03-04-2016 10:03 AM
I saw another injected ad modifying a web page using Safari on a Mac running OS X 10.10. My page had injected scripts from IP addresses of 220.127.116.11 and 18.104.22.168. A quick whois search shows these IP addresses (and the whole 22.214.171.124/13 range) as belonging to "ROAD-RUNNER-HOLDCO-LLC" and "Time Warner Cable Internet LLC (RRMA)".
The page was an unencrypted Craigslist page and there was an image and two scripts injected. If I didn't know better it would seem as though it was Craigslist itself that sent those scripts. Craigslist is not amused I'm sure.
Do you still claim not to inject ads?
Do you want screenshots?
03-23-2016 01:25 PM
02-22-2017 12:34 PM
I noticed the same behavior too on a legitimate TWCWiFi hotspot. I grabbed all the details I could like a packet capture, screenshots, and arp table, etc. and called the number that TWC-JeremiahS gave. The guy on the phone was helpful as he could be, took down the details and said one of the engineers would check into it.