Since yesterday, our entire dormitory block has been hit by web hijacking: when browsing, the browser is forcibly redirected to a certain IP, which then shows the page the user actually asked for inside an iframe. DNS hijacking is ruled out (I use the OpenDNS service), so the only remaining explanation is... someone is tampering directly with the traffic.
The IP belongs to Nanchang, here in the city. This is the whois information:
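The hijack pattern described above (the browser ends up on an unexpected host, whose page embeds the originally requested URL in an iframe) can be checked for programmatically. The following script is an added example and is not part of the original post; the function names and the sample HTML responses are constructed for illustration.

```python
"""Detect iframe-wrapping hijacks: the response comes from a host other than
the one requested, and that response frames the originally requested URL."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframes.append(src)


def classify_response(requested_url, final_url, body):
    """Classify a fetched page.

    Returns one of:
      ("clean", None, None)                 served by the host we asked for
      ("hijacked-iframe", host, framed_url) a foreign host frames our URL
      ("redirected-elsewhere", host, None)  a foreign host, but no framing
    """
    requested_host = urlparse(requested_url).hostname
    final_host = urlparse(final_url).hostname
    if final_host == requested_host:
        return ("clean", None, None)

    parser = _IframeCollector()
    parser.feed(body)
    for src in parser.iframes:
        if urlparse(src).hostname == requested_host:
            return ("hijacked-iframe", final_host, src)
    return ("redirected-elsewhere", final_host, None)


def check_live(url, timeout=10):
    """Fetch a URL, following redirects, and classify the final response.
    Network access required; not exercised by the offline test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        final_url = resp.geturl()
        body = resp.read().decode("utf-8", errors="replace")
    return classify_response(url, final_url, body)


# Constructed sample responses (hypothetical hosts and IPs).
SAMPLE_HIJACKED = (
    '<html><body style="margin:0">'
    '<iframe src="http://www.example.com/index.html" width=100% height=100%>'
    "</iframe></body></html>"
)
SAMPLE_CLEAN = "<html><body><h1>Welcome</h1></body></html>"


if __name__ == "__main__":
    print(classify_response("http://www.example.com/index.html",
                            "http://192.0.2.10/", SAMPLE_HIJACKED))
    print(classify_response("http://www.example.com/index.html",
                            "http://www.example.com/index.html", SAMPLE_CLEAN))
```

Run `check_live` against a site you know well from a suspect network and compare with the result from a trusted network: a "hijacked-iframe" verdict names the injecting host, which is exactly the address you would want in a complaint to the provider or in a firewall rule.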
Genbox ~ # whois 59.55.140.243
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      59.52.0.0 - 59.55.255.255
netname:      CHINANET-JX
descr:        CHINANET Jiangxi province network
descr:        China Telecom
descr:        No.31,jingrong street
descr:        Beijing 100032
country:      CN
admin-c:      CH93-AP
tech-c:       JN113-AP
remarks:      service provider
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IP-WWF
changed:      hm-changed@apnic.net 20050208
source:       APNIC

role:         JXDCB NET
address:      DATA COMMUNICATION BUREAY
address:      NO.39,YANJIANG NORTH ROAD,NANCHANG,JIANGXI
country:      CN
phone:        +86 791 6730586
fax-no:       +86 791 6707755
e-mail:       hostmaster@public1.nc.jx.cn
trouble:      send spam reports to hostmaster@public1.nc.jx.cn
trouble:      and abuse reports to hostmaster@public1.nc.jx.cn
admin-c:      XY1-AP
tech-c:       WZ1-CN
tech-c:       WW49-AP
nic-hdl:      JN113-AP
remarks:      http://www.online.jx.cn
notify:       hostmaster@public1.nc.jx.cn
mnt-by:       MAINT-IP-WWF
changed:      hm-changed@apnic.net 20020812
source:       APNIC

person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net
address:      No.31 ,jingrong street,beijing
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC
I called the 10000 hotline, and they either asked whether I had picked up a trojan or told me to upgrade my browser... Do I look like that kind of clueless user? I am apparently the only one alert enough to have noticed this. The explanations I can come up with: either China Telecom tampered with the traffic internally, or China Telecom got hacked.
There is no other option; for now I can only block these two IPs with iptables:
iptables -A INPUT -s 59.55.140.243 -j REJECT
iptables -A INPUT -s 59.55.140.239 -j REJECT
iptables -A OUTPUT -d 59.55.140.243 -j REJECT
iptables -A OUTPUT -d 59.55.140.239 -j REJECT
Oh, Telecom, Telecom... Is there any hacker expert out there who can help hack the host at that IP and swap in my Google ads? We'll split the income!
You're lucky enough already; my computer is broken altogether.
Looks like I'm getting hijacked here too; the server runs nginx serving static pages... I don't know how to hack :D