
Even Tencent Cloud is getting hijacked, haha

    holinhot · 2017-05-10 13:21:16 +08:00 · 1486 views
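    When I access some overseas websites from Tencent Cloud, the requests get 302-redirected straight away.

    Is someone doing hijacking at the international egress?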

    HTTP/1.1 302 Found
    Connection: close
    Location: http://1877766.com

    What the heck is this? Are we even allowed to use it any more?
    6 replies    2017-05-13 17:44:53 +08:00
    #1 · holinhot (OP) · 2017-05-10 13:33:59 +08:00
    Sometimes the response just replaces the page outright.
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    13:30:54.521515 IP 10.104.2.206.50286 > 123.com.http: Flags [S], seq 2784800392, win 14600, options [mss 1460,sackOK,TS val 2687025802 ecr 0,nop,wscale 6], length 0
    13:30:54.683270 IP 123.com.http > 10.104.2.206.50286: Flags [S.], seq 925016812, ack 2784800393, win 29200, options [mss 1424,nop,nop,sackOK,nop,wscale 10], length 0
    13:30:54.683304 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 1, win 229, length 0
    13:30:54.683429 IP 10.104.2.206.50286 > 123.com.http: Flags [P.], seq 1:172, ack 1, win 229, length 171
    13:30:54.687666 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:803, ack 172, win 229, length 802
    13:30:54.687711 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, length 0
    13:30:54.687899 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
    13:30:54.701469 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:72, ack 172, win 8192, length 71
    13:30:54.701496 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:73}], length 0
    13:30:54.845049 IP 123.com.http > 10.104.2.206.50286: Flags [.], ack 172, win 30, length 0
    13:30:54.845074 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, length 0
    13:30:54.857590 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
    13:30:54.857624 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
    13:30:55.162711 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
    13:30:55.301387 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
    13:30:55.301430 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
    13:30:55.789782 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
    13:30:55.789819 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
    13:30:56.112720 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
    13:30:56.769886 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
    13:30:56.769924 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
    13:30:58.012724 IP 10.104.2.206.50286 > 123.com.http: Flags [F.], seq 172, ack 804, win 254, length 0
    13:30:58.730561 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
    13:30:58.730590 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 804, win 254, options [nop,nop,sack 1 {1:455}], length 0
    ^C
    24 packets captured
    24 packets received by filter




    HTTP/1.1 200 OK
    Server: nginx
    Cache-Control: no-cache
    Date: Wed, 10-May-2017 05:30:53 GMT
    Set-Cookie: group_b2eecf4f9a15c836=1; expires=Thu, 11-May-2017 13:30:53 CST; path=/; domain=123.com
    Content-Length: 583

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Cache-Control" content="no-cache">
    <meta http-equiv="Expires" content="0">
    <title></title>
    <script type="text/javascript">
    window.location.href='http://99zz111.com/?kjh=3ZJCimzp';
    </script>
    <noscript>
    <meta http-equiv="refresh" content="0;url=http://99zz111.com/?kjh=3ZJCimzp">
    </noscript>
    </head>
    <body></body>
    #2 · miyuki · 2017-05-10 14:33:29 +08:00 via Android
    Which website? Post it so we can take a look.
    #3 · ELIOTT · 2017-05-10 14:46:49 +08:00 via Android
    Is it possible that the server was hacked?
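    #4 · KCheshireCat · 2017-05-10 15:42:58 +08:00
    Flags [FP.]
    The TCP packet is flagged FIN, PUSH, ACK; this is very likely TCP hijacking.
    You could capture again and check the TTL, to see whether it differs from the TTL of the other packets around it.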
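An added example, not part of the thread: the capture in reply 1 was taken without `-v`, so it shows no TTL, but the same packets can be checked for two other injection signs, namely a "server" answer arriving faster than the handshake round trip and several segments claiming the same starting sequence number with different lengths. The function names and the half-RTT threshold are assumptions made for this sketch; the packet lines are the first eight from the capture above with TCP options trimmed.

```python
import re

# First packets of the tcpdump capture posted in reply 1 (TCP options trimmed).
CAPTURE = """\
13:30:54.521515 IP 10.104.2.206.50286 > 123.com.http: Flags [S], seq 2784800392, win 14600, length 0
13:30:54.683270 IP 123.com.http > 10.104.2.206.50286: Flags [S.], seq 925016812, ack 2784800393, win 29200, length 0
13:30:54.683304 IP 10.104.2.206.50286 > 123.com.http: Flags [.], ack 1, win 229, length 0
13:30:54.683429 IP 10.104.2.206.50286 > 123.com.http: Flags [P.], seq 1:172, ack 1, win 229, length 171
13:30:54.687666 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:803, ack 172, win 229, length 802
13:30:54.701469 IP 123.com.http > 10.104.2.206.50286: Flags [FP.], seq 1:72, ack 172, win 8192, length 71
13:30:54.845049 IP 123.com.http > 10.104.2.206.50286: Flags [.], ack 172, win 30, length 0
13:30:54.857590 IP 123.com.http > 10.104.2.206.50286: Flags [P.], seq 1:455, ack 172, win 30, length 454
"""

LINE = re.compile(r"(\d+):(\d+):([\d.]+) IP (\S+) > (\S+): Flags \[([^\]]+)\],"
                  r"(?: seq (\d+)(?::(\d+))?,)?.* length (\d+)")

def parse(text):
    """Turn tcpdump summary lines into dicts (time in seconds, relative seq range)."""
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        h, mi, s, src, _dst, flags, s0, s1, length = m.groups()
        pkts.append({"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
                     "flags": flags, "seq": (int(s0), int(s1)) if s1 else None,
                     "len": int(length)})
    return pkts

def suspects(text, server="123.com.http"):
    """Return (handshake_rtt, rows); each row describes one server data segment."""
    pkts = parse(text)
    syn = next(p for p in pkts if p["flags"] == "S")
    synack = next(p for p in pkts if p["flags"] == "S.")
    rtt = synack["t"] - syn["t"]
    request = next(p for p in pkts if p["src"] != server and p["len"] > 0)
    data = [p for p in pkts if p["src"] == server and p["len"] > 0]
    rows = []
    for p in data:
        delay = p["t"] - request["t"]
        rows.append({
            "seq": p["seq"], "flags": p["flags"], "delay_ms": round(delay * 1000, 1),
            # The real server is a full round trip away; an answer in under
            # half an RTT points to a device sitting closer to the client.
            "too_early": delay < rtt / 2,
            # Same starting byte but a different end: conflicting payloads.
            "conflicts": any(q is not p and q["seq"][0] == p["seq"][0]
                             and q["seq"][1] != p["seq"][1] for q in data),
        })
    return rtt, rows
```

Calling `suspects(CAPTURE)` marks the two `FP.` segments as too early against a handshake RTT of about 162 ms, while the 454-byte segment arrives after a full round trip.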
    #5 · holinhot (OP) · 2017-05-13 17:34:22 +08:00
    @ELIOTT You're just talking nonsense.
    #6 · holinhot (OP) · 2017-05-13 17:44:53 +08:00
    @miyuki A horse-betting site