BSNL is inserting ads in websites, sending their users to malware sites through malware code injection

[abbyck]

@rajujayaraman It was the real Flipkart site. I can confirm that. Like @pothi does I'm also running a DNS server locally behind a custom pfSense router.
It has nothing to do with DNS. DNS is just a registry in which you can search for domains. Also if DNS services like GoogleDNS, Cloudflare were compromised to return malware websites the change would be global. Not only we BSNL/MTNL users will face this issue, everyone will.
This malware is activated by a click. Because after 2015 chrome and other browsers stopped allowing web pages to execute some things like this without an initial user interaction. I've posted a Pastebin link above which contains the contents of that obfuscated code that runs to redirect and open those malware pages.

After referring to most of those web pages we can confirm that the ads are provided by a firm called "Mindspark interactive". Not sure whether they are running these campaigns for BSNL.

I've checked with LCOs and they all seem to be using Chinese non-branded or Chinese rebranded OLTs and ONUs. A strong doubt that I have is whether these ONUs or OLTs were compromised to inject those scripts in non-secure web pages.
An engineer from BSNL paid a visit to my home today and I've explained these things to him. He is as surprised as we're and said if BSNL is doing this then they are breaking their policy and he will check on this.

I'm wondering if BSNL is purposefully doing this why can't they admit?

 

[rajujayaraman]

Hi, tracert command to naganoadigei.com and mutualvehemence.com
for script and code analyers to check
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>tracert www.naganoadigei.com
Unable to resolve target system name www.naganoadigei.com.

C:\Windows\system32>tracert google.com

Tracing route to google.com [172.217.163.174]
over a maximum of 30 hops:

1 2 ms 1 ms 2 ms 192.168.1.1
2 306 ms 318 ms 318 ms bsnl
3 290 ms 340 ms 378 ms static.ill.218.248.61.146/24.bsnl.in [218.248.61
.146]
4 345 ms * 323 ms bsnl1
5 306 ms * 143 ms bsnl
6 326 ms 320 ms 321 ms 72.14.205.109
7 342 ms 339 ms 339 ms 74.125.242.129
8 333 ms 339 ms 339 ms 209.85.248.181
9 341 ms 319 ms 340 ms maa05s05-in-f14.1e100.net [172.217.163.174]

Trace complete.

C:\Windows\system32>tracert naganoadigei.com

Tracing route to naganoadigei.com [188.42.140.100]
over a maximum of 30 hops:

1 2 ms 1 ms 2 ms 192.168.1.1
2 336 ms 318 ms 339 ms 117.193.208.1
3 337 ms 300 ms 284 ms static.ill.bsnl.bsnl.in bsnl
.122]
4 329 ms 319 ms * bsnl
5 * 327 ms * bsnl
6 333 ms 339 ms 338 ms 115.110.161.209
7 338 ms 338 ms 339 ms 172.31.167.45
8 351 ms 342 ms 341 ms 172.25.81.134
9 350 ms 360 ms 360 ms ix-ae-0-4.tcore1.mlv-mumbai.as6453.net [180.87.3
8.5]
10 456 ms 445 ms 505 ms if-ae-5-2.tcore1.wyn-marseille.as6453.net [80.23
1.217.29]
11 453 ms 466 ms 466 ms if-ae-8-1600.tcore1.pye-paris.as6453.net [80.231
.217.6]
12 451 ms 468 ms 469 ms if-ae-11-2.tcore1.pvu-paris.as6453.net [80.231.1
53.49]
13 544 ms 529 ms 529 ms ae-7.r04.parsfr01.fr.bb.gin.ntt.net [129.250.8.1
]
14 553 ms 551 ms 549 ms ae-23.r24.amstnl02.nl.bb.gin.ntt.net [129.250.4.
137]
15 556 ms 550 ms 554 ms ae-0.a01.amstnl02.nl.bb.gin.ntt.net [129.250.4.3
9]
16 547 ms 552 ms 550 ms xe-0-1-0-6.r02.amstnl02.nl.ce.gin.ntt.net [212.1
19.24.166]
17 551 ms 549 ms 537 ms 185.82.208.246
18 539 ms 549 ms 550 ms 23.111.28.129
19 554 ms 550 ms 551 ms se-ams1-l49-r1.servers.com [23.111.89.49]
20 539 ms 549 ms 511 ms 188.42.140.100

Trace complete.
netherrland and amsterdam are the place of servers. i removed the ips of bsnl purposefully.

C:\Windows\system32>

 

[vishalrao]

what is the point of traceroute? how is that relevant here?

 

[demberto]

That would make sense if you are running one PC.

It wont be possible to block on Android and other devices as easily.

DD-WRT will block it via the source, at the router.

Javascript injection will use an if/else approach, if you block a few sites it's not going to stop the script from finding and executing sites that will load.

It's not as simple as it seems.

Just sharing thoughts!

I am blocking the websites from which js is getting injected. So if you block them say bye to even advert pop ups. Works for me. U should try.

 

[rajujayaraman]

Hi,admin what has happened to this forum access. Yesterday from evening to night I tried but err connection timed out . Could access act fibre net forum topic only once. But no navigation possible there also. other internet sites no problem. Please any maintenance. But no alert of that either

 

[Sushubh]

BSNL users were facing issues yesterday. There is a thread on that. Forum did went down for a while last night but that was a temporary issue for 15 or so minutes.

Good to know that the issue is resolved for you!

 

---

[rajujayaraman]

Not for 15 minutes. I said from evening to night. Did you check.

 

[Sushubh]

That was a bsnl specific issue faced by many users here on the forum. If it happens again, please post details in the other thread so that my techie friend can investigate

 

[NikhilS]

I'm getting redirected to http://172.30.3.134:9090/ssssnpm/prime.html

 

[NikhilS]