NS prevented script hosted from an unknown IP, hijack?

[milithruldur]

Hi,

I just started noticing that my browser is trying to make the same connection to an unknown ip address, 58.71.5.205, on TWO SEPARATE websites now, minitheatre.org and myce.com.

The connection to the first website is as follows:

Code: Select all

http://58.71.5.205/n/c1325aeb1b02b0a8c34e9e5707f576d5.js?q=CCKn8pUp8r72G2dzMW1mKKOO3uJ1KDY5w1LKL9hs1V3fh3b2akpt6wPSn%2FeRDX6Toj2P3ilCodQ%2F8omGULMQmJZpDB0UnXgm5UbP6n3S870%3D|1440559191|6aa5a1bed0499f2976da61f2c6193d85&url=http%3A%2F%2Fminitheatre.org%2Fplugins%2Fsystem%2Fyvbbcode%2Fdefault.js

And the second one is this:

Code: Select all

http://58.71.5.205/n/c1325aeb1b02b0a8c34e9e5707f576d5.js?q=8jFohphEkiKg%2FEn9I8ixJaOO3uJ1KDY5w1LKL9hs1V3fh3b2akpt6wPSn%2FeRDX6Toj2P3ilCodQ%2F8omGULMQmJZpDB0UnXgm5UbP6n3S870%3D|1440559843|b02d424c3e2797c5d9e5841644640915&url=http%3A%2F%2Fs3.amazonaws.com%2Fcc.silktide.com%2Fcookieconsent.latest.min.js

I can provide a pastebin link to the source codes of the sites if visiting them is undesirable, but I wonder, is someone (my ISP?) hijacking my http connections?

[milithruldur]

Here's the link to the first script source code http://pastebin.com/pqRfe44g

and here's the link to the second script source code http://pastebin.com/E86WXhY8

Could someone tell me who knows how to read the JS source codes above what the nature of the hijack is, if it is even a hijack?

[barbaz]

Reading through minified JS gives me a headache, but I'd suggest you scan your system for malware per General Troubleshooting Instructions #2 because this smells fishy to me. (The output of `dig 58.71.5.205` is uninformative...)

Can someone who does *not* see this, upload the real scripts (the ones in the url parameter of those URLs) to pastebin as well, for comparison? I would suspect this IP is proxying legitimate scripts to modify them somehow.

[Rollo]

Can someone who does *not* see this, upload the real scripts (the ones in the url parameter of those URLs) to pastebin as well, for comparison? I would suspect this IP is proxying legitimate scripts to modify them somehow.

Not sure if this is what you were asking for, but:

Site_1

Code: Select all

http://minitheatre.org

Script source:
http://minitheatre.org/plugins/system/yvbbcode/default.js

I get:
http://pastebin.com/CJdcxGHC

Site_2

Code: Select all

http://myce.com

Script source:
s3.amazonaws.com/cc.silktide.com/cookieconsent.latest.min.js

I get:
http://pastebin.com/sTQnXxRm

I'm putting all this stuff under the "code" tag because of the spam filter.

[yes_noscript]

minitheatre with the js script looks clean. Test with NoScript Security and Privacy Info links, VirusTotal, sitecheck.sucuri.net and wepawet.iseclab.org

myce looks clean too, but not the js script: https://www.virustotal.com/de/url/dfb84 ... 440617941/
Anyway maybe its a false posivitv.

[barbaz]

@Rollo: Yes that's it, thanks. Looks like this mystery IP is stuffing a TON of code after the real script & serving it as one package.

[milithruldur]

Hi all,

Thank you for looking into this.

