views: 843

answers: 7

I've noticed for quite a long time that strange domains such as jsev.com and cssxx.com appeared in my Firefox status bar from time to time. I always wonder why so many web pages contain resources from these strange domains. I googled it, but found nothing. I guess it's some kind of virus which infects the servers and inserts the code. Here is a sample taken from the page header of http://www.eflorenzano.com/threadexample/blog/:

<script language="javascript" src="http://i.jsev.com./base.2032621946.js"> </script>
<body onmousemove="return fz3824();">
<LINK REL="stylesheet" TYPE="text/css" HREF="http://i.cssxx.com./base2032621947.css">
<A HREF = "http://i.html.com./base2032621947.html"></A>
<SCRIPT LANGUAGE="JAVASCRIPT" SRC="http://i.js.com./base2032621947.js"></SCRIPT>
<SCRIPT LANGUAGE="JAVASCRIPT">
function getuseragnt()
{ var agt = navigator.userAgent.toLowerCase();
  agt = agt.replace(/ /g, "");
  return agt;
}
document.write("<LINK REL='stylesheet' TYPE='text/css' HREF='http://i.css2js.com./base.css" + getuseragnt() + "_2032621947'>") 
</SCRIPT>

edit: I am on a Debian box, and I only see this code in Firefox. I just tried Opera, and this code doesn't appear in Opera. Really strange, I've never heard of Firefox having such problems.

+3  A: 

It may be a browser worm installed on your machine. You should scan the entire system.

mucit
+2  A: 

I see nothing unusual about that page. Check your system. Here's the code I received:

<head><title>Tutorial 2</title>
<link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.4.1/build/reset/reset-min.css">
<link rel="stylesheet" type="text/css" href="http://media.eflorenzano.com/css/example2.css">
<script type="text/javascript" src="http://media.eflorenzano.com/js/jquery-1.2.2.min.js"></script>
<script type="text/javascript" src="http://media.eflorenzano.com/js/jquery.form.js"></script>

<script type="text/javascript">
    var _POSTER = '';
    var _FORM = '<textarea id="id_comment" rows="10" cols="40" name="comment"></textarea>';
    var _FORM_URL = '/threadexample/threadedcomments/comment/9/1/json/';
    var _REGISTER_URL = '/threadexample/register';
    var _CHECK_EXISTS_URL = '/threadexample/check_exists';
    var _LOGIN_URL = '/threadexample/login';
    var _IS_FOCUSED = null;
    var _ARROW_IMG_BASE = 'http://media.eflorenzano.com/img/arrow_';
    var _VOTE_BASE = '/threadexample/vote/';
</script>

<script type="text/javascript" src="http://media.eflorenzano.com/js/example2.js"></script>
</head>
John Millikin
A: 

That could very well be the case, as this does kinda look like some shady code. What if you use a different computer, does the source look the same?

Eric Wendelin
A: 

Hm ... No solution here, but as a datapoint: It doesn't look at all like that for me (Firefox 3.0.3, in Gentoo Linux). I get the following interesting elements in the header:

<link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.4.1/build/reset/reset-min.css">
<link rel="stylesheet" type="text/css" href="http://media.eflorenzano.com/css/example2.css">
<script type="text/javascript" src="http://media.eflorenzano.com/js/jquery-1.2.2.min.js">
<script type="text/javascript" src="http://media.eflorenzano.com/js/jquery.form.js">
[...]
<script type="text/javascript" src="http://media.eflorenzano.com/js/example2.js">

This looks fairly clean to me; four references to resources on the same server, plus one CSS from what looks like Yahoo!. Strange, I wonder why it looked so different for you. Hopefully some true web wizard can shed some light on that.

Also, I notice that all the weird-looking URI:s have domain names that end in a period, which I don't think is even legal. I Googled it, and found some old Digg thread, but was unable to locate the exact comment that mentioned the weird-looking URI:s. Strange.

unwind
Domain names always implicitly end with a period. Your DNS resolver puts them there for you (behind the scenes). You can explicitly end them with a period and they work the same.
Barry Brown
See http://en.wikipedia.org/wiki/FQDN
Barry Brown
+3  A: 

DNS poisoning?

Michael Sharek
+6  A: 

This happens if you are using one of Princeton University's CoDeeN project proxy servers. CoDeeN is an academic testbed content distribution network. When you browse a web page using a CoDeeN proxy, it injects some HTML code into the site's original HTML and redirects requests sent to pseudo addresses to the project's servers. Some of the pseudo addresses are:

http://i.cssxx.com./base0877861956.css | i.cssxx.com.
http://i.jsev.com./base.0877861955.js | i.jsev.com./
http://i.html.com./base0877861956.html | i.html.com.
http://i.js.com./base0877861956.js | i.js.com./
http://i.css2js.com./base.css | i.css2js.com.

Some or all of CoDeeN's proxy servers appear in anonymous proxy server lists. CoDeeN project page: http://codeen.cs.princeton.edu/

Interesting. Sounds something like the next step for ISP/internet providers.
Tchalvak
A: 

I agree with Mediashakers

That's because you're using CoDeeN project proxy servers.

Try using no proxy, and you will see the difference.

john
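
The comparison the answers above made by eye (the header received through the proxy against the header other people received), written as an added example that is not part of the original thread. The names `hosts_in` and `injected_hosts` are hypothetical, and the two HTML strings are constructed by abridging the headers quoted in the question and the first reply.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch or link to another resource.
URL_ATTRS = {"script": "src", "link": "href", "a": "href", "img": "src", "iframe": "src"}


class ResourceHosts(HTMLParser):
    """Collect the hosts referenced by resource-loading tags."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)  # HTMLParser lower-cases tag and attribute names
        if attr is None:
            return
        url = dict(attrs).get(attr)
        host = urlsplit(url or "").hostname  # None for relative or missing URLs
        if host:
            # "i.jsev.com." and "i.jsev.com" are the same FQDN: drop the root dot.
            self.hosts.add(host.rstrip("."))


def hosts_in(html):
    parser = ResourceHosts()
    parser.feed(html)
    return parser.hosts


def injected_hosts(observed_html, reference_html):
    """Hosts present in the copy under suspicion but absent from the reference copy."""
    return sorted(hosts_in(observed_html) - hosts_in(reference_html))


# Constructed inputs, abridged from the two headers quoted in this thread.
OBSERVED = '''<script language="javascript" src="http://i.jsev.com./base.2032621946.js"> </script>
<LINK REL="stylesheet" TYPE="text/css" HREF="http://i.cssxx.com./base2032621947.css">
<A HREF = "http://i.html.com./base2032621947.html"></A>
<link rel="stylesheet" type="text/css" href="http://media.eflorenzano.com/css/example2.css">'''
REFERENCE = '''<link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.4.1/build/reset/reset-min.css">
<link rel="stylesheet" type="text/css" href="http://media.eflorenzano.com/css/example2.css">
<script type="text/javascript" src="http://media.eflorenzano.com/js/jquery-1.2.2.min.js"></script>'''

if __name__ == "__main__":
    for host in injected_hosts(OBSERVED, REFERENCE):
        print("only in observed copy:", host)
```

Static parsing does not see resources that a script adds at run time, such as the `document.write` stylesheet in the question, so a host list from this check is a lower bound on what the browser actually contacts.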