Even Tencent Cloud is getting hijacked, haha

2017-05-10 13:21:16 +08:00
 holinhot
Accessing some domestic sites from Tencent Cloud gets 302-redirected straight away.

Is someone doing hijacking at the international gateway?

HTTP/1.1 302 Found
Connection: close
Location: http://1877766.com

What on earth is this? Can't even use it anymore.
1441 views
Node: Q&A
6 replies
holinhot
2017-05-10 13:33:59 +08:00
Sometimes the response comes back with the page itself replaced outright:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:30:54.521515 IP 10.104.2.206.50286 > 123.com.http: Flags [S], seq 2784800392, win 14600, options [mss 1460,sackOK,TS val 2687025802 ecr 0,nop,wscale 6], length 0
13:30:54.683270 IP 123.com.http > 10.104.2.206.50286: Flags [S.], seq 925016812, ack 2784800393, win 29200, options [mss 1424,nop,nop,sackOK,nop,wscale 10], length 0
13:30:54.683304 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 1, win 229, length 0
13:30:54.683429 IP 10.104.2.206.50286 > 123.com.http: Flags [P.], seq 1:172, ack 1, win 229, length 171
13:30:54.687666 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:803, ack 172, win 229, length 802
13:30:54.687711 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, length 0
13:30:54.687899 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:54.701469 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:72, ack 172, win 8192, length 71
13:30:54.701496 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:73}], length 0
13:30:54.845049 IP 123.com.http > 10.104.2.206.50286: Flags [.], ack 172, win 30, length 0
13:30:54.845074 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, length 0
13:30:54.857590 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:54.857624 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:55.162711 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:55.301387 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:55.301430 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:55.789782 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:55.789819 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:56.112720 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:56.769886 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:56.769924 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
13:30:58.012724 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
13:30:58.730561 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
13:30:58.730590 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
^C
24 packets captured
24 packets received by filter
HTTP/1.1 200 OK
Server: nginx
Cache-Control: no-cache
Date: Wed, 10-May-2017 05:30:53 GMT
Set-Cookie: group_b2eecf4f9a15c836=1; expires=Thu, 11-May-2017 13:30:53 CST; path=/; domain=123.com
Content-Length: 583

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="0">
<title></title>
<script type="text/javascript">
window.location.href='http://99zz111.com/?kjh=3ZJCimzp';
</script>
<noscript>
<meta http-equiv="refresh" content="0;url=http://99zz111.com/?kjh=3ZJCimzp">
</noscript>
</head>
<body></body>
miyuki
2017-05-10 14:33:29 +08:00
Which site? Post it so we can take a look.
ELIOTT
2017-05-10 14:46:49 +08:00
Is it possible the server got hacked?
KCheshireCat
2017-05-10 15:42:58 +08:00
Flags [FP.]
A TCP packet flagged fin,push,ack; this is very likely TCP hijacking.
You can capture it and look at the TTL, to see whether it differs from the TTL values of the other packets in the same context.
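The two indicators raised in this reply (a FIN+PSH+ACK segment racing the real response, and a TTL that does not match the rest of the flow) can both be checked mechanically against a `tcpdump` capture. The following script is an added example, not code from the thread: it parses `tcpdump` lines in the plain layout shown above and in the two-line `tcpdump -v` layout, then flags any direction of a flow in which the same starting sequence number was seen with different segment ends (in the capture above, `123.com.http` sends `seq 1:803`, `seq 1:72` and `seq 1:455`, three different "first" segments), and any direction in which more than one TTL value was observed. The plain sample is copied from the thread's capture; the `-v` sample and its TTL values (44 and 53) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: server/client lines copied from the thread's capture
# (run without -v, so no TTL is present).
PLAIN_SAMPLE = """\
13:30:54.683270 IP 123.com.http > 10.104.2.206.50286: Flags [S.], seq 925016812, ack 2784800393, win 29200, options [mss 1424,nop,nop,sackOK,nop,wscale 10], length 0
13:30:54.683429 IP 10.104.2.206.50286 > 123.com.http: Flags [P.], seq 1:172, ack 1, win 229, length 171
13:30:54.687666 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:803, ack 172, win 229, length 802
13:30:54.701469 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:72, ack 172, win 8192, length 71
13:30:54.857590 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
"""

# Constructed sample in the `tcpdump -v` layout (IP header on the first line,
# TCP details indented on the next). The TTL values are hypothetical.
VERBOSE_SAMPLE = """\
13:30:54.687666 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 842)
    123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:803, ack 172, win 229, length 802
13:30:54.857590 IP (tos 0x0, ttl 53, id 40211, offset 0, flags [DF], proto TCP (6), length 494)
    123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
"""


def _records(text):
    """Yield (ip_header_info, tcp_body) pairs, joining the two-line -v layout."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if " IP " not in line:          # tcpdump banner, "^C", packet counts...
            i += 1
            continue
        _ts, tail = line.split(" IP ", 1)
        if tail.startswith("(") and i + 1 < len(lines):
            yield tail, lines[i + 1].strip()   # -v: header line + indented body
            i += 2
        else:
            yield "", tail                      # plain layout: everything on one line
            i += 1


def parse_packet(ipinfo, body):
    """Extract direction, flags, seq range, payload length and TTL (if shown)."""
    m = re.match(r"(\S+) > (\S+): Flags \[([^\]]*)\]", body)
    if not m:
        return None
    seq = re.search(r"\bseq (\d+)(?::(\d+))?", body)
    ln = re.search(r"length (\d+)$", body)
    ttl = re.search(r"\bttl (\d+)", ipinfo)
    return {
        "direction": f"{m.group(1)} > {m.group(2)}",
        "flags": m.group(3),
        "seq": int(seq.group(1)) if seq else None,
        "end": int(seq.group(2)) if seq and seq.group(2) else None,
        "length": int(ln.group(1)) if ln else 0,
        "ttl": int(ttl.group(1)) if ttl else None,
    }


def find_injection_indicators(text):
    """Return findings: conflicting data segments and TTL mismatches per direction."""
    segs = defaultdict(lambda: defaultdict(set))   # direction -> seq start -> {seq end}
    ttls = defaultdict(set)                        # direction -> {ttl}
    for ipinfo, body in _records(text):
        p = parse_packet(ipinfo, body)
        if p is None:
            continue
        if p["ttl"] is not None:
            ttls[p["direction"]].add(p["ttl"])
        if p["length"] > 0 and p["end"] is not None:
            segs[p["direction"]][p["seq"]].add(p["end"])

    findings = []
    for direction, starts in segs.items():
        for start, ends in sorted(starts.items()):
            # A genuine retransmission repeats the same bytes; different ends for the
            # same start mean different payloads were claimed for the same position.
            if len(ends) > 1:
                findings.append({"kind": "conflicting_segments", "direction": direction,
                                 "seq": start, "ends": sorted(ends)})
    for direction, vals in ttls.items():
        # Packets from one host on one path normally arrive with one TTL.
        if len(vals) > 1:
            findings.append({"kind": "ttl_mismatch", "direction": direction,
                             "ttls": sorted(vals)})
    return findings


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("verbose", VERBOSE_SAMPLE)):
        for f in find_injection_indicators(sample):
            print(label, f)
```

Run it on a live capture with `tcpdump -v -nn port 80` piped in; the `-v` layout is what supplies the TTL. Neither indicator is proof on its own, but a direction that shows both (several different segments for the same sequence position, the earliest of them carrying FIN+PSH, plus an outlier TTL) is the signature an injection-based hijack leaves in a trace.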
holinhot
2017-05-13 17:34:22 +08:00
@ELIOTT you're just making that up
holinhot
2017-05-13 17:44:53 +08:00
@miyuki A horse-betting site

https://www.v2ex.com/t/360352