
Hello folks!

 

Please help me narrow-down on this 'Alien-script' warning showing up against the Speed-Test on DSL Reports website.

 

The II reference is also a kind of 'never seen' before instance!

 

What I can ascertain on this is :-

 

(1) My computer is clean as I run regular scans of Malwarebytes.

(2) The warning & the respective advert is pertinent to my Browsing sessions with the State-Telecom ( MTNL) only & not with my alternative Service provider (Hathway) .

 

So how to assess this case further?? Please suggest? 

 

Thank you.

clipimage.jpg

11 minutes ago, saurabhdua said:

Hello folks!

 

Please help me narrow-down on this 'Alien-script' warning showing up against the Speed-Test on DSL Reports website.

 

The II reference is also a kind of 'never seen' before instance!

 

What I can ascertain on this is :-

 

(1) My computer is clean as I run regular scans of Malwarebytes.

(2) The warning & the respective advert is pertinent to my Browsing sessions with the State-Telecom ( MTNL) only & not with my alternative Service provider (Hathway) .

 

So how to assess this case further?? Please suggest? 

 

Thank you.

clipimage.jpg

It’s called a pop up. These particular ones come from malware or less than reputable sites.

 

No, your ISP is not injecting it. 

12 minutes ago, adrynalyne said:

It’s called a pop up. These particular ones come from malware or less than reputable sites.

It's not a pop-up because the 'Browser-survey' page can be seen in the background. All this shot up during making a transition via a legible hyperlink only!

 

Is 'DSL-Reports' a less reputed website?

Hello,


It could be that the ISP is injecting the script, that something on their network is compromised like a router or DNS servers, or a device that you use to access their network, like a modem, has been compromised.  Or, it could be a compromised browser extension, malicious DNS setting on your computer, malicious proxy server setting on your computer, malware interfering with the network stack, and so forth.

 

I could not make out the fully-qualified domain name of the site hosting the script because the address was so blurry, but here's the whois data for the BAPD.GDN network hosting the server:

 

Domain Name: BAPD.GDN
Domain ID: GD321330-GDN
WHOIS Server: whois.nic.gdn
Referral URL: http://www.nic.gdn
Updated Date: 2017-01-31T16:13:09Z
Creation Date: 2017-01-31T11:45:52Z
Registry Expiry Date: 2018-01-31T11:45:52Z
Sponsoring Registrar: Epik Holdings, Inc.
Sponsoring Registrar IANA ID: 617
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant ID: BAPD58631479921-GDN
Registrant Name: Privacy Administrator
Registrant Organization: Anonymize, Inc.
Registrant Street: PO Box 742
Registrant City: Bellevue
Registrant State/Province: WA
Registrant Postal Code: 98009
Registrant Country: US
Registrant Phone: +1.4253668810
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: BAPD58631484647-GDN
Admin Name: Privacy Administrator
Admin Organization: Anonymize, Inc.
Admin Street: PO Box 742
Admin City: Bellevue
Admin State/Province: WA
Admin Postal Code: 98009
Admin Country: US
Admin Phone: +1.4253668810
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: BAPD58631489934-GDN
Tech Name: Privacy Administrator
Tech Organization: Anonymize, Inc.
Tech Street: PO Box 742
Tech City: Bellevue
Tech State/Province: WA
Tech Postal Code: 98009
Tech Country: US
Tech Phone: +1.4253668810
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Billing ID: BAPD58631494987-GDN
Billing Name: Privacy Administrator
Billing Organization: Anonymize, Inc.
Billing Street: PO Box 742
Billing City: Bellevue
Billing State/Province: WA
Billing Postal Code: 98009
Billing Country: US
Billing Phone: +1.4253668810
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: [email protected]
Name Server: NS1.DOMAINMANAGER.COM
Name Server: NS2.DOMAINMANAGER.COM
DNSSEC: Unsigned
Registrar Abuse Contact Phone: +1.4252025160
Registrar Abuse Contact Email: [email protected]

 

I would recommend blocking the script, notifying the ISP and your security software vendor as well.

 

Regards,

 

Aryeh Goretsky

 

2 hours ago, goretsky said:

I would recommend blocking the script

Thank you so very much for such a detailed analysis!

 

Is there a reputed 'No Script' like equivalent for Chrome browsers?

 

My default is Slimjet by the way.

 

DNS servers were set to those of Google only!

 

What exactly is to be shared with my ISP to make them ponder over a probe in this regard?

 

Inputs will be sincerely appreciated.

 

Here is another one procured earlier when I first reported this issue to Slimjet & they disowned the liability entirely citing a probable virus with some Websites.

 

 

 

clipimage.jpg

6 hours ago, saurabhdua said:

(1) My computer is clean as I run regular scans of Malwarebytes.

This means nothing.. All this means is Malwarebytes is not finding or reporting anything - does not mean you're "clean" in the least..  This is one of the biggest misconceptions out there about antivirus/antimalware/security type software..   You could have agreed to this in small print in something you installed for that matter.

 

These companies get in trouble all the time for reporting stuff as bad when user selected it, at best they can report it as pup, etc.

 

For all we know the copy of the browser you download has this built in ;)

 

But sure, it's possible it's being injected as well.

7 hours ago, saurabhdua said:

It's not a pop-up because the 'Browser-survey' page can be seen in the background. All this shot up during making a transition via a legible hyperlink only!

 

Is 'DSL-Reports' a less reputed website?

It is a popup. The only question is why it is there.

 

 


If you want to see if it's "injected" then why don't you boot to a clean OS, pick your fav linux liveCD/USB boot into that and go where you're going - do you still see the ######?  If not then it's not being injected.

As to reputable sites and "bad stuff" and unwanted popups, etc..  Even the best of sites run into problems with who they pick as ad revenue streams.  Where something not so nice or clean or what users might not mind as ads gets through all the time.  Neowin has had their share of issues with the companies they work with for ads.  Sometimes it's the ad company, sometimes it's just some asshat sneaking ###### into the ad companies that goes against even the ad company's policy, etc.

It also seems unlikely to me that some state run ISP would inject ads or nonsense like you're seeing.  I would think if they were going to be doing anything they might inject some sort of tracking stuff (depending on what "state" you live in)..  Why would a state funded ISP need to generate revenue by popping up browser survey ads??  Just makes ZERO sense to me..

edit: Maybe it's a state run IQ test - how many users click this stupid ###### ;)  As a test of their internet safe use security training ;)

Quote

The alien script can be one of:

An injected inline script

A URL encoded script

A chrome extension script

A remotely hosted JS script (frequently this is malware)

The warning will list the type of script found unexpectedly present.

What browser add-ons do you use? Can you try running a vanilla version of Google Chrome and visit the webpage to replicate the error?
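
The four script categories in the quoted warning text, turned into a check over a page's script elements. This is an added example, not code from DSL Reports or from any poster in this thread; the page URL, host and inline allowlists, sample scripts and the matching rules for each category are all constructed assumptions.

```javascript
// Added example. Category names come from the quoted warning text; the matching
// rules, PAGE values and SAMPLE_SCRIPTS are constructed for illustration.
const PAGE = {
  url: "http://speedtest.example.test/run",
  hosts: new Set(["speedtest.example.test", "cdn.example.test"]), // hosts the site is known to load from
  inline: new Set(["initTest();"]),                                // inline bodies the site is known to ship
};

const JS_TYPE = /^(module|(text|application)\/(java|ecma)script)$/i;

function classifyScript(script, page) {
  const type = (script.type || "").trim();
  if (type && !JS_TYPE.test(type)) return "not executed"; // e.g. application/ld+json data blocks
  const src = (script.src || "").trim();
  if (!src) {
    return page.inline.has((script.text || "").trim()) ? "expected" : "injected inline script";
  }
  let url;
  try {
    url = new URL(src, page.url); // resolves a relative src against the page URL
  } catch {
    return "unparseable src";
  }
  if (["data:", "javascript:", "blob:"].includes(url.protocol)) return "URL encoded script";
  if (url.protocol.endsWith("-extension:")) return "extension script";
  return page.hosts.has(url.hostname) ? "expected" : "remotely hosted JS script";
}

// Returns only the scripts the page owner would not expect to see.
function auditScripts(scripts, page) {
  return scripts
    .map((s) => ({ verdict: classifyScript(s, page), where: s.src || "(inline)" }))
    .filter((r) => r.verdict !== "expected" && r.verdict !== "not executed");
}

// In a browser console the input would be:
//   Array.from(document.scripts, s => ({ src: s.getAttribute("src"), text: s.textContent, type: s.type }))
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js" },
  { text: "initTest();" },
  { type: "application/ld+json", text: "{}" },
  { text: "showSurvey();" },
  { src: "data:text/javascript,void%200" },
  { src: "chrome-extension://aaaabbbbccccdddd/content.js" },
  { src: "http://ads.example.net/s.js" },
];

console.log(auditScripts(SAMPLE_SCRIPTS, PAGE));
```

Running the same audit on each connection, or in a clean browser profile, and comparing the findings shows which environment adds the unexpected script.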

20 hours ago, BudMan said:

It also seems unlikely to me that some state run ISP would inject ads or nonsense like you're seeing.  I would think if they were going to be doing anything they might inject some sort of tracking stuff (depending on what "state" you live in)..  Why would a state funded ISP need to generate revenue by popping up browser survey ads??  Just makes ZERO sense to me..

The State-run Telecom is in a dire state on account of their failure to upkeep & maintain their services. Would you believe that each of the employees within this Company has unfettered access to the Internet! From the ones sitting on the Front-desk to those attending phone calls of the Customers, all are connected to the WWW all the time.

 

Their own employees are in fact the largest consumers of Data & the actual Consumers are left to crib over High Latency rates, frequent dropping of Connection, unexplained Down-times..& alike!  

 

Their server rooms are left in shambles with no  Air-conditioning as well!

 

In such a scenario , 'Alien-scripts' might be getting injected either knowingly or inadvertently!

40 minutes ago, saurabhdua said:

Would you believe that each of the employees within this Company has unfettered access to the Internet! From the ones sitting on the Front-desk to those attending phone calls of the Customers, all are connected to the WWW all the time.

Yes, that wouldn't be abnormal.

40 minutes ago, saurabhdua said:

In such a scenario , 'Alien-scripts' might be getting injected either knowingly or inadvertently!

The two situations do not correlate

 

1 hour ago, saurabhdua said:

each of the employees within this Company has unfettered access to the Internet! From the ones sitting on the Front-desk to those attending phone calls of the Customers, all are connected to the WWW all the time.

Don't agree that would be abnormal.. Any real network with any security at all would not allow unfettered access to the internet.  But how exactly do you know this?  How do you know there's not a firewall between?  While they might not be limited on outbound ports, that doesn't mean there is not a firewall.. Even if they have a public IP on their machines, that doesn't mean there is not a firewall blocking inbound unsolicited traffic, etc.

 

How do you know anything about their server room?  Do you work for them, the state?

7 hours ago, BudMan said:

How do you know anything about their server room?  Do you work for them, the state?

The visit to their regional Consumer-care centers reveals that all! Dilapidated state of feeder-pillar boxes (offshoot junction) validate the dismal state even further!

 

Is the State-machinery in your Country also characterized with Rot, wilt & laxity?

 

Public institutions in India wear such characteristic attributes indeed!! Hard reality!

While state of affairs for infrastructure in the US I am sure has its doomsayers, some bridges that need some work, etc..

 

Overall, no, I don't think you could compare with India ;)  And every DC I have ever worked in was normally in great shape.. Now I have seen some company stuff at companies that would make you cringe..

Hello,


There are numerous script-blocking extensions for Google Chrome.  I'd suggest picking one you feel comfortable with; I don't have any specific recommendation. 

 

Regards,

 

Aryeh Goretsky

 

You also want to validate that your extensions in Chrome aren't injecting anything. One time I had "DownloadBox" installed and it injected its own ads, bypassing those on the websites I visited; they also included popups and redirects. Uninstalled it and reported the extension, it has since been removed from the Play Store.

On 7/27/2017 at 7:02 AM, saurabhdua said:

Would you believe that each of the employees within this Company has unfettered access to the Internet! From the ones sitting on the Front-desk to those attending phone calls of the Customers, all are connected to the WWW all the time.

 

 

ZOMG NO! You're telling me that a customer service rep has access to the internet while at their desk... alert the authorities...
