Is my ISP injecting JS line ?
-
Charles256
- DevNet Resident
- Posts: 1375
- Joined: Fri Sep 16, 2005 9:06 pm
Re: Is my ISP injecting JS line ?
it's a virus. format your hard drive. disconnect PC from the internet. install OS of your choice. install firewall and antivirus of your choice. connect to the internet. update firewall and antivirus before doing anything else. enjoy life.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is my ISP injecting JS line ?
Someone in this thread already did that and was still knackered.
-
Charles256
- DevNet Resident
- Posts: 1375
- Joined: Fri Sep 16, 2005 9:06 pm
Re: Is my ISP injecting JS line ?
I don't believe the OP did it properly, hence why I recommended it again. Surely we've all done tech support where the lady swears to have hit the start button only to find out later that her t.v. has a start button.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is my ISP injecting JS line ?
Hi guys,
I am located in India, and I have a strong networking and technical background over the past 10 years.
My entire office is facing exactly the same problem, first the 222360.com JS injections and then the g.asdafdgfgf.com/ads.js injections.
Here are a few notes:
> I have been facing this problem since the past week.
> It has absolutely nothing to do with the PC, client side. It is being injected from outside our network. I have done a huge amount of research, used a lot of tools and a lot of computers to test this, and am pretty sure of this.
> Our ISP is VSNL (Tata Broadband), but in most cases it's not a problem at the ISP, it's a problem with the local unsecured networks (owned by the cable guys); these routers and hubs are being used by various ISPs such as VSNL (Tata Broadband), Sify, Pacenet etc.
> My immediate problem is being solved by blocking these 2 domains at my firewall, so at least there are no requests being sent out to the site.
> I have contacted the local cable guys, as well as the ISP, and in spite of my repeated attempts, they refuse to believe that it is a virus problem. They keep on pushing that there is a problem with their routers, they keep on replacing hardware, and keep claiming that there is some machine broadcasting on their network.
> Most other sites in this regard are in Chinese or Russian. I have put in a lot of effort, by translating and understanding these ...
> If anybody finds any further info, please put it on this forum.
> If it is a very local issue (targeting a particular town in India) please let me know, and we can discuss our exact locations privately to close down on the source of the problem.
Regards
Re: Is my ISP injecting JS line ?
Maybe this - http://www.webhostingtalk.com/showthread.php?t=651748 - is somehow related.
There are 10 types of people in this world, those who understand binary and those who don't
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is my ISP injecting JS line ?
This sounds like it is becoming a bigger problem than it started out as.
Re: Is my ISP injecting JS line ?
Sorry - left this thread for some days. This is obviously not a local problem to a town in India as I live in London on Virgin Broadband and have the same issue exactly as you describe. Still no solution to problem.
Re: Is my ISP injecting JS line ?
yochints wrote: My entire office is facing exactly the same problem, first the 222360.com JS injections and then the g.asdafdgfgf.com/ads.js injections.
You have no clue how happy this makes me - for a while I was going nuts explaining to others it's not from my PC, even after a simple file_get_contents() example to point out that it's not a browser-hijack or something.
yochints wrote: I have been facing this problem since the past week
3 weeks here!
yochints wrote: Our ISP is VSNL (Tata Broadband), but in most cases it's not a problem at the ISP, it's a problem with the local unsecured networks (owned by the cable guys)
Any idea of the source?
yochints wrote: My immediate problem is being solved by blocking these 2 domains at my firewall, so at least there are no requests being sent out to the site
How do I get that done in Windows Firewall?
The only blocks I've done so far are adding entries in the hosts file and using the AdBlock extension for Firefox.
yochints wrote: I have contacted the local cable guys, as well as the ISP, and in spite of my repeated attempts, they refuse to believe that it is a virus problem. They keep on pushing that there is a problem with their routers, they keep on replacing hardware, and keep claiming that there is some machine broadcasting on their network.
DITTO!!! Esp. the 'replacing hardware' part - every time I call them, they say there's a hardware replacement going on (device udgaya).
yochints wrote: If it is a very local issue (targeting a particular town in India) please let me know, and we can discuss our exact locations privately to close down on the source of the problem.
The OP of this thread seems to have similar intentions. No update on status though.
Merge9 wrote: Sorry - left this thread for some days. This is obviously not a local problem to a town in India as I live in London on Virgin Broadband and have the same issue exactly as you describe. Still no solution to problem.
It seems to have hit China & Russia first, then India, and you're probably the first to voice from Europe.
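A check in the spirit of the file_get_contents() test mentioned in the post above, as an added example that is not part of the thread: it lists external `<script>` tags that are present in a page as received on the affected connection but absent from a reference copy of the same page. The page host `www.example.org`, both HTML samples and the availability of a reference copy fetched over a connection known to be clean are assumptions made for illustration; the two blocked domains are the ones named in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the thread reports blocking at the firewall / hosts file.
BLOCKED = ["222360.com", "g.asdafdgfgf.com"]

# Constructed samples: the page as the origin serves it, and the same page
# as received on the affected network with one extra script tag appended.
REFERENCE = ('<html><head><script src="/js/site.js"></script></head>'
             '<body><p>Hello</p></body></html>')
RECEIVED = ('<html><head><script src="/js/site.js"></script></head>'
            '<body><p>Hello</p></body></html>'
            '<script src="http://g.asdafdgfgf.com/ads.js"></script>')


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def host_of(src, page_host):
    # Relative URLs have no hostname and load from the page's own host.
    return (urlparse(src).hostname or page_host).lower()


def injected_scripts(received_html, reference_html, page_host):
    """Return (src, host) for scripts found only in the received copy
    and loaded from a host other than the page's own."""
    expected = set(script_sources(reference_html))
    findings = []
    for src in script_sources(received_html):
        host = host_of(src, page_host)
        if src not in expected and host != page_host:
            findings.append((src, host))
    return findings


def matches_blocklist(host, blocked_domains):
    """True if host is a blocked domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


if __name__ == "__main__":
    for src, host in injected_scripts(RECEIVED, REFERENCE, "www.example.org"):
        print(src, "blocklisted" if matches_blocklist(host, BLOCKED) else "unknown host")
```

Running the comparison from a machine that only fetches the raw HTML, with no browser involved, separates injection on the network path from anything installed on the client.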
-
chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 2:54 am
Re: Is my ISP injecting JS line ?
Hey anjanesh i have been following your posts in many of the forums other than this......actually my network is also facing the same problem past 2 weeks........firstly let me tell you few details ........i stay at Andheri, Mumbai.........and im a part of a local area network hosted by a local cable operator........and we have many ISPs on our network like vibes online, sify , interface ,etc........now the whole issue started around 2nd Jan,2008 with vibes users complaining about several disconnections of their internet connection whenever they start surfing any site..........earlier the cable guy found out that sum1 was clogging the local gateway ip of that ip range.......10.68.21.xxx and 10.58.21.xxx with gateway 10.68.21.1 and 10.58.21.1 resp.......now he introduced cisco switches inside our network thus virtually dividing our whole LAN into several sublans.........but the issue didnt get solved........then he transferred the affected vibes customer to interface ip range and gave them the interface ISP..........which i use..........the day these ppl got transferred to my ip range 172.25.3.xxx with gateway 172.25.0.1........... all the users in this ip range with interface ISP are now facing the same problem........our net disconnects randomly and my norton shows me this alert.......
HTTP ANI File Anih Hdr Size BO.
k.222360.com(222.216.28.25)(http(80))
And the funny part is vibes customers are having absolutely no problem from the day these ppl got shifted to my ip range.....
ME and our cable operator had no clue that its such a big problem only after reading your blogs.......we thght that sum1 frm our network is tryin to clog the gateway and thus causing problems to other users..........now frm your investigation we have come to knw abt the real problem..........but sum strange things i have observed during these dayz......
1. The net never disconnects at nite... arnd after 10pm till early in the morning arnd 8 or 9am when usually offices start...i got many office networks inside my local area network.
2. Whenever net disconnects i ping to my gateway 172.25.0.1 and i get request timed out but thn at the same time if i ping to sum1 else on my network eg : 172.25.3.120 or 172.25.3.39 (rather they r dead or alive)
my ping to gateway 172.25.0.1 immediately starts responding and the net starts working as normal........again if it gets disconnected i do the same procedure.......
3. I have observed tht whenever my net gets connected the first site i get redirected to is http://g.asdafdgfgf.com/ads.js which u all r talking abt....
So keeping in mind all the above observation i think this problem is caused by
1. Intrusion frm an external body like the internet thru ISP ofcourse
2. Intrusion frm local network ... that is frm the PCs in my network which dont have proper antivirus and in which tht javascript is residing and continuously addressing the gateway 172.25.0.1 which we all share in our ip range......so the point is due such few infected PCs which i found are OFF during night time( when net works perfectly fine).......our gateway is getting clogged and thus ppl like me (thou with norton and nod32) are facing this problem even after blocking the intrusion attempt..........
i have discussed this issue with the cable guy and he has asked the interface ISP ppl to block this ip 222.216.28.25
on their DNS server firewall......
one more thing all the attacks mentioned by you and faced by my network are originating from this ip 222.216.28.25
which is changing names to k.222360.com or v.222360.com or http://g.asdafdgfgf.com/ads.js
all are showing the same ip addr
so lets c if the ip is blocked at the DNS itself the external attack will b stopped...........
but wat remains is the internal attack which still is cloggin the gateway .........to solve this we have asked all the users in my ip range to install Nod32 or Norton to secure there PCs so tht it doesnt allow such scripts to run on their PCs and congest the gateway...........
Im awaiting the reply of the Interface ISP tech dept and also the installation of the anti virus on all the network PCs......this work should be done by 19th Jan.........after tht lets c if we face the same problem or not......
till then i have found out an effective way of using net by pinging to any random ip on my network as soon as i get request timed out on my gateway ip.......and trust me its working perfectly fine but only till next attack occurs ~!
U have mentioned tht u r also frm mumbai........so let me knw ur contact no. or email me at chillpill_rohit@yahoo.co.in
together we can n we will find out a way to tackle this nuisance.........awaiting ur reply asap
Regards.
Rohit Jain
(affected user)
Last edited by chillpill_rohit on Thu Jan 17, 2008 3:24 pm, edited 2 times in total.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is my ISP injecting JS line ?
Dude, this is getting bigger and bigger by the day. How can an ISP not protect their equipment enough to allow something like this to happen?
@chillpill_rohit, for the sake of all of us around here, please do not use AOL speak in your posts. It is against our rules. I understand your English may not be the best and we are OK with that. But it makes it that much more difficult for others to read what you wrote. Thanks.
Everah
Forum Admin
-
chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 2:54 am
Re: Is my ISP injecting JS line ?
@Everah
for the sake of all of us around here, please do not use AOL speak in your posts. It is against our rules. I understand your English may not be the best and we are OK with that. But it makes it that much more difficult for others to read what you wrote. Thanks.
LOL !
Arrey dude.........we all mumbaiites speak this type of english only man.........and nothing is wrong with our english dude.......we are following British English only but with local slangs......and we have got very much used to it now.......i was newayz addressing to anjanesh who is another mumbaiite so i think my message to him is straight and clear ......but i get your point also.....so from next time onwards i will try and post in proper dictionary English
Trouble caused to u and many others is regretted !
JAI HIND
JAI MAHARASTRA
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is my ISP injecting JS line ?
It is no trouble, just not everyone knows that newayz really means anyways. Thanks. And I hope our community can help you in some way.
-
chillpill_rohit
- Forum Newbie
- Posts: 15
- Joined: Thu Jan 17, 2008 2:54 am
Re: Is my ISP injecting JS line ?
Yes dude......its surely helping me and my network getting our issue addressed and finding a solution to it..... i got to many other forums where anjanesh has posted his problem but there i was unable to post ......those sites needed some stupid premium membership ...... this forum instead made my job easier ......im hoping to get this problem solved by this week itself......because my cable operator has started losing his clients and people are blaming him for no reason......so lets see if we can come to some solid solution to this problem.
P.S. : i took all the pains to get the words in correct English but still if i have included a few slangs forgive me.....cant help it .... SMS and online chats are real language spoilers ~!
Last edited by chillpill_rohit on Thu Jan 17, 2008 3:59 pm, edited 1 time in total.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Is my ISP injecting JS line ?
It's all good. I really hope everyone that is going through this mess will be able to get it fixed soon. It sucks that anyone has to go through this.