-
Amazon Deals - ToS - Warp
BSNL is inserting ads in websites, sending their users to malware sites through malware code injection
- Thread starter CRACING
- Start date
- Replies 645
- Views 196,638
Another script: http:[]//decademical[dot]com/rztmZfL5gx92TNclo/6921
Took me to: http:[]//free.internetspeedtracker[dot]com/index.jhtml?partner=^BBQ^xpu514&s1=21997&s2=02A8C8E0-F7F8-11E8-A0C7-D1B15DED89C0
The method was the same. A span tag was injected into the body. Inside the span tag this script.
Took me to: http:[]//free.internetspeedtracker[dot]com/index.jhtml?partner=^BBQ^xpu514&s1=21997&s2=02A8C8E0-F7F8-11E8-A0C7-D1B15DED89C0
The method was the same. A span tag was injected into the body. Inside the span tag this script.
Last edited:
pothi
@127.0.0.1
rajujayaraman
Newbie
Hi, admin, do you think that it is actual flipkart site. No , i do not think. When you just open filpkart, it shows different set of pages. i once checked. Will check.
Router control is the best , than hosts file.
The futility of the MVP hosts is a pointer in the case.
Did you check the link, i gave for mvphost file.
It is not usual Host file, but mvphost file, which is including suspicious sites one by one from reporting users.
I think it goes to more thousands sites as the day increases and they are updating their data base in the hosts file.
So, If a site could be blocked, it is effective in router, as it stops access to the page for all the devices at once time.
But, i think that http hacking technique allows unscruplous people to plan these kind of suspicious attacks.
Every country is thus connected thro internet, but we are now reaping the other side benefits of the actual internet users.
World internet authority has to do something about it.
I see articles of how to hack http pages, when i search for block http help.
PG site may be a thing to try.
This redirect is experienced even if you change your server to public dns.
Google is not safe any more.
Edit: today http redirect
http://naganoadigei.com/imp/7257/?s...I6ISZu1SVTJCLiQnI60yMzADLionI6kzMzQDLismI6QTf
This is the worst site being used for redirection.
As i have filtered this site, it is not loading allowing me to copy this link. If i do not filter, then , it is millisecond that this will flash then loading suspicious and fake sites.
If filpkart is doing this , then it is a disservice and i would not buy a thing from this.
But to my surprise, amazon.com is the server owner of this site, any clue..
We are writing, but cert in says it is a different department'\'a ssue..
Router control is the best , than hosts file.
The futility of the MVP hosts is a pointer in the case.
Did you check the link, i gave for mvphost file.
It is not usual Host file, but mvphost file, which is including suspicious sites one by one from reporting users.
I think it goes to more thousands sites as the day increases and they are updating their data base in the hosts file.
So, If a site could be blocked, it is effective in router, as it stops access to the page for all the devices at once time.
But, i think that http hacking technique allows unscruplous people to plan these kind of suspicious attacks.
Every country is thus connected thro internet, but we are now reaping the other side benefits of the actual internet users.
World internet authority has to do something about it.
I see articles of how to hack http pages, when i search for block http help.
PG site may be a thing to try.
This redirect is experienced even if you change your server to public dns.
Google is not safe any more.
Edit: today http redirect
http://naganoadigei.com/imp/7257/?s...I6ISZu1SVTJCLiQnI60yMzADLionI6kzMzQDLismI6QTf
This is the worst site being used for redirection.
As i have filtered this site, it is not loading allowing me to copy this link. If i do not filter, then , it is millisecond that this will flash then loading suspicious and fake sites.
If filpkart is doing this , then it is a disservice and i would not buy a thing from this.
But to my surprise, amazon.com is the server owner of this site, any clue..
We are writing, but cert in says it is a different department'\'a ssue..
Last edited:
@rajujayaraman It was the real Flipkart site. I can confirm that. Like @pothi does I'm also running a DNS server locally behind a custom pfSense router.
It has nothing to do with DNS. DNS is just a registry in which you can search for domains. Also if DNS services like GoogleDNS, Cloudflare were compromised to return malware websites the change would be global. Not only we BSNL/MTNL users will face this issue, everyone will.
This malware is activated by a click. Because after 2015 chrome and other browsers stopped allowing web pages to execute some things like this without an initial user interaction. I've posted a Pastebin link above which contains the contents of that obfuscated code that runs to redirect and open those malware pages.
