Unusual entries found in page source when "view page source": view-source:https://fleatechoz.webthings.io/things

WebThings
#1

Hi all.
Still sorting things out from my last post relating to Mesh Networks and WebThings… To be updated.

In the mean tine, curiosity led me to looking at what the page code contains for my page, as it seemed to be very slow recently.

What I found was disturbing, to say the least. To begin with, we have a LARGE block section that begins with;

class=hidden> [
… and ends with ;
]{ display: none !important }

Within this block I have found hundreds of entries, a few listed below…

href^="http://join.shemale.xxx/"],a[href^="http://www.afgr2.com/"],[href^="https://www.brighteonstore.com/products/"] img,a[href^="https://go.goasrv.com/"],a[href^="https://www.arthrozene.com/"][href*="?tid="],a[href^="https://adserver.adreactor.com/"],a[href^="https://refpazkjixes.top/"],a[href^="https://adclick.g.doubleclick.net/"],a[href^="http://vinfdv6b4j.com/"],a[href^="https://go.tmrjmp.com"],a[href^="https://twinrdsyn.com/"],a[href^="http://keep2share.cc/pr/"],a[href^="http://see-work.info/"],a[href^="https://ak.hetaruwg.com/"],[data-ad-manager-id],div[jsdata*="CarouselPLA-"][data-id^="CarouselPLA-"],[href^="http://misslinkvocation.com/"],[href^="https://www.avantlink.com/click.php"] img,a[href^="http://get.slickvpn.com/"],div[data-native_ad],a[href^="http://xtgem.com/click?"],a[href^="https://frameworkdeserve.com/"],a[href^="https://fakelay.com/"],a[href^="http://go.fpmarkets.com/"],[href^="http://join.shemalepornstar.com/"],[href^="https://kingered-banctours.com/"],[href*="incentrev.com/"] img,a[href^="http://clicks.binarypromos.com/"],a[href^="http://pubads.g.doubleclick.net/"],a[href^="https://www.kingsoffetish.com/tour?partner_id="]

This is only a small portion of what was found. Is this injected at the server end or do I have an issue of a trojan somewhere.

I really have no idea why this is there. If anyone would like to look at the whole contents, I can share via Google Drive.

Any ideas?

#2

Could you please provide the file/page where you find edit sorry i didnt see it was in the title, is the content appear also using the local ip instead of the proxy ?

#3

Hi Martin.

This was viewed whilst going through the proxy to access my Thing Server at

https://fleatechoz.webthings.io/things

Then using "view page source in Firefox, the URL is

view-source:https://fleatechoz.webthings.io/things

The complete list is very long, with the unusual hidden stuff at the end.

#4

This is likely injected by an extension like an adblocker.

#5

Odd, as I do not have an adblocker running. I do use “Privacy Badger” as a plugin on Firefox?
This very long “list” slows down the RPi WebThing server.

#6

Can you try with the local address and not the gateway sddress?

#7

I loaded your “/thing” web page and inspected the login page using F12. It loaded correctly and completed without any injected web sites. As others proposed, check your browser configuration/addons or simply use another browser…

#8

Will try local when I get back home tonight.
Thanks.

#9

I just checked the “login” page for my Gateway, the injected sites appear within the “login” page.
Conversly, checking the “local” version, no injected sites appear.
I currently use Firefox version 103.0.1 (64-bit) with the only active plugin being Privacy Badger.
I’ll try Chrome next.

#10

Just tested with Chrome, Version 104.0.5112.80 (Official Build) (64-bit). The injected sites appear within the “login” page.
This is starting to look serious.

#11

Also try in private browsing since some addon are disabled

#12

Thanks for the idea. Will do…

#13

Ok. Now the panic sets in. The hidden injected lines appear within a Private Window of the “login” page. This is bizarre and warrants further investigation.

