Have to say, do development for so many years, traffic hijacking this thing, mostly just: “heard of, have not seen, 25,000 li ~”. This is the first time I’ve ever been ripped off. You have to go through what you have to do.
You don’t believe it
Say our team (coordinate Tianjin) developed a small website. The matter falls short of the list and is omitted. For example, when we were testing this website App, our phone connected to our company’S wifi, and then poked and poked at our little website, lit it up, and came up with this:
Page url is: hit a golden eggs page https://display.intdmp.com… .
Strange, obviously is our own development of the web page, how can jump to the code does not exist outside the chain? My first reaction was that there was a problem with our own code or code dependencies, but after checking, no problem code was found.
Later, because the problem is not high recurrence rate, it was shelved.
Until recently, the problem was repeated again, but instead of jumping to the previous golden egg smashing page, it ended up jumping to:
NND, too crazy, yellow novels are out!
Similarly,
A quick Internet search revealed that we weren’t the only victims:
The wool was pulled by Tianjin Unicom
Irritating advertising! The operator’s pot, the miIT complaint, has been resolved
And a hot post on Zhihu:
Unicom broadband hijacking web pages, JS popover advertising, how to solve?
And related news:
China Unicom is accused of traffic hijacking perspective behind the black industrial chain
At the same time, this matter is nine times out of ten Tianjin Unicom made a ghost.
There are three reasons.
- Our scenes are all in the wifi environment connected to the broadband of Tianjin Unicom, and we have used a number of different routers in different areas of Tianjin. That is to say, as long as the use of Tianjin Unicom broadband, can basically reproduce this problem.
- Online search to the basic is tianjin user feedback, and consistent with our inference, is the operator’s pot.
- Mobile 4G network users or users in other regions have no feedback of this problem, and we have not been able to replicate this problem in other regions.
Crime scene investigation
That’s easy. Grab the bag! Get to the crime scene!
Eager to find the cause of the problem, we only used Charles proxy to capture packets. Now I think we should use more powerful Wireshark, which can pull down the underpants of traffic hijacking to see clearly! If the wireshark is used to capture packets, you can post the captured packets.
But Charles is also good enough to keep the scene alive and the problem at the surface!
Because of this unicom do very explicit, soon we will catch the success of the bag, a look at the following:
As you can see, when you visit our home page (test environment) (you can visit it yourself to see the correct return content), instead of returning the expected content, we return this HTML:
<html><! -- 60 --> <head><meta charset="utf-8"><meta name="viewport" The content = "initial - scale = 1.0, user - scalable = no, maximum - scale = 1, width = device - width" / > < / head > < script language = JScript > <! -- function killErrors(){return true; } window.onerror=killErrors; --></script><frameset rows="*,0"> <frame src="http://su.qichexin.com/s/tji2.html" noresize><frame src="" noresize></frameset> </html>Copy the code
The corresponding HTTP header is also clearly incorrect. It is falsified in order to erase evidence. There is no trace to track it.
As you can see, it took a series of jumps of various forms to finally bring out the little porn. I used to do overseas Internet advertising, so I am familiar with the jump process in packet capture. The reason why I have to go through many HTTP jumps is to confirm an effective conversion jump for a third party or network alliance to serve as a data reference for future advertisers to pay for display. Therefore, there must be a secret black production, no doubt, they randomly, accidentally hijacked traffic, and then these hijacked traffic at a certain price to sell, grab profits, and the formation of a small organized industrial chain.
Well, that might not be a big deal back home. What shocked me, however, was that it was possible to be shameless enough to guide pornography. It was true that the face and the hat were all in one color, and the bottom line was flying with the pants.
The captured packet file can be obtained from the CHLS file of baidu web disk
Hate no one province
Despite the evidence, the case is still frustrating. You make a pornographic literature, development shu shu is embarrassed to show the website that he does to his child, in case pop up pornographic literature, not awkward!
In addition, on the solution:
Technically, if you don’t use HTTPS, this hijacking is hard to avoid, because it is the entire HTTP layer (application layer) interception, the front page to bypass, need to change too much. So, just go to HTTPS. But two days ago we test feedback, NND on HTTPS after also hijacked, this… Is that possible? Scratching my head… HTTPS has asymmetric encryption blessing, specially used to prevent middleman tampering, Unicom this TM can also bypass? Since the scene was not preserved, it is not clear how, let’s call it a blind eye (or the HTTP traffic embedded in HTTPS). Anyway, ** on HTTPS! On the HTTPS! On the HTTPS! Say the most important things three times.
On the legal principle, in fact, also afraid of unfair Tianjin Unicom (even tianjin Unicom, such as zhihu said, must be internal people at work, Unicom does not need to earn this black money), people sent the public security bureau to catch how to do; Secondly, the complaint rights protection can, but can see the result is very difficult.
Not alone
Encounter this pit, believe that they are not a person in the fight. So here also hope you technology experts to help, one is to ask for advice, if not using HTTPS technology, there is no relatively simple and feasible means to solve, to avoid being hijacked, or to talk about the principle of this traffic hijacking technology; Two is can help forward, expose this matter. This article does not have any irrelevant promotion content.