After referring to most of those web pages we can confirm that the ads are provided by a firm called "Mindspark interactive". Not sure whether they are running these campaigns for BSNL.
I've checked with LCOs and they all seem to be using Chinese non-branded or Chinese rebranded OLTs and ONUs. A strong doubt that I have is whether these ONUs or OLTs were compromised to inject those scripts in non-secure web pages.
An engineer from BSNL paid a visit to my home today and I've explained these things to him. He is as surprised as we're and said if BSNL is doing this then they are breaking their policy and he will check on this.
I'm wondering if BSNL is purposefully doing this why can't they admit?
It has nothing to do with DNS. DNS is just a registry in which you can search for domains. Also if DNS services like GoogleDNS, Cloudflare were compromised to return malware websites the change would be global. Not only we BSNL/MTNL users will face this issue, everyone will.
This malware is activated by a click. Because after 2015 chrome and other browsers stopped allowing web pages to execute some things like this without an initial user interaction. I've posted a Pastebin link above which contains the contents of that obfuscated code that runs to redirect and open those malware pages.
After referring to most of those web pages we can confirm that the ads are provided by a firm called "Mindspark interactive". Not sure whether they are running these campaigns for BSNL.
I've checked with LCOs and they all seem to be using Chinese non-branded or Chinese rebranded OLTs and ONUs. A strong doubt that I have is whether these ONUs or OLTs were compromised to inject those scripts in non-secure web pages.
An engineer from BSNL paid a visit to my home today and I've explained these things to him. He is as surprised as we're and said if BSNL is doing this then they are breaking their policy and he will check on this.
I'm wondering if BSNL is purposefully doing this why can't they admit?
rajujayaraman
Newbie
Hi, tracert command to naganoadigei.com and mutualvehemence.com
for script and code analyers to check
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>tracert www.naganoadigei.com
Unable to resolve target system name www.naganoadigei.com.
C:\Windows\system32>tracert google.com
Tracing route to google.com [172.217.163.174]
over a maximum of 30 hops:
1 2 ms 1 ms 2 ms 192.168.1.1
2 306 ms 318 ms 318 ms bsnl
3 290 ms 340 ms 378 ms static.ill.218.248.61.146/24.bsnl.in [218.248.61
.146]
4 345 ms * 323 ms bsnl1
5 306 ms * 143 ms bsnl
6 326 ms 320 ms 321 ms 72.14.205.109
7 342 ms 339 ms 339 ms 74.125.242.129
8 333 ms 339 ms 339 ms 209.85.248.181
9 341 ms 319 ms 340 ms maa05s05-in-f14.1e100.net [172.217.163.174]
Trace complete.
C:\Windows\system32>tracert naganoadigei.com
Tracing route to naganoadigei.com [188.42.140.100]
over a maximum of 30 hops:
1 2 ms 1 ms 2 ms 192.168.1.1
2 336 ms 318 ms 339 ms 117.193.208.1
3 337 ms 300 ms 284 ms static.ill.bsnl.bsnl.in bsnl
.122]
4 329 ms 319 ms * bsnl
5 * 327 ms * bsnl
6 333 ms 339 ms 338 ms 115.110.161.209
7 338 ms 338 ms 339 ms 172.31.167.45
8 351 ms 342 ms 341 ms 172.25.81.134
9 350 ms 360 ms 360 ms ix-ae-0-4.tcore1.mlv-mumbai.as6453.net [180.87.3
8.5]
10 456 ms 445 ms 505 ms if-ae-5-2.tcore1.wyn-marseille.as6453.net [80.23
1.217.29]
11 453 ms 466 ms 466 ms if-ae-8-1600.tcore1.pye-paris.as6453.net [80.231
.217.6]
12 451 ms 468 ms 469 ms if-ae-11-2.tcore1.pvu-paris.as6453.net [80.231.1
53.49]
13 544 ms 529 ms 529 ms ae-7.r04.parsfr01.fr.bb.gin.ntt.net [129.250.8.1
]
14 553 ms 551 ms 549 ms ae-23.r24.amstnl02.nl.bb.gin.ntt.net [129.250.4.
137]
15 556 ms 550 ms 554 ms ae-0.a01.amstnl02.nl.bb.gin.ntt.net [129.250.4.3
9]
16 547 ms 552 ms 550 ms xe-0-1-0-6.r02.amstnl02.nl.ce.gin.ntt.net [212.1
19.24.166]
17 551 ms 549 ms 537 ms 185.82.208.246
18 539 ms 549 ms 550 ms 23.111.28.129
19 554 ms 550 ms 551 ms se-ams1-l49-r1.servers.com [23.111.89.49]
20 539 ms 549 ms 511 ms 188.42.140.100
Trace complete.
netherrland and amsterdam are the place of servers. i removed the ips of bsnl purposefully.
C:\Windows\system32>
for script and code analyers to check
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>tracert www.naganoadigei.com
Unable to resolve target system name www.naganoadigei.com.
C:\Windows\system32>tracert google.com
Tracing route to google.com [172.217.163.174]
over a maximum of 30 hops:
1 2 ms 1 ms 2 ms 192.168.1.1
2 306 ms 318 ms 318 ms bsnl
3 290 ms 340 ms 378 ms static.ill.218.248.61.146/24.bsnl.in [218.248.61
.146]
4 345 ms * 323 ms bsnl1
5 306 ms * 143 ms bsnl
6 326 ms 320 ms 321 ms 72.14.205.109
7 342 ms 339 ms 339 ms 74.125.242.129
8 333 ms 339 ms 339 ms 209.85.248.181
9 341 ms 319 ms 340 ms maa05s05-in-f14.1e100.net [172.217.163.174]
Trace complete.
C:\Windows\system32>tracert naganoadigei.com
Tracing route to naganoadigei.com [188.42.140.100]
over a maximum of 30 hops:
1 2 ms 1 ms 2 ms 192.168.1.1
2 336 ms 318 ms 339 ms 117.193.208.1
3 337 ms 300 ms 284 ms static.ill.bsnl.bsnl.in bsnl
.122]
4 329 ms 319 ms * bsnl
5 * 327 ms * bsnl
6 333 ms 339 ms 338 ms 115.110.161.209
7 338 ms 338 ms 339 ms 172.31.167.45
8 351 ms 342 ms 341 ms 172.25.81.134
9 350 ms 360 ms 360 ms ix-ae-0-4.tcore1.mlv-mumbai.as6453.net [180.87.3
8.5]
10 456 ms 445 ms 505 ms if-ae-5-2.tcore1.wyn-marseille.as6453.net [80.23
1.217.29]
11 453 ms 466 ms 466 ms if-ae-8-1600.tcore1.pye-paris.as6453.net [80.231
.217.6]
12 451 ms 468 ms 469 ms if-ae-11-2.tcore1.pvu-paris.as6453.net [80.231.1
53.49]
13 544 ms 529 ms 529 ms ae-7.r04.parsfr01.fr.bb.gin.ntt.net [129.250.8.1
]
14 553 ms 551 ms 549 ms ae-23.r24.amstnl02.nl.bb.gin.ntt.net [129.250.4.
137]
15 556 ms 550 ms 554 ms ae-0.a01.amstnl02.nl.bb.gin.ntt.net [129.250.4.3
9]
16 547 ms 552 ms 550 ms xe-0-1-0-6.r02.amstnl02.nl.ce.gin.ntt.net [212.1
19.24.166]
17 551 ms 549 ms 537 ms 185.82.208.246
18 539 ms 549 ms 550 ms 23.111.28.129
19 554 ms 550 ms 551 ms se-ams1-l49-r1.servers.com [23.111.89.49]
20 539 ms 549 ms 511 ms 188.42.140.100
Trace complete.
netherrland and amsterdam are the place of servers. i removed the ips of bsnl purposefully.
C:\Windows\system32>
I am blocking the websites from which js is getting injected. So if you block them say bye to even advert pop ups. Works for me. U should try.
rajujayaraman
Newbie
Hi,admin what has happened to this forum access. Yesterday from evening to night I tried but err connection timed out . Could access act fibre net forum topic only once. But no navigation possible there also. other internet sites no problem. Please any maintenance. But no alert of that either
rajujayaraman
Newbie
Not for 15 minutes. I said from evening to night. Did you check.
I'm getting redirected to http://172.30.3.134:9090/ssssnpm/prime.html
