v 友帮忙分析下这次 https 劫持

这是在 k8s 的某个 pod 里面执行的 curl 命令，然后被劫持到了 http://144.dragonparking.com

而且是偶发的，有段时间会劫持有段时间就正常

宿主机上执行 curl 没出现过劫持

这个是怎么实现的

以下是劫持返回的 html

<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>tencentcloudapi.com</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <script type='text/javascript' language='JavaScript'> var domain = 'tencentcloudapi.com'; var uniqueTrackingID = 'MTY4NTU3OTcwNi4xODgzOmZlODk3NWU3ODcyMjg1MDg2YWNlZGU1NTM5YWZlMTBmNDFmMWQyYzIzZTQ5MGY0OTA2MDE1ZTViN2I3ZDEwYTU6NjQ3N2U3YmEyZGZiOA=='; var clickTracking = false; var themedata = ''; var xkw = ''; var xsearch = ''; var xpcat = ''; var bucket = ''; var clientID = ''; var clientIDs = ''; var num_ads = 0; var adtest = 'off'; var scriptPath = ''; </script> <script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>

    </head>
    <body>
    <script type="text/javascript">var ls = function(xhr, path, token) {
xhr.onreadystatechange = function () {
    if (xhr.readyState === XMLHttpRequest.DONE) {
        if (xhr.status >= 200 && xhr.status <= 400) {
            if (xhr.responseText.trim() === '') {
                return;
            }

            console.log(JSON.parse(xhr.responseText))
        } else {
            console.log('There was a problem with the request.');
        }
    }
}

xhr.open('GET', path + '/ls.p' + 'hp?t=6477e7ba&token=' + encodeURI(token), true);
xhr.send();

}; ls(new XMLHttpRequest(), scriptPath, '098d33e1ee92577488c3f7c512742c23d15f6952');</script> <script type='text/javascript' language='JavaScript'> window.onload = function() { if(clickTracking && typeof track_onclick == 'function') track_onclick("8738cf3b6b543a07139579dbbd0fc3fa531854b6"); top.location.href = "http://144.dragonparking.com/?site=tencentcloudapi.com&t=1685579706&s=26356433e9449717b0e51e87ffb4349a&fs=http%3A%2F%2Fc.parkingcrew.net%2F%3Fdomain_name%3Dtencentcloudapi.com"; }; </script> </body>

</html>