Hacking protection
ONEGin, 2013-05-27 12:01:00

Script substitution on the way to the client (possibly by the provider)

Hello, help me find where the file is being replaced.

Background: I recently arrived in one of the provincial cities of Ukraine (Luhansk region) and was surprised to notice that a half-page advertising block (a teaser) had appeared on all my sites. After a long search through the server logs and the sites themselves for traces of a hack, it turned out that the server serves clean code.

What we managed to find out: the teaser images appear for an indefinite period in the evenings, on all sites (not only mine) that have Ya.Metrika installed. Specifically, the file mc.yandex.ru/metrika/watch.js is replaced; its contents are swapped for the following: pastebin.com/qujq6Ewz. From a cursory glance it is clear that advertising from many large teaser networks (if present on the site) is being replaced, and if there was no advertising, it appears.

I can practically rule out a local substitution, for the following reasons: the local OS is Ubuntu (checked with clamav); it happens in Firefox, Chrome and Chromium.
More info: pinging mc.yandex.ru during the substitution returns the correct IP; setting Google DNS did not change the situation (I assumed the ISP was doing DNS substitution); if you pull the script via wget, the original is served (but maybe that was just a coincidence). I asked support whether they have a proxy; they said no.

Any ideas how to check where the substitution is happening?


4 answer(s)
Igor, 2013-05-28
@shanker

Perhaps transparent proxying (a so-called transparent proxy) is at work, modifying traffic on the fly (a provider that has a proxy and does not want to admit it).
Try one of these options to find out if this is the case.

egorinsk, 2013-05-27
@egorinsk

Maybe the neighbors on the LAN are infected with a virus and are replacing something, for example by pretending to be a DHCP server. Or maybe the neighbors on the LAN announce themselves as a proxy through proxy auto-detection.
Or maybe you have some extensions installed in your browser? Nowadays extensions are often used for such things.
In general, an interesting case.
> Any ideas how to check where the substitution is taking place?
I would start by looking at the traffic with a program like Wireshark.

heresik, 2013-05-27
@heresik

I'd bet on the ADSL router.

Dmitry Smirnov, 2013-05-27
@DimaSmirnov

It is quite possible for the provider to replace ad units, if the provider forcibly redirects web traffic to its proxy.
Squid has such a capability.
You can detect it using the directive (if memory serves) X_FORWARDED_FOR.
Also, the IP will not be your NAT address (unless, of course, they all have more than one machine) but the proxy's IP when you open some speedtest page.
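As an added example (not from the thread), a Python script that does from the client side what egorinsk's and Dmitry's answers suggest: it fetches watch.js over plain HTTP with a browser-like User-Agent, compares it with the HTTPS copy (which an on-path proxy cannot rewrite), and lists proxy-looking response headers such as Via or X-Cache. The header list and the availability of an HTTPS copy of the script are assumptions.

```python
import difflib
import hashlib
import urllib.request

# Header names that caching/transparent proxies commonly add or rewrite
# (an assumption; squid adds Via and X-Cache by default).
PROXY_HEADER_HINTS = ("via", "x-cache", "x-squid-error", "x-forwarded-for", "proxy-connection")

def proxy_indicators(headers):
    """Return the headers whose names hint that a proxy handled the response."""
    return {k: v for k, v in headers.items() if k.lower() in PROXY_HEADER_HINTS}

def body_digest(body):
    """Stable fingerprint of a response body (bytes)."""
    return hashlib.sha256(body).hexdigest()

def diff_bodies(reference, observed):
    """Unified diff between a trusted copy and what the client actually got."""
    ref = reference.decode("utf-8", "replace").splitlines()
    obs = observed.decode("utf-8", "replace").splitlines()
    return list(difflib.unified_diff(ref, obs, "reference", "observed", lineterm=""))

def fetch(url, user_agent):
    """Fetch url with the given User-Agent; returns (headers dict, body bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items()), resp.read()

def check_script(http_url, https_url, user_agent):
    """Compare the plaintext fetch with the HTTPS one (a proxy can only rewrite
    the former) and collect proxy-looking headers from the HTTP response."""
    h_headers, h_body = fetch(http_url, user_agent)
    _, s_body = fetch(https_url, user_agent)
    return {
        "proxy_headers": proxy_indicators(h_headers),
        "same_content": body_digest(h_body) == body_digest(s_body),
        "diff": diff_bodies(s_body, h_body),
    }

if __name__ == "__main__":
    # Browser-like UA: the question notes wget got a clean copy, so the
    # injector may key on User-Agent. Needs network access to run.
    UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/21.0"
    report = check_script("http://mc.yandex.ru/metrika/watch.js",
                          "https://mc.yandex.ru/metrika/watch.js", UA)
    print("proxy headers:", report["proxy_headers"])
    print("identical:", report["same_content"])
    print("\n".join(report["diff"][:40]))
```

Run it from the affected connection during the evening window and again from a clean one; a diff that shows inserted document.write or script tags, or a Via header naming a proxy, points at the path rather than the server.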
