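This morning I got up and was playing with my phone, and found a piece-of-crap thing showing up at the bottom of bbs.d.163.com:
Damn it, now they're picking on me.
At first I assumed it was carrier hijacking, so I turned on my computer and tried spoofing the phone's User Agent, and found I couldn't reproduce the problem.
So I connected over USB and remotely debugged the page on the phone from my computer, and found that the injected js is this: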
http://fi.854u.com/7m2101/tihuan.js
Its contents are as follows:
var config={gdUrl:"http://fi.854u.com/7m2101/banner/banner.html",pos:1,clickType:null,imgHeight:200,imgWidth:640};var $util={isAndroid:navigator.userAgent.indexOf("Android")>-1||navigator.userAgent.indexOf("Adr")>-1,isPc:!function(){var userAgentInfo=navigator.userAgent.toLowerCase();var Agents=["android","iphone","symbianos","windows phone","ipad","ipod"];var ispc=true;for(var v=0;v<Agents.length;v++){if(userAgentInfo.indexOf(Agents[v])>=0){ispc=false;break}}return ispc}()};if($util.isAndroid){if(!!config.oldScriptUrl){document.write("<script type=\"text/javascript\" src=\""+(config.oldScriptUrl.indexOf("?")==-1?config.oldScriptUrl+"?change=1":config.oldScriptUrl+"&change=1")+"\"></script>")}var ifrw=document.createElement("div");ifrw.style.position="fixed";ifrw.style.left=0;ifrw.style.bottom=0;ifrw.style.right=0;ifrw.style.zIndex=1000000;var bo=document.querySelector("body");var latecy=0,timer;if(!!bo){latecy=0}else{latecy=200}function insertDom(){clearTimeout(timer);timer=setTimeout(function(){bo=document.querySelector("body");if(!bo){insertDom();return}bo.appendChild(ifrw);var closei=document.createElement("i");closei.style.display="block";closei.style.position="absolute";closei.style.right="20px";closei.style.top="20px";closei.style.height="20px";closei.style.width="20px";closei.style.backgroundImage='url("data:image/png;base64,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")';closei.style.backgroundPosition="center center";closei.style.backgroundSize="100% 100%";closei.onclick=function(e){ifrw.parentNode.removeChild(ifrw);e.stopPropagation()};ifrw.appendChild(closei);var ifr=document.createElement("iframe");ifr.style.display="block";ifr.scrolling="no";ifr.width=ifrw.offsetWidth||screen.availWidth;ifr.height=ifr.width/config.imgWidth*config.imgHeight;ifr.frameBorder="none";ifr.src=config.gdUrl;ifrw.appendChild(ifr)},latecy)}insertDom()};
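Then I grabbed a random AVG from Play, it flagged 6 items, and after uninstalling all of them in one go and refreshing, the injection was gone... The awkward part is that I forgot to uninstall them one by one to test which app was the problem.
This is the first time I've run into this, and it's fairly novel to me. I don't know whether anyone else has run into this problem... Posting it to share with everyone.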
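Added example, not part of the original post: one way to audit a saved DOM snapshot (for instance, copied out of the remote-debugging session described above) for `<script>` and `<iframe>` sources loaded from hosts outside the site's own domains. The allowlist, the function names and the sample HTML are assumptions constructed for illustration; only the two `fi.854u.com` URLs come from the post.

```javascript
// Assumed first-party domain suffixes for the page under inspection.
const ALLOWED_SUFFIXES = ["163.com", "netease.com"];

// True only for the suffix itself or a real subdomain of it, so a
// lookalike host that merely ends in the same characters is rejected.
function hostAllowed(host, suffixes) {
  return suffixes.some((s) => host === s || host.endsWith("." + s));
}

// Returns [{tag, url, host}] for each script/iframe fetched from a foreign host.
function findForeignResources(html, pageUrl, suffixes = ALLOWED_SUFFIXES) {
  const findings = [];
  const tagRe = /<(script|iframe)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const raw = m[2] ?? m[3] ?? m[4];
    let url;
    try {
      url = new URL(raw, pageUrl); // resolves relative and protocol-relative src
    } catch {
      continue; // unparsable src: nothing was fetched from it
    }
    if (!/^https?:$/.test(url.protocol)) continue; // ignore data:, about:, etc.
    if (!hostAllowed(url.hostname, suffixes)) {
      findings.push({ tag: m[1].toLowerCase(), url: url.href, host: url.hostname });
    }
  }
  return findings;
}

// Constructed snapshot: two first-party scripts plus the injected pair.
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/forum.js"></script>
<script src="//img1.cache.netease.com/common.js"></script>
<script type="text/javascript" src="http://fi.854u.com/7m2101/tihuan.js"></script>
</head><body>
<div style="position:fixed;left:0;bottom:0;right:0;z-index:1000000">
<iframe scrolling="no" src="http://fi.854u.com/7m2101/banner/banner.html"></iframe>
</div>
</body></html>`;

console.log(findForeignResources(SAMPLE_HTML, "http://bbs.d.163.com/"));
```

Running the same check on the HTML fetched directly from the server and on the DOM captured from the device shows where the extra tags enter: foreign sources that appear only in the on-device DOM were added after the response arrived.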
1
flyz 2017-07-22 07:20:12 +08:00 via Android 1
What's being promoted is 360 手机卫士 (360 Mobile Guard)
2
shierji OP @flyz Right. I found that I somehow can't append anymore.
I looked it up, and there's a whole bunch of similar domains under this QQ mailbox: http://paopaomi.com/zh-cn/whois/history.html?wd=m9A7bdE4xlOZK_GYoFnXCQ&rt=24
3
isnowify 2017-07-22 07:53:43 +08:00 via Android
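Let me recommend the antivirus AVL PRO for phones. It only has antivirus functionality, and it can also analyze apps and show app behavior. Pretty handy.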
4
allenhu 2017-07-22 08:16:39 +08:00 via Android
Rooted, right?
5
icedx 2017-07-22 08:18:04 +08:00 via Android
The OP's description of the problem is very vague.
If this kind of hijacking can be pulled off without root, that would be big news.
6
wzdbsss 2017-07-22 09:28:58 +08:00 via Android
Rooted or not?
8
shierji OP
9
icedx 2017-07-22 22:24:34 +08:00
I think you're overthinking it.
It's just ordinary carrier hijacking.
10
slwl123 2017-08-13 20:22:12 +08:00
Both my phone and my PC have this problem. It's probably carrier hijacking.