I took my laptop to a local restaurant yesterday to do some work setting up a new web app. I get the server in place, and created a simple HTML page:
<html>
<body>Hello, world.</body>
</html>
I start the server (Jersey), and then issue the following command to make sure everything is working properly:
curl http://localhost:8080/assets/index.html
Imagine my surprise when instead of my simple document I see the following returned:
<html lang="en" xml:lang="en"><!PAGEREF 1>
<head><title>Eguide</title>
<script type="text/javascript" src="/all/rootscript.js"></script>
<script type="text/javascript" src="/cobrandscript.js"></script>
</head>
<!--
/yp/home.htm
<a href="http://webmailtest.bellsouth.net" target=_top>Webmail test</a>
v. 2.8b srv24
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="0;URL=http://home.bellsouth.net">
</head>
<body>
</body>
</html>
<html>
<body>Hello, world.</body>
</html>
My document is there at the bottom, but before that there is a mess of code that has somehow been injected. My first thought was to grep my system for some of the strings contained in the resultant HTML (e.g. grep -ri cobrandscript run from the root directory) . There were no files on my system that were suspect. So, I turn off my wifi and issue the same curl command. This time, my 3-line HTML document is then returned, without any of the additions.
It appears that the ISP is injecting HTML into an HTML document which is being served from localhost.
My question is: how is this possible? This is content being served by localhost; this implies that a request to localhost is in fact hitting the outside network, at least when connected, and that behavior seems grossly incorrect to me.
