I'm using Linux Mint Tara. When I browse through Firefox, occasionally an encrypted script gets injected into the page that I'm browsing. Clicking anywhere on the page then opens a popup ad. How do I detect, debug or get rid of this?
It uses several domains to inject encrypted scripts; the following are a few captured on metalstorm.net.
producebreed.com/rhZuYJzPiF4A/7259?ndn=ch1
allashail.club/rOE2tc1PoS95dtt/6921?ndn=ch1
There are others on other sites which lead to the same kind of popup, all of which finally lead to this same ad.
www.flipkart.com/?affid=galaksion&affExtParam1=675DF0D0-F015-11E9-AD30-A5250CAA7799&affExtParam2=23011
I'm stunned. I have replaced the default Firefox with the tarball version, but this malware activity still persists. I use two add-ons on Firefox (Dark Reader by Alexander Shutau and Little Proxy by addONDeveloper).
Is it the sites' fault, or is it being injected from my system? How can I debug my system if it is some malware on my system?
Update (1):
After becoming paranoid about my first Linux setup, I attempted the same on Windows 10 and was able to reproduce the ad popups. I have now arrived at the assumption that it is being injected either by the wireless router (TP-Link) or by the ISP.
Observations:
I could reproduce it on HTTP sites but not on HTTPS sites of the same domain.
Adblock Plus was not able to block some of its domains.
On Linux it shows a redirect to the affiliate link (posted above), but on Windows it shows a popup to install a Firefox update by clicking a flashy link (lol); it must be adware/malware. The ad script redirect flow was:
- beebuyart.club/rEf9VJuYlrzh/6934?ndn=ch1
- bumcapale.site/itBijexW4tbTS9g8xadln/3276?param_2=6934
- operateextremelyswiftsoftware.icu/ztqvfI7dezj3gbC3YoH5Y_zIsFAxcXiBNPSK8NeX69I?clck=12819_11387_31571234720101895&sid=s33371587
I'll post the answer myself if I'm able to debug my router or check whether the ISP is injecting scripts. Please suggest tools for debugging the source of this ad script if you know of any.
Update (2):
After browsing for articles related to the ISP in question (BSNL), I found plenty of questions on SE and a Reddit thread.
Reddit thread
https://www.reddit.com/r/IndiaSpeaks/comments/a9nsoz/bsnl_is_not_injecting_the_ads_into_our_http/
Related
Blocking the ISP's ads appearing after a possible DNS grab and redirect via port 53?
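The HTTP-versus-HTTPS observation in the question is the practical handle on this: an on-path injector (router, ISP proxy) can only rewrite cleartext HTTP, so a `<script>` that appears in the HTTP copy of a page but not in the HTTPS copy of the same page, and that points at a host other than the page's own, is the thing to hunt. The following is an added example written for this page, not code from the original poster. It parses two copies of a page with Python's standard-library HTML parser and reports the external script hosts and the scripts that exist only in the HTTP copy. The two sample pages are constructed, not real captures; the `metalstorm.net`, `producebreed.com` and `allashail.club` names are taken from the question, and `cdn.example-static.net` is an invented legitimate third-party host. The `fetch()` helper is provided so you can pull the same URL once over the suspect connection and once over a known-clean one (for example a phone hotspot or a VPN) and feed both copies to `injected_scripts()`.

```python
"""Compare the <script> tags of an HTTP and an HTTPS copy of the same page.

Added example for this page, not the original poster's code.  Only cleartext
HTTP can be modified by an on-path injector, so scripts present in the HTTP
copy but absent from the HTTPS copy are candidate injected scripts.
"""
import hashlib
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and short SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []          # values of <script src=...>
        self.inline = []        # hash prefixes of inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw body of a <script> element to handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(hashlib.sha256(body.encode()).hexdigest()[:16])


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs, parser.inline


def third_party_hosts(html, page_host):
    """Hosts of script src URLs other than the page's own; relative srcs are same-origin."""
    srcs, _ = collect_scripts(html)
    hosts = set()
    for src in srcs:
        host = urlparse(src).netloc.lower()   # empty for relative URLs such as /js/app.js
        if host and host != page_host.lower():
            hosts.add(host)
    return sorted(hosts)


def injected_scripts(http_html, https_html):
    """Scripts found only in the HTTP copy: (external src URLs, inline body hashes)."""
    http_srcs, http_inline = collect_scripts(http_html)
    https_srcs, https_inline = collect_scripts(https_html)
    return (sorted(set(http_srcs) - set(https_srcs)),
            sorted(set(http_inline) - set(https_inline)))


def fetch(url):
    """Fetch a page; call once over the suspect link and once over a clean one, then compare."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample pages (not real captures).  The HTTP copy carries one extra
# external script from a domain named in the question plus an inline click handler.
HTTPS_COPY = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-static.net/lib.js"></script>
</head><body><p>hello</p></body></html>"""

HTTP_COPY = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-static.net/lib.js"></script>
<script src="http://producebreed.com/rhZuYJzPiF4A/7259?ndn=ch1"></script>
<script>document.onclick=function(){window.open("http://allashail.club/rOE2tc1PoS95dtt/6921?ndn=ch1")};</script>
</head><body><p>hello</p></body></html>"""


if __name__ == "__main__":
    print("third-party script hosts in HTTP copy:", third_party_hosts(HTTP_COPY, "metalstorm.net"))
    print("scripts only in HTTP copy:", injected_scripts(HTTP_COPY, HTTPS_COPY))
```

If the HTTP-only scripts disappear when the same page is fetched through a different network (hotspot, VPN) but return on the home connection, the injection point is on that path (router or ISP); if they also show up on the clean path, look at the site itself or at the machine. Inline scripts are compared by hash because injectors typically vary the payload, so two differing inline bodies on the same page are worth reading by hand.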