\xba\x99\xc2L\x88\xd2g\xf6\xe9\x12\xb1>\xecU\x9b\xb8\x97\x03\xb4\xe6Z\xd6\x86\xcc\xfeW\xad\xdd\"\xfe2\x9d?'\xb0\x8f\xf9" 200 -
59.167.108.131 - - [07/Jan/2008:08:59:17 +0530] "\xf3\x13G_\x13Z&-\xba\xa0\x12\xd7c:\x84\xec\xa7\x9dI!\x1fX\x0fV\xb1\x8e\x0eO\xf3kP\x0e\xa5\xcelI\xd9\xfd\xe6J\xb2Y\x03^6K\x05\x1dx\xb0\xfb7\xf8D\xb1\xb6F\x96\xce-|\x80A\xcc\"\xff\xe5\xb2\xadjK\x86\xf6^\x04\xcc\xde{5(/\x98*n]\xba/\x14\xef\xdf~S\x03]|\xb4\"\xaf*'pV\x89\xaen\xc6\xcaw\xe4\xb6\xdb\x95\bpy[\xa6\x8e@zz\x9e}j\t\xc4\xe5\x0f\xfb%Gd$\x92\xd9\x81\x8c\\\x92\x8c;\x0cg%:\xfcv\xa5>\"\xef\x9c\xb7-\xecv\x11\xdf\x19\x16\xb0\x91\x93\x15\x81\xad\x96]\x12$\x9bt\xf7\x89\xe1\x87\xba4d/%\x84c\xb4nK\xe1p\xf7*\xda/\rF\x0c\xa2\xe27\xedUH\x0eR\x0c\xfa\x07\x8c\xec\xf6T\x7f\x11\xf5\"P\xd2\x87Y\xb7\xcb\xed\x98\x05\x92n,W" 400 226
99.233.141.118 - - [07/Jan/2008:09:09:36 +0530] "\x8a" 200 -
68.149.182.249 - - [07/Jan/2008:09:10:03 +0530] "\xc4\xea\xb0\xba\x1d\x93\xf8\xa3\x84\xcc&\xaf\xa0~\xd3\xdb\xdd$\x14\x8a\xb2\xda)|L%\x8d0\x97\xa4\xf1\x88fA\x8f\xc6\x94U.\x05R\xc0\xf5\xa6\xc0Z(\xe2.\xd0k*g\xc2~y\xd6\xfe\xc3R\xec!\xf5+M_\xd2GP\xc6\xa0[/\x8e/`oc\x1c\xe3KS&\x8c\xfau4\"3\x8amh\x97&Q\x07\xc7\v6\xc4T\xfb\x88\x1b\x1f\xb6\xe8\x9bH\x8f\xa5\xc9\xfb8\x9eg\x80w\xe6<1k\x8b\xa1\x1b\x84\xe9\xa4;\xc1\xcaR\xa4\xd2\x05\xc6\x12,db\x93\r\x01y" 400 297
193.77.76.197 - - [07/Jan/2008:09:10:07 +0530] "\x13BitTorrent protocol" 400 226
24.4.248.49 - - [07/Jan/2008:09:10:20 +0530] "\x9c\x04\x98\x91(\xf0\xdc\xda\xa8c_(\xae1C\\\xbd\xef7\xb8\x8c\x1b5\xb2\xc2sk\x9eQ\x99\x85\xdbd\x17k\r\x10\xe5(\xd8Zd\xd9\xfb\x87A\x84c\\\xa5X\x95\xb9w\x80\b \xc5W\x12\x8d\xa9,\\\xf2\xfcN.\x81\x8d\xc0u\x8a\x13_U<\xc2\xb3\x8cXO\x8d\xdc\x94\x01V\xbb\xd7Kk\x1f\x8b\x9cU\x01\xfe\xfe" 400 379
89.176.50.144 - - [07/Jan/2008:09:10:24 +0530] "?\xc24\x85\xf3\xb6@\xa2n\xcc\xb3=\xb0" 200 -
70.71.239.121 - - [07/Jan/2008:09:10:24 +0530] "\x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83" 400 226
201.80.105.46 - - [07/Jan/2008:09:10:05 +0530] "\xebZoq\x15\x18\x18\x04B\xdfd\x84@\xc5;\x87\x86\xdc\x95\xa7\x0c?\xa0E<\xa7\xf7\x87\xff\xbb$\xf78Zc.\x8e\x11\xac" 400 226
71.181.173.208 - - [07/Jan/2008:09:10:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -
89.176.92.235 - - [07/Jan/2008:09:10:27 +0530] "L\xe8\xe5" 200 -
71.206.33.202 - - [07/Jan/2008:09:10:24 +0530] "\xbd^^\xa8G\x1a\x1a\x9d\x12g6\xb5\x83\v\xea:\xccl\xde\xad\xce\xd1P\xc7\x7f\x9c}4N\xc9\v#\x1cw\xb2U\xf8\xfd\x87\xdfP\xb3w?\x17v\x1aVf" 400 226
68.51.202.178 - - [07/Jan/2008:09:10:35 +0530] "\x13BitTorrent protocol" 400 226
99.233.85.122 - - [07/Jan/2008:09:10:31 +0530] "\x10\xae\x90\xba,k\xc4\x86\xb3\xab\x9d.\xbe\x9f\xf7=\xacI\xbc\xbar\xa2\xaaQ;K\xce0\xac\xe5y@\xd7\xc8\x92et\xa0\\\x92\x04\x84/\x9c9\xf6\x9f:\xe8\x16Re\x9d\xbf.'TO\xa1\x9au\x0eX\x04\xf8\xcd\x1d\xc05\xd0\xed\x17Ba1*\xa4Q\x1d\xdb\rY\xc5\xad\x99\xe7P\xcd(\xc4?\xcfR\\\xf1\xb7LWbJx\x0e\xe0\x13O\x93j\xc9\x14\xe4\xfa@A]\xd8\\\xf5sQ\xc5c{F\xce\rf\\\x0c]$\x91\xebrJ\x87\x12\xb5\x03+\xd4dU|\x1eY\xab{\x13WaL\xfb0\x8a\xe4&\xd4\x8d\xb3\xdc5\x86*\xbct'\xb4d)\xbe\x1c\xea\x98n\x92\x97~\xbb\xce\x1bF\x1f*\xd4\xee\xb6\xc2`)\x14\xcf\x86\xc6\xade\xc4i\xb0\xde\xefZ\xb7>\xb7'\x8e\xac\xb5yL\x9f\xa6~\x1eu\x0f\xe4\x17:\xb7\x03\t(\x97\xeb\xed\x19X4" 400 226
220.233.108.97 - - [07/Jan/2008:09:10:25 +0530] "\x02\x7f\xf3\xf9\xc7_\xd3\xd0\xb6\xd8\xbeI\xc7W\xb89\x06\xfe\xda\xd7~rgJ\xe5\xe2Sr\xfd\xae\xaf5\xe0\x1a\xdc\xc9\x95\xdc\x80y\x9c,\x86g$\xc2g\xb7d!v\x91!d\x99\x9f\x04\xcav\x14[/P\xe6a\x92\x98\xc9\x8a\xb0\xb0\x87\x12_\x0e\xa0\x1a\xf7\"S\x9f\xb7\vt\x0egg\xd3\x8b\xc3)\xbc\xd6h\xc5ur\xc0Fl\xb7b\xe3\x1cN![\x15\x14$\xd8\x8bDv\xa9\x99$\xa6c\x0c\xbaN\xfa\x89\x0fp\xeeS\xb2\x07\x91\x1fO\xfa\xe2\xd7\xe0\xf6$\xb9\x81\xf9\xa4\xe5\xa3?\x84\xc4sD\x9f\x0c\x1b\xdaF]\x1b\xcbR\xfa\xfei=\x94\xa0[\x85<\x9fL\xdcgQe\xe9\xabV\xe4@U}\x88q\xd3\xe5\xf2\xbc2\xed%\xddf\xdf\xa5\xf2\xf8w\x86\x96;ma\x9fS4\xb76\x8c\xb4o\xb75\xee\xb4d*\x0f\x87j\x9b\x06\xb2\x97;+N\x9d\xac\xea" 400 226
124.185.181.193 - - [07/Jan/2008:09:10:50 +0530] "L\x87\xb8\x84\v]N" 400 226
71.193.165.213 - - [07/Jan/2008:09:10:50 +0530] "\xcb\xdf\x13(\x8a\x12\xa9>\xd8\xb74\xda\x9b\xb1\xb0T!R\x19" 200 -
85.144.180.58 - - [07/Jan/2008:09:11:00 +0530] "\x80\xbd\xb7\x8a\xc4\x1a\xd2\xb1\xbd\xf4\xf7o\xdd" 200 -
203.87.210.166 - - [07/Jan/2008:09:11:05 +0530] "\xea\x9a\x97\xc9*\x10\x06w\x98\x17\xc9G\xee\xc8\x89j\r!\xb5V\xe0\x01^\xd3\xa8\x1a*\xfe\x11\xec\x95b\x9e\xda\x1f\xdb\x05\xc8\xd4\xfb\xf0\xeb*\x93}\xc2S\x1b^'\xcb3" 400 226
207.255.238.209 - - [07/Jan/2008:09:11:08 +0530] "j\xbd\xc2';\x1d g\xbf\xa3\xf0s\xd9\x1aqj=t\xb2mV\xf0!\xb3\x01\xddU^\xa5Z\xb3\xf1\x85\x9bJx\\EQHoGI\xa7\xd8\xec\xe3\xc1Dv{\x9d\xac\x8ei\xda\xdc]\xc3" 400 226
216.146.161.174 - - [07/Jan/2008:09:11:13 +0530] "\x13BitTorrent protocol" 400 226
58.172.80.119 - - [07/Jan/2008:09:11:14 +0530] "\t\x0f\xb8l\x90\x84p\\\xbf\xdd\x97\x82\r\x7f\x15\xdc\xb5\xc9\xf3\xde\x10@\xe7\x18\xca\x8a\x90j\xfe\xa3 \xda+\xd9\x19s\x05u=)K@\xda\xf0Z]\xf2\r#\xf5\x13\"\xd7\xea\x1a\xc3\x06u\x10\xaf\xff\x81\xdf$\xdd\xbf\xf7/w\x96\xe9\xf6\x05\xd4\x1d\r=\x17,\xdd\x99\x1f\xca\\G%\x9eTC\x85\xfaPM\x98S\x91\x0e kQ\xb8\xb5\xe5a\xba\x96\xb9\bh\x86\xd4T\xf6\xc3H\xa0\xa3\xcb\xf2R\xad\"\x0e1\x9f\xe3\xefW\x13+9\xc6\xbf\xa7\xf8\xf0$\xae\x13\xc4\x03\x0eQ\xb2\xdb\v(\x86}\x1eW\x04\xca1\x95%p\xdf\xf9\x19j\xf3+\xdf\xaa\xfc\xbe)\xf3\xe9\x928\x0f\x7f\x8eVp\r!n" 400 226
70.71.239.121 - - [07/Jan/2008:09:11:23 +0530] "\x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83" 400 226
89.176.50.144 - - [07/Jan/2008:09:11:23 +0530] "?\xc24\x85\xf3\xb6@\xa2n\xcc\xb3=\xb0" 200 -
84.95.127.135 - - [07/Jan/2008:09:11:04 +0530] "\x8c\xceqqT(\xbf?\xd07\x03\x86:\xce\xcej\xee\x98\x95F\xd5\xb4\xb9\x16\xcc[C%f\x9a\xe0\xe36,t5\xb2\x1dD\xf4e\x12{\v<\xd11\xc6G\x96\x15\xech%\xb7:i\xba\v\xa4\xc1\x97\xf4\xce!hM9z\xecx\x1c\xd8\xae\xf0\x04\xc5K\xab\xa8" 400 226
71.181.173.208 - - [07/Jan/2008:09:11:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -
99.233.141.118 - - [07/Jan/2008:09:11:27 +0530] "\x9aC\xe2\xdc\x18\xa4G\xdf\xec5\xf9\xbb\xd7\xab\xec$\xc0\xc3\xc6\xeeS\xcc*\x06\xf2\xa1\x97\\\x07\xc1\x19\b\xf4\x95\xe8" 200 -
71.206.33.202 - - [07/Jan/2008:09:11:25 +0530] "\xbd^^\xa8G\x1a\x1a\x9d\x12g6\xb5\x83\v\xea:\xccl\xde\xad\xce\xd1P\xc7\x7f\x9c}4N\xc9\v#\x1cw\xb2U\xf8\xfd\x87\xdfP\xb3w?\x17v\x1aVf" 400 226
99.242.59.94 - - [07/Jan/2008:09:11:40 +0530] "K\x82\x03\x14\xb6\x0f#\xc0\\\xb8\x117\x1b\xd7\x0c\xe2\x89\xf1\x1bzX\x83\x0f" 400 226
124.185.181.193 - - [07/Jan/2008:09:11:50 +0530] "L\x87\xb8\x84\v]N" 400 226
71.193.165.213 - - [07/Jan/2008:09:11:51 +0530] "\xcb\xdf\x13(\x8a\x12\xa9>\xd8\xb74\xda\x9b\xb1\xb0T!R\x19" 200 -
89.176.92.235 - - [07/Jan/2008:09:12:03 +0530] "U\xf6<\xbdE6\xc6\x99\x1b\x02,\xc7\xdd\xa3\xf8'\xbd\xc8\xfba\x0e\xbd\xfe\xf9@\xec\xa8\x1e\xfb\xb3\xc1\xb4Y\xd2\x1b\x89\x0e\xa6n\x0e\x8f\xb3\xfa\xc3\xeez;" 200 -
85.144.180.58 - - [07/Jan/2008:09:12:19 +0530] "\x80\xbd\xb7\x8a\xc4\x1a\xd2\xb1\xbd\xf4\xf7o\xdd" 200 -
apache error.log :

Code:

[Mon Jan 07 08:57:24 2008] [error] [client 59.167.108.131] request failed: error reading the headers
[Mon Jan 07 09:04:18 2008] [error] [client 59.167.108.131] request failed: error reading the headers
[Mon Jan 07 09:10:03 2008] [error] [client 68.149.182.249] request failed: error reading the headers
[Mon Jan 07 09:10:07 2008] [error] [client 193.77.76.197] Invalid URI in request \x13BitTorrent protocol
[Mon Jan 07 09:10:20 2008] [error] [client 24.4.248.49] request failed: error reading the headers
[Mon Jan 07 09:10:24 2008] [error] [client 70.71.239.121] Invalid URI in request \x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83
[Mon Jan 07 09:10:25 2008] [error] [client 201.80.105.46] request failed: error reading the headers
[Mon Jan 07 09:10:31 2008] [error] [client 71.206.33.202] request failed: error reading the headers
[Mon Jan 07 09:10:35 2008] [error] [client 68.51.202.178] Invalid URI in request \x13BitTorrent protocol
[Mon Jan 07 09:10:38 2008] [warn] (OS 64)The specified network name is no longer available.  : winnt_accept: Asynchronous AcceptEx failed.
[Mon Jan 07 09:10:38 2008] [error] [client 99.233.85.122] request failed: error reading the headers
[Mon Jan 07 09:10:45 2008] [error] [client 220.233.108.97] request failed: error reading the headers
[Mon Jan 07 09:10:50 2008] [error] [client 124.185.181.193] Invalid URI in request L\x87\xb8\x84\v]N
[Mon Jan 07 09:10:55 2008] [warn] (OS 64)The specified network name is no longer available.  : winnt_accept: Asynchronous AcceptEx failed.
[Mon Jan 07 09:11:05 2008] [error] [client 203.87.210.166] Invalid URI in request \xea\x9a\x97\xc9*\x10\x06w\x98\x17\xc9G\xee\xc8\x89j\r!\xb5V\xe0\x01^\xd3\xa8\x1a*\xfe\x11\xec\x95b\x9e\xda\x1f\xdb\x05\xc8\xd4\xfb\xf0\xeb*\x93}\xc2S\x1b^'\xcb3
[Mon Jan 07 09:11:08 2008] [error] [client 207.255.238.209] Invalid URI in request j\xbd\xc2';\x1d g\xbf\xa3\xf0s\xd9\x1aqj=t\xb2mV\xf0!\xb3\x01\xddU^\xa5Z\xb3\xf1\x85\x9bJx\\EQHoGI\xa7\xd8\xec\xe3\xc1Dv{\x9d\xac\x8ei\xda\xdc]\xc3
[Mon Jan 07 09:11:13 2008] [error] [client 216.146.161.174] Invalid URI in request \x13BitTorrent protocol
[Mon Jan 07 09:11:22 2008] [error] [client 58.172.80.119] request failed: error reading the headers
[Mon Jan 07 09:11:23 2008] [error] [client 70.71.239.121] Invalid URI in request \x8dq\xde\xf0\xd5SE\xe7\xd5\xab\x10\x85\x8a\x19\xbd\xd5\xf0\xb3\xdb\x93*\xff}\xbd\xd8\xd8g\xeb\xf05DK\xf7N\xa1+\xd1\v\x83
[Mon Jan 07 09:11:24 2008] [error] [client 84.95.127.135] request failed: error reading the headers
[Mon Jan 07 09:11:32 2008] [error] [client 71.206.33.202] request failed: error reading the headers
[Mon Jan 07 09:11:40 2008] [error] [client 99.242.59.94] Invalid URI in request K\x82\x03\x14\xb6\x0f#\xc0\\\xb8\x117\x1b\xd7\x0c\xe2\x89\xf1\x1bzX\x83\x0f
[Mon Jan 07 09:11:50 2008] [error] [client 124.185.181.193] Invalid URI in request L\x87\xb8\x84\v]N
[Mon Jan 07 09:12:42 2008] [warn] (OS 121)The semaphore timeout period has expired.  : winnt_accept: Asynchronous AcceptEx failed.
Should I temporarily change my Apache port number from 80?
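As an added triage example (written for this thread, not code from the post), the script below parses access.log lines like the ones above, decodes Apache's \xNN escaping back to raw bytes, and classifies each request as a normal HTTP request line, a plaintext BitTorrent peer-wire handshake (a length byte of 19, logged as \x13, followed by "BitTorrent protocol"), or other non-HTTP binary, then tallies them per client address. The sample lines are copied from the post, except the final GET from 192.0.2.10, which is constructed.

```python
import collections
import re

# One access.log line in Apache's common log format, as in the post above.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

# A well-formed request line: METHOD SP request-target SP HTTP/x.y
HTTP_REQ = re.compile(r"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")

# Apache's single-character escapes inside the quoted request field.
_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v", "b": b"\b",
            "f": b"\f", '"': b'"', "\\": b"\\"}

# Plaintext BitTorrent handshake: one length byte (19) + "BitTorrent protocol".
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def unescape_request(field):
    """Turn Apache's escaped request field (\\xNN, \\v, \\", ...) back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            n = field[i + 1]
            hexpair = field[i + 2:i + 4]
            if n == "x" and len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                out.append(int(hexpair, 16))
                i += 4
                continue
            if n in _ESCAPES:
                out += _ESCAPES[n]
                i += 2
                continue
        out += c.encode("latin-1", "replace")
        i += 1
    return bytes(out)


def classify(raw):
    """Label the raw request bytes by what they look like on the wire."""
    if raw in (b"", b"-"):
        return "empty"
    if HTTP_REQ.match(raw.decode("ascii", "replace")):
        return "http"
    if raw.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    return "non-http-binary"


def parse_line(line):
    """Parse one log line into a record, or return None if it is not in the format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ip, ts, req, status, size = m.groups()
    raw = unescape_request(req)
    return {"ip": ip, "time": ts, "request": raw, "status": int(status),
            "bytes": None if size == "-" else int(size), "class": classify(raw)}


def summarize(lines):
    """Records plus tallies: requests per class, and per client address per class."""
    recs = [r for r in map(parse_line, lines) if r]
    by_class = collections.Counter(r["class"] for r in recs)
    by_ip = collections.defaultdict(collections.Counter)
    for r in recs:
        by_ip[r["ip"]][r["class"]] += 1
    return recs, dict(by_class), {ip: dict(c) for ip, c in by_ip.items()}


def non_http_with_200(recs):
    """Addresses whose non-HTTP garbage was logged with status 200 (the oddity asked about)."""
    return sorted({r["ip"] for r in recs if r["class"] != "http" and r["status"] == 200})


# Sample lines copied from the post, plus one constructed ordinary GET (192.0.2.10).
SAMPLE_LINES = [
    r'193.77.76.197 - - [07/Jan/2008:09:10:07 +0530] "\x13BitTorrent protocol" 400 226',
    r'71.181.173.208 - - [07/Jan/2008:09:10:26 +0530] "%J\x9d\xbf\xfc\x9dh" 200 -',
    r'124.185.181.193 - - [07/Jan/2008:09:10:50 +0530] "L\x87\xb8\x84\v]N" 400 226',
    r'68.51.202.178 - - [07/Jan/2008:09:10:35 +0530] "\x13BitTorrent protocol" 400 226',
    r'192.0.2.10 - - [07/Jan/2008:09:12:00 +0530] "GET /index.php HTTP/1.1" 200 1534',
]

if __name__ == "__main__":
    records, per_class, per_ip = summarize(SAMPLE_LINES)
    print(per_class)
    print(per_ip)
    print("non-HTTP requests logged as 200:", non_http_with_200(records))
```

A run of such handshakes against port 80 means BitTorrent peers believe this address is a peer; the web server is only being probed, not being used, and the 400 responses show Apache rejecting the connections.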
Merge9
Forum Newbie
Posts: 8
Joined: Sat Jan 12, 2008 6:37 pm

Re: Is my ISP injecting JS line ?

Post by Merge9 »

Just caught this topic when looking up on google issues with 222360.com as I get my virus alert on nearly every page I view for this site as well as
<SCRIPT LANGUAGE="javascript1.2" SRC="http://g.asdafdgfgf.com/ads.js"></SCRIPT>

Pretty much the same issue as is being reported here. I am in England, London using Virgin Broadband as my ISP so it seems odd if it's the ISP to be in both India and UK.

Has anyone come up with anything new on how to track this?

Hijackthis is showing up nothing.

Richard
Merge9
Forum Newbie
Posts: 8
Joined: Sat Jan 12, 2008 6:37 pm

Re: Is my ISP injecting JS line ?

Post by Merge9 »

Some more information on this. First we have two computers on my home network on wireless - it is only happening on my computer which is a little strange if it is coming from the ISP. Secondly when I put my browser through a proxy server it does not appear - though I did put it through a secure connection to the proxy server so it may be the secure connection that is stopping it rather than just it being through a proxy server. I'll try direct unsecured connection to my proxy server.
Merge9
Forum Newbie
Posts: 8
Joined: Sat Jan 12, 2008 6:37 pm

Re: Is my ISP injecting JS line ?

Post by Merge9 »

How strange - it seems to have just stopped doing it and cleaned itself but I am not sure what stopped it. Kaspersky virus did alert me to something attempting to write to my registry which I denied and created a rule to deny and this might have been it. The other thing I did that it has not occurred since was to connect via a proxy server - this time non-secure. When I flicked back to non-proxy mode the injected script was no longer happening. Very weird!!!

Anyway I'm glad it's disappeared and I hope some of what I said is of some use.
Inkyskin
Forum Contributor
Posts: 282
Joined: Mon Nov 19, 2007 10:15 am
Location: UK

Re: Is my ISP injecting JS line ?

Post by Inkyskin »

Hey Merge9, I'm on Virgin in the UK, and I have never had an issue like this. If yours was ISP based, then it's a bit selective
Merge9
Forum Newbie
Posts: 8
Joined: Sat Jan 12, 2008 6:37 pm

Re: Is my ISP injecting JS line ?

Post by Merge9 »

The problem is back so it did not disappear for long. It does still get injected even when I go through a non-secure proxy so it looks like it is some malware on my machine that is not showing up in HijackThis.

Looks like there is no solution for it at present so for now I have just switched off my virus software (Kaspersky) warnings every time it blocks the script so I can live with it.

If anyone gets to the bottom of this please post.
Inkyskin
Forum Contributor
Posts: 282
Joined: Mon Nov 19, 2007 10:15 am
Location: UK

Re: Is my ISP injecting JS line ?

Post by Inkyskin »

This bit of JS has nothing to do with Virgin.

The domain is registered to some Chinese bloke. The email used was etpreseller@gmail.com. Some research on this in Google leads to a lot of crap about him, like here:

http://db.aa419.org/fakebanksview.php?key=21890

He has many different domains registered, all obscure number/letter combos. It sounds very much like you have been infected with spyware/virus, either on your OS, or some other way.
Merge9
Forum Newbie
Posts: 8
Joined: Sat Jan 12, 2008 6:37 pm

Re: Is my ISP injecting JS line ?

Post by Merge9 »

I have just updated my Realplayer 11 Beta to the full version of Realplayer 11 and this 'seems' to have stopped the js being injected. I have viewed about 30 pages now and it is not being injected to any. Anyone else that has this were you using the beta of Real Player 11? Does not quite make sense though for the guy that reformatted his machine and still had problem!!

EDIT: Ignore that - it has reappeared again after about 100 page views.