Jump to content

Random i_Bongacash javascript injection

Rich_Philp
 Share

Recommended Posts

Rich_Philp

Rich_Philp

Posted
Posted

Hi All,
I'm new to these forums, so if this posted incorrectly, please feel free to move it.
One of my Clients has been "infected" with a odd malware. The symptoms are:

Sites that redirect to another site are effected.
A Porn popup from i_Bongacash pops up a small window at the bottom right of the window featuring a unwanted video clip.
Its a small box that allows you to close it. what else it does when closed, I'm not sure.
I was able to reproduce this on one computer regularly. While it was up, I brought up the source code for the site, which also showed the source for the pop up as well. I was even able to watch as I refreshed the page, and the code appeared out of nowhere.
The code is Javascript. The code first referenced bc-promo.com (or promo-bc.com). It then pulled down a small clip, from i_bongacash.com into the small window. I have the source, but wont post it here for obvious reasons.

It must have come from one computer and spread. But as it doesn't seem to a virus or malware.....

Things I have tried to find out what is causing this:
Bitdefender, Webroot, Malwarebytes, hitmanpro. None of these programs found anything on the computers.
Bitdefender is currently running on the server and one other machine. Server doesn't have any other AV or AM software running.

Things I have done to workaround this:
Added 4 different IP addresses to the Sonicwall block any traffic going to them. 3 addresses found by nslookup of i_bongacash.com, another one that Malwarebytes was blocking. Not sure if this has stopped it. If it has, then I need to find out how this happened or is happening. Very odd how some code can just be injected seemingly out of no where into a page.

Its not an extension, not a program running in the background. if it was either, I would see a strangely named process running, and/or one of the above programs should have picked it up.

Could it be the Sonicwall been infected and doing the injection?
They also have a Microtek router that sites between the internet and the Sonicwall.
I'm running out of ideas as to what to try.

Has anyone come across anything like this? Its very odd, and hard to explain completely.
Thank you,
Rich

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

A Porn popup from i_Bongacash pops up a small window at the bottom right of the window featuring a unwanted video clip.

This looks like Adds from the notifications on the bottom and  right side of some pages.
Next time you see an add click on the notice on the right of the task bar.
If you see a setting wheel open it and change the setting to stop the notifications.

How to Disable Notifications in Google Chrome
https://gadgets.ndtv.com/apps/features/how-to-disable-notifications-in-google-chrome-643057

Add the site to your block list.

Additional information:
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
=====

Please post the Fixlog.txt and let me know if the problem persists.
 

fixlist.txt

Link to post
Share on other sites
Rich_Philp

Rich_Philp

Posted
  • Author
Posted

Hi,

The problem was the Mikrotek router pointed out another poster on another forum. Notes on how I diagnosed it below:

 I went back on site last night, plug the laptop directly into the router. Soon enough the popups came up. 

it is the Mikrotek router. thank you for your reply to the message, and pointing me to it.

Mikrotek version is 4.39 so this is the patch just after the fix patch. The other odd thing, is that I can't manage it. It times out when trying to access it through HTTP and Winbox. Winbox finds it under neighbours, just cant connect.

 

Thank you

Rich

Link to post
Share on other sites
Rich_Philp

Rich_Philp

Posted
  • Author
Posted

Hi Nasdaq,

  I just removed it, and set the Sonicwall up to do both internet and the phone line (SIP line). Easy enough to do, so we didn't need the Mikrotik at all in the end.

As these routers have had this problem, I have lost faith in them, and glad we can do without it.

Thank you,

Rich

Link to post
Share on other sites
  • 2 weeks later...
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept