腾讯云都被劫持哈哈

2017-05-10 13:21:16 +08:00
 holinhot
从腾讯云访问一些国网站直接被 302 跳转走了。

是不是有人在国际出口上做劫持了。

HTTP/1.1 302 Found
Connection: close
Location: http://1877766.com

这都什么鬼啊。还让不让玩了
1486 次点击
所在节点    问与答
6 条回复
holinhot
2017-05-10 13:33:59 +08:00
有时候直接返回把页面给替换了
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:30:54.521515 IP 10.104.2.206.50286 > 123.com.http: Flags [S], seq 2784800392, win 14600, options [mss 1460,sackOK,TS val 2687025802 ecr 0,nop,wscale 6], length 0
13:30:54.683270 IP 123.com.http > 10.104.2.206.50286: Flags [S.], seq 925016812, ack 2784800393, win 29200, options [mss 1424,nop,nop,sackOK,nop,wscale 10], length 0
13:30:54.683304 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 1, win 229, length 0
13:30:54.683429 IP 10.104.2.206.50286 > 123.com.http: Flags [P.], seq 1:172, ack 1, win 229, length 171
13:30:54.687666 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:803, ack 172, win 229, length 802
13:30:54.687711 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, length 0
13:30:54.687899 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:54.701469 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:72, ack 172, win 8192, length 71
13:30:54.701496 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:73}], length 0
13:30:54.845049 IP 123.com.http > 10.104.2.206.50286: Flags [.], ack 172, win 30, length 0
13:30:54.845074 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, length 0
13:30:54.857590 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:54.857624 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:55.162711 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:55.301387 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:55.301430 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:55.789782 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:55.789819 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:56.112720 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:56.769886 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:56.769924 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:58.012724 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:58.730561 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:58.730590 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
^C
24 packets captured
24 packets received by filter




HTTP/1.1 200 OK
Server: nginx
Cache-Control: no-cache
Date: Wed, 10-May-2017 05:30:53 GMT
Set-Cookie: group_b2eecf4f9a15c836=1; expires=Thu, 11-May-2017 13:30:53 CST; path=/; domain=123.com
Content-Length: 583

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="0">
<title></title>
<script type="text/javascript">
window.location.href='http://99zz111.com/?kjh=3ZJCimzp';
</script>
<noscript>
<meta http-equiv="refresh" content="0;url=http://99zz111.com/?kjh=3ZJCimzp">
</noscript>
</head>
<body></body>
miyuki
2017-05-10 14:33:29 +08:00
什么网站发来看看
ELIOTT
2017-05-10 14:46:49 +08:00
有沒有可能服務器被黑了?
KCheshireCat
2017-05-10 15:42:58 +08:00
Flags [FP.]
tcp 包标记 fin,push.ack,非常有可能是 tcp 劫持.
可以抓一下看看 ttl,是不是和上下文的其他包 ttl 值不同
holinhot
2017-05-13 17:34:22 +08:00
@ELIOTT 你就瞎掰吧
holinhot
2017-05-13 17:44:53 +08:00
@miyuki 买马网站

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/360352

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX