[福州电信] 又一例电信运营商劫持案例

最近刚从联通切换为电信，就发现自己被劫持了！

测试站点：1 号店、Godaddy

以下是测试全程记录，使用各种浏览器（ Chrome、Firefox、360 ）、各种平台（ Windows、MAC、Android、Linux ）和模拟 HTTP 请求方式测试，均会较高概率地出现。

== 1 号店 ==

HTTP/1.1 200 OK
Cache-control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Expires: 0
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: BAIDUID=qq1234; expires=Mon, 24 Jul 2017 05:27:22 GMT; domain=.yhd.com; path=/
Content-Length: 3108
Server: 4ebdfc71391588be740e70a857447eea##300000196##8BDB4F0FB4082CC229CB35414274E1A276019507261825A4378835F87CDD57B1C3C4204FAC1FD51317662096482F01B0B47AF4111E0C561870AC79CF4288CC4B8F8035EEB0E3D16D
Date: Mon, 24 Jul 2017 05:25:22 GMT

<!DOCTYPE HTML><html><head><title></title><style type="text/css">*{margin:0;padding:0;border:0}body{margin:0;color:#000;overflow:hidden;padding:0;width:100%;height:100%;font-family:Arial}a{cursor:pointer;display:block;position:absolute;border:0px;border-radius:16px;background-color:#444;color:#fff;opacity:.8;z-index:3;right:5px;top:5px;height:16px;overflow:hidden;text-align:center;width:16px;font-size:16px;line-height:14px}#x{position:fixed;z-index:2;bottom:0px;right:0px;background-color:#FFF}#m{display:block;position:absolute;top:0;z-index:1;height:100%}#e0{ display: block; position: absolute; right:0; bottom:0; z-index:100; width:30px; height:16px; line-height:16px; font-size:8px; background-color: rgba(0,0,0,0.2); color:#fff; text-align:center;}</style></head><body onLoad="da()"><script>var m = "http://www.yhd.com/?cp=0&cityId=150&forceId=14";var a = "http://47.89.59.182:7788/info.html?sn=0&type=html&mobile=0&sp=6012";var w = window;var n = navigator;var d = document;function da() {var md, dah, daw;var ua = n.userAgent.toLowerCase();var isipad = ua.match(/ipad/i) == "ipad";var isiphone = ua.match(/iphone os/i) == "iphone os";var ismidp = ua.match(/midp/i) == "midp";var isuc7 = ua.match(/rv:1.2.3.4/i) == "rv:1.2.3.4";var isuc = ua.match(/ucweb/i) == "ucweb";var isandroid = ua.match(/android/i) == "android";var isce = ua.match(/windows ce/i) == "windows ce";var iswm = ua.match(/windows\s*mobile/i) == "windows mobile";if (isandroid || isiphone || isipad || iswm) {var meta = d.createElement("meta");meta.name =

注意源文中的：http://47.89.59.182:7788/info.html

== Godaddy ==

测试网址： http://www.goaddy.com/

HTTP/1.1 200 OK
Cache-control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Expires: 0
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: BAIDUID=qq1234; expires=Mon, 24 Jul 2017 05:16:44 GMT; domain=.godaddy.com; path=/
Content-Length: 3071
Server: 78983c49543bf05f6caa7164ee344cd7##300000153##4DB71E232F2CF68308A17F41598333805CA9044C68742B72160D8708B4C230F1D96AF6D22C9B398A499656813CC7054A8116105BB2D27381
Date: Mon, 24 Jul 2017 05:14:44 GMT

<!DOCTYPE HTML><html><head><title></title><style type="text/css">*{margin:0;padding:0;border:0}body{margin:0;color:#000;overflow:hidden;padding:0;width:100%;height:100%;font-family:Arial}a{cursor:pointer;display:block;position:absolute;border:0px;border-radius:16px;background-color:#444;color:#fff;opacity:.8;z-index:3;right:5px;top:5px;height:16px;overflow:hidden;text-align:center;width:16px;font-size:16px;line-height:14px}#x{position:fixed;z-index:2;bottom:0px;right:0px;background-color:#FFF}#m{display:block;position:absolute;top:0;z-index:1;height:100%}#e0{ display: block; position: absolute; right:0; bottom:0; z-index:100; width:30px; height:16px; line-height:16px; font-size:8px; background-color: rgba(0,0,0,0.2); color:#fff; text-align:center;}</style></head><body onLoad="da()"><script>var m = "http://www.godaddy.com/";var a = "http://221.231.6.79:8888/fyyxadmi/Ad/ad_fjnewjm.html";var w = window;var n = navigator;var d = document;function da() {var md, dah, daw;var ua = n.userAgent.toLowerCase();var isipad = ua.match(/ipad/i) == "ipad";var isiphone = ua.match(/iphone os/i) == "iphone os";var ismidp = ua.match(/midp/i) == "midp";var isuc7 = ua.match(/rv:1.2.3.4/i) == "rv:1.2.3.4";var isuc = ua.match(/ucweb/i) == "ucweb";var isandroid = ua.match(/android/i) == "android";var isce = ua.match(/windows ce/i) == "windows ce";var iswm = ua.match(/windows\s*mobile/i) == "windows mobile";if (isandroid || isiphone || isipad || iswm) {var meta = d.createElement("meta");meta.name = "viewport";meta.content = "width=device-width, initial-scale=1.0

注意源文中的：http://221.231.6.79:8888/fyyxadmi/Ad/ad_fjnewjm.html

[注] 正常访问 http://www.godaddy.com/ ，应该是跳转到 https://www.godaddy.com/ 的。

所以即使全站 HTTPS 了，也挡不住他们的流氓行为啊！

hilyjiang

2017-07-24 13:33:54 +08:00

附上 Golang 测试代码（ godaddy 测试）：
```
package main

import (
"fmt"
"net"
"strings"
)

func main() {
rawData := `GET / HTTP/1.1
Host: www.godaddy.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8

`

conn, err := net.Dial("tcp", "www.godaddy.com:80")
if err != nil {
fmt.Println(err.Error())
return
}

rawData = strings.Replace(rawData, "\n", "\r\n", -1)
if _, err := conn.Write([]byte(rawData)); err != nil {
fmt.Println(err.Error())
return
}

buf := make([]byte, 2048, 2048)
if _, err := conn.Read(buf); err != nil {
fmt.Println(err.Error())
return
}

fmt.Println(string(buf))
}
```

有趣的事情是，你把：
conn, err := net.Dial("tcp", "www.godaddy.com:80")
改成：
conn, err := net.Dial("tcp", "www.baidu.com:80")
或是：
conn, err := net.Dial("tcp", "jd.com:80")
劫持的结果是一样的。

这说明他们是根据 Host 劫持的，而且是在接入层做劫持。