A whois 58.71.5.205 on my system results in:

Code: Select all

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '58.71.0.0 - 58.71.127.255'

inetnum:        58.71.0.0 - 58.71.127.255
netname:        IPG
descr:          IPG
descr:          Philippine Long Distance Telephone Company
country:        PH
admin-c:        RR5-AP
tech-c:         JG149-AP
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-lower:      PHIX-NOC-AP
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-irt:        IRT-PLDT-PH
changed:        hm-changed@apnic.net 20050401
changed:        hm-changed@apnic.net 20050412
changed:        hm-changed@apnic.net 20150602
source:         APNIC
<snip>

After a search for IPG around the net, it appears that IPG stands for Interpublic Group, with a website located at https://www.mbww.com/. From the site, it appears that IPG is some sort of advertising/analytics company:

A proven entity in helping clients maximize business results through integrated, intelligence-driven marketing strategies, IPG Mediabrands is committed to driving automated buying, pay-for-performance and digital innovation solutions through its network of media agencies including UM, Initiative, BPN, Orion Holdings, and ID Media. Its roster of specialty service agencies including MAGNA GLOBAL, Ansible, Cadreon, Reprise, Mediabrands Audience Platform, Mediabrands Publishing, IPG Media Lab, Ensemble, and Identity offer technologies and industry moving partnerships that are recognized for delivering unprecedented bottom line results for clients.

So it looks like my ISP (PLDT) is somewhat trying to shove some advertising, or worse tracking, crap into some of my http connections. Thankfully NS prevented this from happening. With this behavior, I can appreciate and am more convinced about the the call to deperecate non-secure http [1], or at least have all sites run https using a free, open certificate authority [2], if commercial certificate authorities are beyond their means. The surprising thing about this is that after a couple of hours, I no longer get connections being made to said IP address.

@barbaz

Could you look into my account, braveheartleo? When I tried to log-in my account, I'm greeted with a "The specified username is currently inactive. If you have problems activating your account, please contact a board administrator." I wonder why my username became inactive. Is it because I haven't log-in after a while?

Thank you.

[1] https://blog.mozilla.org/security/2015/ ... cure-http/
[2] https://letsencrypt.org/

[barbaz]

The board broke your link, to avoid that place it in url tags, like this

Code: Select all

[url]link here[/url]

(but I think that one it's the same as in viewtopic.php?f=18&t=20869)

@barbaz

Could you look into my account, braveheartleo? When I tried to log-in my account, I'm greeted with a "The specified username is currently inactive. If you have problems activating your account, please contact a board administrator." I wonder why my username became inactive. Is it because I haven't log-in after a while?

Thank you.

I can't find your account & there are no posts here under that name, so if you are *sure* you registered here, this is a matter for the Admin, Giorgio Maone. We Mods can't do much with accounts.
What I can do though is once your account is up & working, put your guest posts under it if you want.

[braveheartleo]

The board broke your link, to avoid that place it in url tags, like this

Code: Select all

[url]link here[/url]

(but I think that one it's the same as in viewtopic.php?f=18&t=20869)

@barbaz

Could you look into my account, braveheartleo? When I tried to log-in my account, I'm greeted with a "The specified username is currently inactive. If you have problems activating your account, please contact a board administrator." I wonder why my username became inactive. Is it because I haven't log-in after a while?

Thank you.

I can't find your account & there are no posts here under that name, so if you are *sure* you registered here, this is a matter for the Admin, Giorgio Maone. We Mods can't do much with accounts.
What I can do though is once your account is up & working, put your guest posts under it if you want.

Hi,

Thanks for the tip. Regarding my account, it was inactive because I hadn't activated my account, and when I looked in my inbox, I saw the activation link dated December 2014, and here I am now.

I guess you can add my story to your growing anecdotes of NS success stories. This little incident also highlights the dangers of unencrypted connections, and how you cannot really trust even your ISP, that it can manipulate/monitor your traffic in the open transparently at will.

[braveheartleo]

UPDATE: it looks like it hasn't really stopped, but merely manifested itself in other websites. I still see script requests to said unknown IP adddress.

For good measure, I have opted to block ANY request to the IP block that the unknown IP address belongs to on my OpenWRT router:

Code: Select all

iptables -A forwarding_rule -d 58.71.0.0/18 -j reject

[Thrawn]

That's a good move. Note that NoScript won't block all traffic to those IPs, merely active content, so they could still track you via images, stylesheets, etc.