8
2
Since this morning strange advertisement is appearing on top of many pages I open in webbrowser (see screenshot at the end). It's happening in any browser (tested FF, IE and Chrome), on any of three machines in our household, even on iPhone (no matter if connected on Wi-Fi or cellular network [not true in the end, see my answer]). Even on Debian system run in VMWare.
Sometimes the ads do not appear in Firefox, but appear in IE. Sometimes they do not appear on iPhone when connected on cellular, but appear when connected on Wi-Fi. But mostly they appear in any case. On some pages the issue corrupts a page rendering.
The advertisement is identical in every case. The same tree banners, except for Amazon banner changing the product. On iPhone the Amazon banner does not load. On some pages the set of ads repeat two or more times.
Some of the pages the problem is happening with:
- superuser.com (any SE site)
- instagram.com
- pinterest.com
- ask.com (ads appear twice)
- bbc.com
Not happening on:
- google.com
- linkedin.com
- youtube.com
- cnn.com
- microsoft.com
(though the lists can be affected by random component of the problem).
The ads are rendered by HTML code injected just after an opening <body>
tag. The code is not present in the HTML itself. But I can see it, when inspecting the page in browser dev tools (e.g. Inspector tool in Firefox), so it's likely generated by some JavaScript. The code is attached at the end of this post. Once the page renders the browser starts connecting to 85.25.138.211.
I do not have any unwanted plugins in the browser(s). Nor I identified any adware/malware on my machine(s). I didn't even expect that, as the problem occurs on iPhone too.
It feels like I got hacked. But I cannot imagine how such hack would work, since it affects different systems (Windows, iOS, Debian). I considered having router hacked, but it also does not seem likely as the issue persist even when I disconnect the iPhone from Wi-Fi. I considered that someone exploited some bug in JavaScript library that all affected pages share. But in that case the issue would be widespread, not just happening to me. But I was not able to find any report of such problem by anyone else [not true in the end, see my answer].
Does anyone have any idea, why this is happening?
<body class="user-page new-topbar" lang="">
<div align="center">
<a title="wygladzanie zmarszczek" rel="nofollow" href="http://track.impreskin.pl/product/ImpreSkin/?uid=21002&pid=153&bid=1659">
<img alt="wygladzanie zmarszczek" src="http://track.impreskin.pl/banner/?uid=21002&pid=153&bid=1659"></img>
</a>
</div>
<div align="center">
<iframe width="728" height="90" frameborder="0" style="border:none;" marginwidth="0" border="0" scrolling="no" src="http://rcm-na.amazon-adsystem.com/e/cm?t=hsiang-20&o=1&p=48&l=ur1&category=electronicsrot&f=ifr&linkID=BXR7UA243P4D75JE">
#document
<html>
<head></head>
<body>
<div id="wrap">
<object width="728" height="90" align="middle" codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
<!--
Tags used by MSIE Rendering engine
-->
<param value="http://ecx.images-amazon.com/images/G/01/associates/2011/ban…vacyTarget=_top&privacyURL=http://www.amazon.com/gp/dra/info" name="movie"></param>
<param value="high" name="quality"></param>
<param value="transparent" name="wmode"></param>
<param value="#FFFFFF" name="bgcolor"></param>
<param value="all" name="allowNetworking"></param>
<param value="always" name="allowScriptAccess"></param>
<!--
Tags used by Mozilla Rendering engine
-->
<embed width="728" height="90" pluginspage="https://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" allowscriptaccess="always" allownetworking="all" bgcolor="#FFFFFF" wmode="transparent" quality="high" src="http://ecx.images-amazon.com/images/G/01/associates/2011/ban…vacyTarget=_top&privacyURL=http://www.amazon.com/gp/dra/info"></embed>
</object>
</div>
<script></script>
</body>
</html>
<!--
autogen flash template V 0.1311154052
-->
</iframe>
</div>
<div align="center">
<!--
default
-->
<div id="ca-block-2228" class="ca-block"></div>
</div>
Which router? Had you updated the firmware to the most recent version? – K7AAY – 2014-10-26T22:31:08.573