#14

Hello, i go to your login page, and this is what i got:


>  > <!doctype html> <html> <head> <meta charset=utf-8> <meta name=viewport content="width=device-width,initial-scale=1"> <meta name=theme-color content=#75AACF> <title data-l10n-id=login-title>Login - WebThings Gateway</title> <link rel=manifest href=[/app.webmanifest](https://fleatechoz.webthings.io/app.webmanifest)> <link rel=icon href=[/images/icon.png](https://fleatechoz.webthings.io/images/icon.png) type=image/png /> <link rel=stylesheet type=text/css href=[/css/app.css](https://fleatechoz.webthings.io/css/app.css) /> <link rel=stylesheet type=text/css href=[/css/user-form.css](https://fleatechoz.webthings.io/css/user-form.css) /> </head> <body> <img id=wordmark data-l10n-id=wordmark src=data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA2OC4yODQgMTYuOTMzIiBoZWlnaHQ9IjY0IiB3aWR0aD0iMjU4LjA4MSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTI2MDUuNjkgLTc2OTkuODIyKSBzY2FsZSgxLjY0MjEyKSI+PHJlY3Qgcnk9IjEuMzIzIiByeD0iMS4zMjMiIGhlaWdodD0iMTAuMzAxIiB3aWR0aD0iMTAuMzAxIiB5PSI0Njg4Ljk2MyIgeD0iMTU4Ni43ODgiLz48ZyBzdHJva2Utd2lkdGg9IjIuMzAxIiBjb2xvcj0iIzAwMCIgZmlsbD0iI2ZmZiI+PHBhdGggZD0iTTE1OTIuNzg4IDQ2OTQuNTAyYTEuMzM3IDEuMzM3IDAgMDEtMS4zMzggMS4zMzcgMS4zMzcgMS4zMzcgMCAwMS0xLjMzNy0xLjMzNyAxLjMzNyAxLjMzNyAwIDAxMS4zMzctMS4zMzggMS4zMzcgMS4zMzcgMCAwMTEuMzM4IDEuMzM4em0uMzI3LTMuMDEzYS44MS44MSAwIDAxLS44MS44MS44MS44MSAwIDAxLS44MS0uODEuODEuODEgMCAwMS44MS0uODEuODEuODEgMCAwMS44MS44MXptMi42ODcgMi4yOGEuODEuODEgMCAwMS0uODEuODEuODEuODEgMCAwMS0uODEtLjgxLjgxLjgxIDAgMDEuODEtLjgxLjgxLjgxIDAgMDEuODEuODF6bS0xLjM0NCAyLjk3MWEuODEuODEgMCAwMS0uODEuODEuODEuODEgMCAwMS0uODA5LS44MS44MS44MSAwIDAxLjgxLS44MDkuODEuODEgMCAwMS44MS44MXptLTQuNTU5LS4zNjZhLjgxLjgxIDAgMDEtLjgxLjgxLjgxLjgxIDAgMDEtLjgxLS44MS44MS44MSAwIDAxLjgxLS44MS44MS44MSAwIDAxLjgxLjgxem0tLjIwNC00LjI3NGEuODEuODEgMCAwMS0uODEuODEuODEuODEgMCAwMS0uODEtLjgxLjgxLjgxIDAgMDEuODEtLjgxLjgxLjgxIDAgMDEuODEuODF6IiBzdHlsZT0iaXNvbGF0aW9uOmF1dG87bWl4LWJsZW5kLW1vZGU6bm9ybWFsO3NvbGlkLWNvbG9yOiMwMDA7c29saWQtb3BhY2l0eToxIiBvdmVyZmxvdz0idmlzaWJsZSIvPjxwYXRoIGQ9Ik0xNTg5Ljc0NyA0NjkyLjM2NGwtLjU0Mi41NzkuOTk4LjkzNC41NDItLjU4em00LjM3MiAxLjE4bC0xLjQ0LjI5OC4xNjEuNzc4IDEuNDQtLjI5OXptLTEuNDQ5IDEuNjM0bC0uNTY2LjU1Ni42OTQuNzA3LjU2Ny0uNTU2em0tMi41MTQtLjE1NmwtLjY4LjUzOC40OTQuNjIyLjY3OS0uNTM4em0xLjU0Ni0yLjg2MmwtLjI2OC45NDcuNzYzLjIxNi4yNjktLjk0N3oiIHN0eWxlPSJsaW5lLWhlaWdodDpub3JtYWw7Zm9udC12YXJpYW50LWxpZ2F0dXJlczpub3JtYWw7Zm9udC12YXJpYW50LXBvc2l0aW9uOm5vcm1hbDtmb250LXZhcmlhbnQtY2Fwczpub3JtYWw7Zm9udC12YXJpYW50LW51bWVyaWM6bm9ybWFsO2ZvbnQtdmFyaWFudC1hbHRlcm5hdGVzOm5vcm1hbDtmb250LWZlYXR1cmUtc2V0dGluZ3M6bm9ybWFsO3RleHQtaW5kZW50OjA7dGV4dC1hbGlnbjpzdGFydDt0ZXh0LWRlY29yYXRpb24tbGluZTpub25lO3RleHQtZGVjb3JhdGlvbi1zdHlsZTpzb2xpZDt0ZXh0LWRlY29yYXRpb24tY29sb3I6IzAwMDt0ZXh0LXRyYW5zZm9ybTpub25lO3RleHQtb3JpZW50YXRpb246bWl4ZWQ7d2hpdGUtc3BhY2U6bm9ybWFsO3NoYXBlLXBhZGRpbmc6MDtpc29sYXRpb246YXV0bzttaXgtYmxlbmQtbW9kZTpub3JtYWw7c29saWQtY29sb3I6IzAwMDtzb2xpZC1vcGFjaXR5OjEiIGZvbnQtd2VpZ2h0PSI0MDAiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBvdmVyZmxvdz0idmlzaWJsZSIgZmlsbC1ydWxlPSJldmVub2RkIi8+PC9nPjwvZz48cGF0aCBkPSJNMjUuMDIzIDEzLjM4N2gtLjM3NHYxLjk4MmgtLjQxMWwtLjA2Ny0uNjZxLS4yMTIuMzE1LS42MDkuNTI4LS4zOS4yMDYtLjkxOC4yMDYtLjk4NCAwLTEuNTkzLS43MDUtLjYxLS43MDUtLjYxLTEuNzMzIDAtLjY5LjI5NC0xLjI0OC4zMDEtLjU2NS44MjMtLjg5Ni41MjgtLjMzNyAxLjIxMS0uMzM3LjU3MyAwIC45OTkuMTYxLjQzMy4xNTQuNzA0LjM5N2wuMTMzLjg5NS0uNDU2LjA1Mi0uMTQ2LS42NzZxLS4xOTktLjEzMi0uNDg1LS4yMzUtLjI3OS0uMTEtLjcyLS4xMS0uOCAwLTEuMjkyLjU1LS40OTIuNTUyLS40OTIgMS40MjUgMCAuODg5LjQ3IDEuNDMyLjQ3LjU0MyAxLjI1Ni41NDMuNjUzIDAgMS4wMTMtLjM1Mi4zNi0uMzYuMzYtLjc5M3YtLjQyNmgtMS4xMzh2LS40NzdoMi4wNDh6bS43OTctMS4wMzVxLjI1Ni0uMTY5LjU0Mi0uMjQyLjI4Ny0uMDc0LjYxLS4wNzQgMS4xNjcgMCAxLjE2NyAxLjA5NHYxLjU1N3EwIC4zNTIuMjguMzUyLjEyNCAwIC4yMi0uMDQ0bC4wMDcuMzM4cS0uMTk4LjExLS40MjYuMTEtLjU4IDAtLjU5NS0uNjZ2LS4wMTZxLS4xNTQuMjY1LS40NC40Ny0uMjguMjA2LS42NzYuMjA2LS4zMjMgMC0uNjYtLjE5OC0uMzMtLjE5OS0uMzMtLjcyIDAtLjYxNy40ODQtLjgwNy40OTItLjE5OSAxLjA0Mi0uMTk5LjE0NyAwIC4yOTQuMDA4LjE1NC4wMDcuMjg2LjAyMnYtLjI5NHEwLS4zNTItLjE1NC0uNTczLS4xNDctLjIyLS41ODctLjIyLS4zNiAwLS42MzIuMTMybC0uMTI1LjU2NS0uNDI1LS4wNXptMS44MDUgMS43OTF2LS4yNXEtLjE0LS4wMDctLjI5My0uMDIxLS4xNTUtLjAxNS0uMzE2LS4wMTUtLjM2NyAwLS42NjguMTE3LS4yOTQuMTEtLjI5NC40OTIgMCAuMzE2LjE5OC40MzQuMTk4LjExNy40MTEuMTE3LjMzOCAwIC42MzItLjIzNS4zLS4yMzUuMzMtLjYzOXptMy44MjkuMzQ1cS0uMTMzLjk1NS0xLjAzNi45NTUtLjQ5MiAwLS43NTYtLjI4LS4yNTctLjI3OC0uMjU3LS43NTV2LTEuODk1aC0uNTI5di0uNDFoLjUzdi0xLjA1aC41MTN2MS4wNWgxLjI3OHYuNDFoLTEuMjc4djEuODI5cTAgLjI5My4xMjUuNDc3LjEzMi4xNzYuNDI2LjE3Ni4xOSAwIC4zNTItLjExNy4xNjktLjExOC4yNDItLjUxNHptMy4yMzEtLjA1OHEtLjA2Ni40MTgtLjQxOS43Mi0uMzUyLjI5My0uOTU0LjI5My0uNjkgMC0xLjExNi0uNDMzLS40MjYtLjQzMy0uNDI2LTEuMjI2IDAtLjc2NC40MDQtMS4yNTZ0MS4wOTQtLjQ5MnEuNjc1IDAgMS4wMjguNDI2LjM1Mi40MjYuMzYgMS4wMDYgMCAuMTktLjA0NS4zODloLTIuMjk4cS4wNDQgMS4xNDUgMS4wMzUgMS4xNDUuMzkgMCAuNjEtLjE4My4yMi0uMTg0LjI5NC0uNDg1em0tLjU3My0uOTU1cS4wMzctLjM2Ny0uMTc2LS42OS0uMjA2LS4zMjMtLjY4My0uMzIzLS40NTUgMC0uNjY4LjMwMS0uMjEzLjMwMS0uMjY0LjcxMnptNi4zMTQtLjk1NWgtLjM3NWwtLjk2MSAyLjg1aC0uMzk3bC0uOTk4LTIuNDk3aC0uMDM3bC0uOTc3IDIuNDk2SDM2LjNsLS45OTktMi44NDhoLS4zNnYtLjQxOWgxLjU0MnYuNDE5aC0uNjI0bC42ODMgMi4wNjNoLjAzN2wuOTY5LTIuNDgyaC4zNDVsMS4wMiAyLjQ4MmguMDM3bC42MDItMi4wNjNoLS41OTV2LS40MTloMS40Njl6bS42NjUtLjE2OHEuMjU3LS4xNjkuNTQzLS4yNDIuMjg3LS4wNzQuNjEtLjA3NCAxLjE2NyAwIDEuMTY3IDEuMDk0djEuNTU3cTAgLjM1Mi4yOC4zNTIuMTI0IDAgLjIyLS4wNDRsLjAwNy4zMzhxLS4xOTguMTEtLjQyNi4xMS0uNTggMC0uNTk1LS42NnYtLjAxNnEtLjE1NC4yNjUtLjQ0LjQ3LS4yOC4yMDYtLjY3Ni4yMDYtLjMyMyAwLS42Ni0uMTk4LS4zMy0uMTk5LS4zMy0uNzIgMC0uNjE3LjQ4NC0uODA3LjQ5Mi0uMTk5IDEuMDQyLS4xOTkuMTQ3IDAgLjI5NC4wMDguMTU0LjAwNy4yODYuMDIydi0uMjk0cTAtLjM1Mi0uMTU0LS41NzMtLjE0Ny0uMjItLjU4Ny0uMjItLjM2IDAtLjYzMi4xMzJsLS4xMjUuNTY1LS40MjUtLjA1em0xLjgwNiAxLjc5MXYtLjI1cS0uMTQtLjAwNy0uMjkzLS4wMjEtLjE1NS0uMDE1LS4zMTYtLjAxNS0uMzY3IDAtLjY2OC4xMTctLjI5NC4xMS0uMjk0LjQ5MiAwIC4zMTYuMTk4LjQzNC4xOTkuMTE3LjQxMS4xMTcuMzM4IDAgLjYzMi0uMjM1LjMtLjIzNS4zMy0uNjM5em00LjY2OS0xLjYyM2gtLjM4OWwtMS4xNTIgMi44NS0uNDQxIDEuMTQ1aC41NTh2LjQxOGgtMS42NnYtLjQxOGguNjFsLjQyNi0xLjE1My0xLjE5LTIuODQxaC0uMzg5di0uNDE5aDEuNTEzdi40MTloLS41NzNsLjkxOCAyLjE5NWguMDQ0bC44MTUtMi4xOTVoLS41Mjl2LS40MTloMS40NHoiIGFyaWEtbGFiZWw9IkdhdGV3YXkiIGZvbnQtd2VpZ2h0PSI0MDAiIGZvbnQtc2l6ZT0iNy4zNDIiIGZvbnQtZmFtaWx5PSJzYW5zLXNlcmlmIiBsZXR0ZXItc3BhY2luZz0iMCIgd29yZC1zcGFjaW5nPSIwIiBmaWxsPSIjZmZmIi8+PGcgc3R5bGU9ImxpbmUtaGVpZ2h0OjAlIj48cGF0aCBzdHlsZT0ibGluZS1oZWlnaHQ6MS4yNTstaW5rc2NhcGUtZm9udC1zcGVjaWZpY2F0aW9uOidaaWxsYSBTbGFiIFNlbWktQm9sZCc7dGV4dC1hbGlnbjpzdGFydCIgZD0iTTI5LjA1MSAyLjc3N2gtLjUybC0xLjczNCA1LjQ0aC0uODA0bC0xLjU1OC00LjQ5aC0uMDQ5bC0xLjUxIDQuNDloLS44MTNsLTEuODQyLTUuNDRoLS41NXYtLjkzMWgyLjQyMnYuOTMxaC0uNzA2bDEuMDk4IDMuNjQ2aC4wNDlsMS4yNjQtMy42NDZoLS41NTl2LS45MzFoMi40MTF2LjkzMWgtLjUybDEuMjY1IDMuNjk1aC4wNWwuOTk5LTMuNjk1aC0uNzg0di0uOTMxaDIuMzkxem0zLjk3MSA0LjA5N3EtLjA2LjU3OC0uNTY5IDEuMDEtLjUxLjQzLTEuNDAxLjQzLS45NiAwLTEuNTc4LS41NTgtLjYxOC0uNTY5LS42MTgtMS42NjYgMC0xLjAxLjU1OS0xLjY4Ni41NjgtLjY3NiAxLjU3OC0uNjc2LjkxMSAwIDEuNDQuNTQ5LjU0LjUzOS41NSAxLjM3MiAwIC4yNzQtLjA2LjU4OGgtMi45N3EuMDkgMS4yMzUgMS4xNzcgMS4yMzUuNTEgMCAuNzI1LS4yNDUuMjI2LS4yNDUuMjk0LS41MnpNMzEuOTA0IDUuNTlxLjA0LS4zOTItLjE4Ni0uNzM1LS4yMTYtLjM1My0uNzM1LS4zNTMtLjQ3IDAtLjcxNS4zMTQtLjI0Ni4zMTMtLjMwNC43NzR6bTYuNDQ0LjMyM3EwIC45MzEtLjQ5IDEuNjY2LS40OS43MzUtMS41MDkuNzM1LTEuMDM5IDAtMS40Ni0uNzg0LS4wMi4xMTgtLjA1LjM0My0uMDI5LjIyNi0uMDQ4LjM0M2gtMS4wNHEuMDYtLjMyMy4xMDktLjY1Ni4wNDktLjM0My4wNDktLjY2N1YyLjI3N2gtLjY1N3YtLjgwM2gxLjY5NnYzLjIxNHEuMTk2LS4zOTIuNTQ4LS42NzYuMzYzLS4yODQuOTctLjI4NC44MzQgMCAxLjM1My41NzguNTMuNTY4LjUzIDEuNjA3em0tMS4wODcuMDg4cTAtLjY5NS0uMzE0LTEuMDU4LS4zMTQtLjM3Mi0uODA0LS4zNzItLjU1OCAwLS44NzIuNDExLS4zMTQuNDEyLS4zMjMuODkydi4zMTRxMCAuNTM5LjMxMy45MjEuMzI0LjM3Mi44NDMuMzcyLjU0OSAwIC44NTMtLjQwMS4zMDQtLjQwMi4zMDQtMS4wNzl6bTYuOTc4LTIuMDc3bC0uOTQxLjA3OC0uMTk2LTEuMjI1aC0xLjI0NXY0LjUwOGgxLjA2OHYuOTMxSDM5Ljc0di0uOTNoMS4wM3YtNC41MWgtMS4yNTVsLS4xOTYgMS4yMjUtLjkzMS0uMDc4LjE5Ni0yLjA3OGg1LjQ1OXptNS43MTEgNC4yOTJoLTIuMzYzdi0uODAzaC42NTdWNS42ODhxMC0uNjI3LS4yMzUtLjg4Mi0uMjM1LS4yNjUtLjYzNy0uMjY1LS40OCAwLS43NjUuMzE0LS4yODQuMzEzLS4zMDQuNzY0djEuNzk0aC42NDd2LjgwM2gtMi4zNTJ2LS44MDNoLjY1N1YyLjI3N2gtLjY1N3YtLjgwM2gxLjcwNVY0LjU0cS40NTEtLjgxMyAxLjQ2LS44MTMuNjM4IDAgMS4wNzkuMzgyLjQ1LjM4Mi40NSAxLjE5NnYyLjEwN2guNjU3em0xLjAyMS01LjMxMlYxLjc0OGgxLjA2OXYxLjE1NnptMS43NTUgNS4zMTJoLTIuMzUzdi0uODAzaC42NTdWNC42MjloLS42OTZ2LS44MTNoMS43MzV2My41OTdoLjY1N3ptNS44MzEgMGgtMi4zNTJ2LS44MDNoLjY0NlY1LjY4OHEwLS42MjctLjIyNS0uODgyLS4yMjUtLjI2NS0uNjI3LS4yNjUtLjUgMC0uNzk0LjMyNC0uMjg0LjMyMy0uMjk0Ljc5M3YxLjc1NWguNjU3di44MDNoLTIuMzYydi0uODAzaC42NTZWNC42MjloLS42ODZ2LS44MTNoMS43MzV2LjcxNXEuNDYtLjgwMyAxLjQ2LS44MDMuNjI3IDAgMS4wNzguMzgyLjQ1MS4zODIuNDUxIDEuMTk2djIuMTA3aC42NTd6bTUuNDU4LTMuNTg2aC0uNjM3djMuNDJxMCAxLjA0OS0uNTg4IDEuNjk1LS41NzguNjQ3LTEuNzM1LjY0Ny0uNjg2IDAtMS4yODQtLjI5NC0uNTk3LS4yOTQtLjg0Mi0xLjAxbC44MTMtLjQ0cS40MTIuOTAxIDEuMzMzLjkwMS41NDkgMCAuOTAyLS4zOTIuMzUyLS4zOTIuMzUyLTEuMTE3di0uNjU3cS0uMTg2LjM1My0uNTM5LjYwOC0uMzQzLjI0NS0uOTUuMjQ1LS43NzUgMC0xLjM0My0uNTM5LS41NTktLjU0OS0uNTU5LTEuNTg4IDAtLjk0LjUtMS42NTYuNTEtLjcyNSAxLjQ3LS43MjUgMSAwIDEuNDIxLjc3NHYtLjY4NmgxLjY4NnpNNjIuMzMgNi4xMnYtLjM1NHEwLS41NDktLjMxMy0uODcyLS4zMTQtLjMyMy0uNzg0LS4zMjMtLjU1IDAtLjg0My40MDEtLjI5NC4zOTItLjI5NCAxLjA2OSAwIC42OTYuMjk0IDEuMDI5LjI5NC4zMjMuNzQ1LjMyMy41NTggMCAuODcyLS4zOTIuMzIzLS4zOTIuMzIzLS44ODJ6bTUuOTU0Ljc4M3EwIC42ODYtLjU2OSAxLjA0OS0uNTU4LjM2Mi0xLjQzLjM2Mi0uNDcgMC0uOTUxLS4xMDctLjQ3LS4xMDgtLjg1My0uMzI0bC4xNTctMS4xMzcuODIzLjA3OS0uMDEuNTY4cS4xODcuMDc5LjM5My4xMDguMjE1LjAzLjM4Mi4wMy40MDIgMCAuNjk2LS4xMzguMzAzLS4xNDcuMzAzLS40MzEgMC0uMjc0LS4yNzQtLjM5Mi0uMjY1LS4xMTgtLjY2Ni0uMTc2LS40MDItLjA3LS44MDQtLjE3Ny0uNDAyLS4xMTgtLjY3Ni0uMzcyLS4yNjUtLjI2NS0uMjY1LS43ODQgMC0uNzY1LjU3OC0xLjA1LjU4OC0uMjgzIDEuMjM1LS4yODMuODUzIDAgMS42MDguNDAybC4xMDcgMS4wODctLjgyMy4wOTgtLjA4OC0uNjU2cS0uMzgyLS4xNDctLjc3NC0uMTQ3LS4zMDQgMC0uNTIuMTI3LS4yMDYuMTE4LS4yMDYuMzgyIDAgLjI3NS4yNjUuMzgzLjI2NS4xMDcuNjU3LjE3Ni4zOTIuMDU5Ljc4NC4xNzYuMzkyLjEwOC42NTYuMzczLjI2NS4yNTUuMjY1Ljc3NHoiIGFyaWEtbGFiZWw9IldlYlRoaW5ncyIgZm9udC13ZWlnaHQ9IjYwMCIgZm9udC1zaXplPSI5LjgwMSIgZm9udC1mYW1pbHk9IlppbGxhIFNsYWIiIGxldHRlci1zcGFjaW5nPSIwIiB3b3JkLXNwYWNpbmc9IjAiIGZpbGw9IiNmZmYiLz48L2c+PC9zdmc+ /> <form id=login-form class=user-form method=post> <input type=email id=email name=email data-l10n-id=user-settings-input-email autofocus> <input type=password id=password name=password data-l10n-id=user-settings-input-password> <div id=totp-prompt data-l10n-id=login-enter-totp class=hidden></div> <input type=hidden id=totp name=totp data-l10n-id=user-settings-input-totp minlength=6 maxlength=12 pattern=([0-9]{6}|[0-9a-f]{12})> <div id=error-submission class="error hidden"></div> <button id=login-button data-l10n-id=login-log-in type=submit></button> </form> <script type="text/javascript" src="[/bundle/642c626a1436a3a16ebd-login.js](https://fleatechoz.webthings.io/bundle/642c626a1436a3a16ebd-login.js)"></script></body> </html>  |
> - | - |

so if you got something else from your login page: https://fleatechoz.webthings.io/login/

then the injection really happen on your side!

#15

I get the same, but the injected code appears as such…

src="[/bundle/642c626a1436a3a16ebd-login.js](view-source:https://fleatechoz.webthings.io/bundle/642c626a1436a3a16ebd-login.js)"></script><style>[href^="https://www.reimageplus.com/"]

from onwards.

I suspect that you are correct in that injection is happening at my end.

#16

According to your description (specifically the { display: none !important } part), this looks like cosmetic filters an adblocker would inject (CSS rules to hide things it considers “bad”).

#17

Hi Denis.
I suspect that you are correct. What bothers me is “what adblocker” is doing this. In using Firefox, I have no adblocker installed, just the default security settings. I do use a VPN service but none of the settings should affect the browser. Still looking for an answer.

#18

Could also bu spyware or similare stuff

#19

Hi Martin.
I have thought of this and scanned using all the tools that are commonly known. Do you recommend any?

#20

Linux lol but without joke, i use malwarebyte back.in the time