百度的 libs.baidu.com 域名被恶意劫持插入广告

接着昨天的话题《求助:谁知道这些广告代码是哪里来的》,从昨晚开始,只要打开我的网站都会出现广告,并且网站的js效果都会失效:

2015-11-13_095731

今天早上使用浏览器调试工具,查看到有报错 jQuery 未定义,然后尝试切换了一下 jQuery 库的地址,广告竟然消失了,接着直接打开之前使用的百度的 jQuery 库地址 http://libs.baidu.com/jquery/1.8.3/jquery.min.js,发现根源了:

2015-11-13_095308

然后打开上面出现的js文件:http://120.25.147.157:3579/jq142/a/click.js,真的就是广告代码:

// Configuration for the injected ad popup. These are top-level `var`s, so they
// become globals of whatever page ends up executing this script.
// Analyst note: the host/port in `path`, the redirect prefix in `clearUrl`, and
// the element id / cookie name used further down are the identifiers to search
// for in proxy logs or page DOM when checking whether a user was affected.
var ht = document.getElementsByTagName('html')[0], // root <html> element; popups are appended to it
	clearUrl = 'http://www.mangding.com/tkredir.php?', // redirect prefix prepended to the click target below
	path = 'http://120.25.147.157:3579/jq142/a/', // base URL for the script's images and iframe pages
	pic_w = 440, // width of the ad element
	pic_h = 180, // height of the ad element
	w_w = pic_w + 10, // desktop wrapper width (used as px in createPc)
	w_h = pic_h + 35, // desktop wrapper height (used as px in createPc)
	i_w = pic_w, // desktop iframe width attribute
	i_h = pic_h + 3, // desktop iframe height attribute
	closeTime = 30000, // popup auto-close delay; passed to setTimeout, so this is milliseconds (30 s), not seconds
	// href of the "close" control: clearUrl followed by an s.click.taobao.com URL.
	// NOTE(review): this looks like a click-tracking / affiliate link — not verified from this listing.
	btnClickUrl = clearUrl + 'http://s.click.taobao.com/t?e=m%3D2%26s%3DSzHwv0%2B3T1scQipKwQzePCperVdZeJviK7Vc7tFgwiFRAdhuF14FMeMuMyYCcSeK1aH1Hk3GeOhQozenMspqN%2BpkTkKjLd4YlnTn0enuw%2BYEc9An2MIWnKUuZxIcp9pfUIgVEmFmgnbDX0%2BHH2IEVaX4VWt66S4EJPwiig1bxLP9BvYCQR6XAr%2BKQ71wHNCAqP8YyUoZZlq4cXg3ii9waXPs9Sj9Qli1np4c65at3FeX3cwyLTlAhj2l4PysJx%2FP', // link followed when the close button is clicked
	iframeMbUrl = path + 'page/click.html', // ad page framed on mobile
	iframePcUrl = path + 'page/click_pc.html', // ad page framed on desktop
	times, // timer handle, assigned in alertBox
	alertAgainTime = 30, // minutes threshold before the mobile popup is shown again
	dialogCloseTime = 2000; // auto-close time for a pop-up window; only referenced by commented-out code in alertBox
 
// Entry point: classify the visitor as mobile or desktop from the User-Agent
// string and show the matching popup.
// Mobile visitors are throttled through the cookie 'timeSj201500001212';
// desktop visitors get the popup on every call, with no throttle.
// Analyst note: that cookie is written on the visited site itself (document.cookie
// of the page running this script), so its presence is a trace that the popup ran there.
function deviceCheck() {
	var sUserAgent = navigator.userAgent.toLowerCase();
	// Each test loosely compares the match() result (an array or null) with the
	// expected string; `==` coerces the one-element array to that string.
	var bIsIpad = sUserAgent.match(/ipad/i) == "ipad";
	var bIsIphoneOs = sUserAgent.match(/iphone os/i) == "iphone os";
	var bIsMidp = sUserAgent.match(/midp/i) == "midp";
	// The dots in this pattern are unescaped, so they match any character.
	var bIsUc7 = sUserAgent.match(/rv:1.2.3.4/i) == "rv:1.2.3.4";
	var bIsUc = sUserAgent.match(/ucweb/i) == "ucweb";
	var bIsAndroid = sUserAgent.match(/android/i) == "android";
	var bIsCE = sUserAgent.match(/windows ce/i) == "windows ce";
	var bIsWM = sUserAgent.match(/windows mobile/i) == "windows mobile";
	if (bIsIpad || bIsIphoneOs || bIsMidp || bIsUc7 || bIsUc || bIsAndroid || bIsCE || bIsWM) {
		if (!getCookie('timeSj201500001212')) {
			// alert('cookie does not exist');
			// First visit (no marker cookie): show the popup and record the time.
			createMobile();
			setAlertMark('timeSj201500001212');
		} else {
			// The cookie value is the Date string stored by setAlertMark.
			var preTime = new Date(getCookie('timeSj201500001212')).getTime();
			var nowTime = (new Date()).getTime();
			// The `% (3600 * 1000)` keeps only the part of the elapsed time that is
			// left after removing whole hours, so timeSub is a 0-59 minute remainder,
			// not the total number of minutes since the last popup.
			var timeSub = Math.floor((nowTime - preTime) % (3600 * 1000) / (60 * 1000));
			// alert(timeSub + ' minutes have passed');
			if (timeSub >= alertAgainTime) {
				createMobile();
				setAlertMark('timeSj201500001212');
			}
		}
	} else {
		// Anything not recognised as mobile is treated as desktop.
		createPc();
	}
}
 
// Build the mobile popup: a fixed, centred wrapper holding a "close" link and
// an iframe that loads iframeMbUrl.
// Analyst note: the wrapper id 'sjImg000020131212' is a DOM marker for this
// injection; the wrapper is appended to <html> itself rather than to <body>.
function createMobile() {
	var warp = document.createElement("div");
	warp.style.width = '19.2rem';
	warp.style.height = '8.8rem';
	warp.style.position = 'fixed';
	warp.style.top = '50%';
	warp.style.left = '50%';
	// Negative margins of half the width/height centre the box on the viewport.
	warp.style.marginTop = '-4.4rem';
	warp.style.marginLeft = '-9.6rem';
	// 2147483647 is the largest 32-bit signed integer, keeping the popup above page content.
	warp.style.zIndex = '2147483647';
	warp.setAttribute('id', 'sjImg000020131212');
	// The close button is an <a href=btnClickUrl target="_blank"> wrapping the
	// close image, so activating it also follows btnClickUrl in a new tab.
	warp.innerHTML = '<a href="' + btnClickUrl + '" target="_blank" class="closeBtn" id="closeBtn" style="position: absolute; width: 1.6rem; height: 1.6rem; right: 0; top: 0; cursor: pointer; z-index: 2147483647;"><img style="position: absolute; width: 1.6rem; height: 1.6rem; right: 0; top: 0; cursor: pointer; z-index: 2147483647;" src="' + path + 'images/close.png"></a><iframe marginwidth="0" marginheight="0" scrolling="no" frameborder="0" allowtransparency="yes" src="' + iframeMbUrl + '" style="width: 17.6rem; height: 7.2rem; z-index: 2147483646; position: absolute; top: 0.8rem; left: 0.8rem; background: #FFF;" class="showimg"></iframe>';
	ht.appendChild(warp);
	var btn = document.getElementById('closeBtn');
	// Arm the auto-close timer and the click-to-dismiss handler.
	alertBox(btn, 'sjImg000020131212');
}
 
// Build the desktop popup: a fixed box in the bottom-right corner holding a
// "close" control and an iframe that loads iframePcUrl.
// Uses the same wrapper id as the mobile popup ('sjImg000020131212').
function createPc() {
	// Create the popup wrapper. The explicit resets below (box-sizing, margin,
	// display, visibility, float, ...) pin these properties inline on the wrapper.
	var wapDiv = document.createElement('div');
	wapDiv.style.boxSizing = 'content-box';
	wapDiv.style.margin = '0';
	wapDiv.style.padding = '0';
	wapDiv.style.display = 'block';
	wapDiv.style.visibility = 'visible';
	wapDiv.style.border = 'none';
	wapDiv.style.float = 'none';
	wapDiv.style.overflow = 'hidden';
	wapDiv.style.position = 'fixed';
	// Largest 32-bit signed integer, keeping the popup above page content.
	wapDiv.style.zIndex = '2147483647';
	wapDiv.style.width = w_w + 'px';
	wapDiv.style.height = w_h + 'px';
	wapDiv.style.right = '5px';
	wapDiv.style.bottom = '3px';
	wapDiv.style.background = 'none';
	wapDiv.setAttribute('id', 'sjImg000020131212');
	// Fill the wrapper: the close control #c_w is an <a href=btnClickUrl target="_blank">
	// containing the X icon (#c_m) and a label (#c_b, "\u5173\u95ed" = "close"), followed
	// by the ad iframe. The markup nests <a> inside <a>.
	// NOTE(review): how a browser parses the nested anchors is not verified here.
	wapDiv.innerHTML = '<a href="' + btnClickUrl + '" target="_blank" id="c_w" style="box-sizing: content-box; margin: 0px 0px 5px; padding: 0px; height: 20px; width: 61px; cursor: pointer; position: absolute; right:0; overflow: hidden; top: 0px;"><a id="c_m" style="margin: 0px 0px 3px; padding: 0px; display: inline-block; border: none; height: 20px; width: 20px; font-size: 12px; cursor: pointer; float: right; line-height: 20px; background: url(http://120.25.147.157:3579/jq142/a/images/xuanfu_close.png);"></a><a id="c_b" style="box-sizing: content-box; width: 40px; height: 20px; color: rgb(255, 255, 255); margin-right: 1px; font-size: 12px; float: right; font-family: 微软雅黑; line-height: 20px; text-align: center; background-color: rgb(153, 153, 153);">\u5173\u95ed</a></a><div style="box-sizing: content-box; width: 440px; height: 180px; overflow: hidden; position: absolute; left: 0px; top: 25px; padding: 4px; border: 1px solid rgb(172, 172, 172);"><iframe width="' + i_w + '" height="' + i_h + '" align="center" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" allowtransparency="yes" src="' + iframePcUrl + '"></iframe></div>';
	// Attach the popup to the page.
	ht.appendChild(wapDiv);
 
	var c_w = document.getElementById('c_w'); // close-control wrapper
	var c_m = document.getElementById('c_m'); // X icon
	var c_b = document.getElementById('c_b'); // "close" label
	// Hover styling. `path` already ends in '/', so these URLs contain '//images/'.
	c_w.onmouseenter = function() {
		c_b.style.backgroundColor = '#000';
		c_m.style.background = 'url(' + path + '/images/xuanfu_close_hover.png)';
	}
	c_w.onmouseleave = function() {
		c_b.style.backgroundColor = '#999';
		c_m.style.background = 'url(' + path + '/images/xuanfu_close.png)';
	}
	// Arm the auto-close timer and the click-to-dismiss handler.
	alertBox(c_w, 'sjImg000020131212');
}
 
// Close the popup after a delay, or immediately when the close control is clicked.
//   _btn     - element whose click dismisses the popup
//   parentId - id of the popup wrapper to remove from <html>
function alertBox(_btn, parentId) {
	// Remove the popup automatically after closeTime milliseconds.
	times = setTimeout(function() {
		ht.removeChild(document.getElementById(parentId)); // close the popup
	}, closeTime);
	_btn.onclick = function() {
		// Disabled variant that opened btnClickUrl in a separate window and
		// closed it again after dialogCloseTime:
		//		var a = window.open(btnClickUrl, '', 'fullscreen=1,left=0, left=0, toolbar=no, menubar=no, scrollbars=no, resizable=no,location=no,alwaysLowered = true, status=no');
		//		a.resizeTo(screen.availWidth, screen.availHeight);
		//		setTimeout(function() { // auto-close method
		//			a.close();
		//		}, dialogCloseTime);
		// Overwriting `times` only discards the handle; clearTimeout is never
		// called, so the timer above still fires. By then getElementById(parentId)
		// returns null and removeChild is called with null.
		times = "";
		ht.removeChild(document.getElementById(parentId)); // close the popup
	}
}
 
// Record "popup shown now" by storing the current Date in the cookie `name`.
// deviceCheck reads this value back to decide when to show the mobile popup again.
function setAlertMark(name) {
	var cookieTime = new Date();
	// setCookie passes the Date through escape(), which stringifies it.
	setCookie(name, cookieTime);
}
 
// Write a cookie `name` = escape(value) that expires 30 days from now.
// No path or domain attribute is set. The cookie is written through
// document.cookie of the page running this script, i.e. on the visited site.
function setCookie(name, value) {
	var Days = 30;
	var exp = new Date();
	exp.setTime(exp.getTime() + Days * 24 * 60 * 60 * 1000);
	// escape() and toGMTString() are legacy APIs.
	document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString();
}
 
// Read cookie `name` from document.cookie.
// Returns the unescape()d value, or null when no such cookie is present.
function getCookie(name) {
	// `name` is inserted into the pattern as-is (no regex escaping); group 2 captures the value.
	var arr, reg = new RegExp("(^| )" + name + "=([^;]*)(;|$)");
	// Assignment inside the condition is intentional: match() yields null when absent.
	if (arr = document.cookie.match(reg)) return unescape(arr[2]);
	else return null;
}
 
// Leftover commented-out code (same remainder arithmetic as in deviceCheck):
//var leave2 = leave1 % (3600 * 1000) // milliseconds left after removing whole hours
//var minutes = Math.floor(leave2 / (60 * 1000));
// Run the popup logic once the page has finished loading.
// Assigning window.onload replaces any handler previously assigned to that property.
window.onload = function() {
	deviceCheck();
}

接着测试访问 http://libs.baidu.com/ 开头的所有网址,显示的代码都如上面第二个图片一样。问了下群里的朋友,都没这个问题,也就是说,这个问题只在我这边(广西玉林市博白县电信宽带网络)出现,是分地区的,不知是宽带商劫持的还是其他原因。另外,http://120.25.147.157:3579/jq142/a/click.js 的这个IP是阿里云的:

2015-11-13_102117

接着看广告代码的第二行,出现了域名 http://www.mangding.com 作为跟踪统计,不排除就是这个网站所有者或其服务器管理人员制造的这个广告代码,或者是由这个网站提供统计分析服务。

最后得出结论:

1.百度域名 libs.baidu.com 被恶意劫持插入广告,而且可能是分地区的,不排除宽带运营商操作的可能性

2.该广告代码托管于阿里云服务器,阿里云官方应该可以查看到这个用户,但是人家不会告诉我是谁

3.http://www.mangding.com 作为跟踪统计,不排除就是这个网站所有者或其服务器管理人员制造的这个广告代码,或者是由这个网站提供统计分析服务。

建议:

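各大站长请先不要引用百度域名 libs.baidu.com 下的文件,以免导致某些地区的用户受到广告骚扰。这类注入之所以可行,是因为脚本通过明文 HTTP 加载,传输途中的内容可以被替换;改用 HTTPS 地址引用公共库,并在 script 标签上加子资源完整性(SRI)的 integrity 校验,可以避免被篡改的文件在页面中执行。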


最后编辑于:2015/11/13作者: 胡倡萌

一个疯狂的 WordPress 爱好者,喜欢折腾 WordPress 主题,分享 WordPress 资源。如果你也喜欢 WordPress,欢迎和我一起交流!

17 条评论


  1. 同盟源说道:
    14#

    用SSL加密就行了,这是运营商劫持

  2. Yearliny说道:
    13#

    果断转https~小绿锁给你无限逼格还不会被劫持~而且各种免费SSL证书也是一摞一摞的,相信你的技术一定懂这个只是没有做。

  3. 百分之一博客说道:
    12#

    我的也是 抓包还不好抓 估计有ip检测 打开一次就消失不见了

  4. 自由草说道:
    11#

    我手机用联通4g就被挟持插入广告,一开始还以为我的站里

  5. 高比利说道:
    10#

    这应该是isp在耍流氓,把dns换成百度的公共dns180.76.76.76试试,或者114.114.114.114,8.8.8.8。
    另外120.25.147.157上有个域名www.daogehang.com,注册信息如下:
    所有者 Zhang Jun
    Registrant Name

    所有者联系邮箱 mxzkof@163.com
    Registrant E-mail

    注册商 35 TECHNOLOGY CO., LTD
    Sponsoring Registrar

    注册日期 2012年06月03日
    Registration Date(EDT)

    到期日期 2016年06月03日
    Expiration Date(EDT)

    2016年06月03日前,域名可正常使用。请在2016年06月03日前及时续费延期。

    域名状态
    Domain Status 注册商设置禁止转移(clientTransferProhibited)
    http://www.icann.org/epp#clientTransferProhibited

    DNS服务器
    Name Server DNS1:F1G1NS1.DNSPOD.NET
    DNS2:F1G1NS2.DNSPOD.NET

    详细英文注册信息如下
    Domain Name: daogehang.com
    Registry Domain ID:
    Registrar WHOIS Server: whois.35.com
    Registrar URL: http://www.35.com
    Updated Date: 2015-05-27T02:32:21.0Z
    Creation Date: 2012-06-03T16:06:33.0Z
    Registrar Registration Expiration Date: 2016-06-03T16:06:33.0Z
    Registrar: 35 Technology Co., Ltd.
    Registrar IANA ID: 1316
    Registrar Abuse Contact Email: abuse@35.cn
    Registrar Abuse Contact Phone: +86.5925391800
    Domain Status: clientTransferProhibited
    Registry Registrant ID:
    Registrant Name: Relax Tech
    Registrant Organization: Zhang Jun
    Registrant Street: Nanshan Road, Nanshan District, 3071...
    Registrant City: ShenZhen
    Registrant State/Province: Guangdong
    Registrant Postal Code: 51800
    Registrant Country: CN
    Registrant Phone: +86.75586364985
    Registrant Phone Ext:
    Registrant Fax: +86.75586364985
    Registrant Fax Ext:
    Registrant Email: mxzkof@163.com
    Registry Admin ID:
    Admin Name: Michael Xerox Zhang
    Admin Organization: Zhang Jun
    Admin Street: Nanshan Road, Nanshan District, 3071...
    Admin City: ShenZhen
    Admin State/Province: Guangdong
    Admin Postal Code: 51800
    Admin Country: CN
    Admin Phone: +86.75586364985
    Admin Phone Ext:
    Admin Fax: +86.75586364985
    Admin Fax Ext:
    Admin Email: mxzkof@163.com
    Registry Tech ID:
    Tech Name: Michael Xerox Zhang
    Tech Organization: Zhang Jun
    Tech Street: Nanshan Road, Nanshan District, 3071...
    Tech City: ShenZhen
    Tech State/Province: Guangdong
    Tech Postal Code: 51800
    Tech Country: CN
    Tech Phone: +86.75586364985
    Tech Phone Ext:
    Tech Fax: +86.75586364985
    Tech Fax Ext:
    Tech Email: mxzkof@163.com
    Name Server: f1g1ns1.dnspod.net
    Name Server: f1g1ns2.dnspod.net
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2015-11-13T05:02:18.0Z <<<
    This data is provided by 35 Technology Co., Ltd.
    for information purposes, and to assist persons obtaining information
    about or related to domain name registration records.
    35 Technology Co., Ltd. does not guarantee its accuracy.
    By submitting a WHOIS query, you agree that you will use this data
    only for lawful purposes and that, under no circumstances, you will
    use this data to
    1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via E-mail
    (spam); or
    2) enable high volume, automated, electronic processes that apply
    to this WHOIS server.
    These terms may be changed without prior notice.
    By submitting this query, you agree to abide by this policy.

    另附专用词汇英/中文对照链接https://help.aliyun.com/knowledge_detail/6570480.html?spm=5176.whdaogehan.3.1.QfkYWt

    希望能帮到你^_^

  6. 阿西吧说道:
    9#

    广西南宁~和柳州都发现这个问题。好奇怪。

  7. 快播电影说道:
    8#

    百度的都有问题,真是悲剧~

  8. jackboo说道:
    7#

    我也发现了。

  9. jkd说道:
    6#

    我的也是类似楼主情况,是广西柳州电信,连朋友的其它运营商宽带却没事

  10. eiray说道:
    5#

    这应该是本地运营商劫持!

  11. 藏标网说道:
    4#

    这劫持太坑爹了,博主用的什么面板,lnmp 还是开源面板?服务器

    • 胡倡萌说道:

      lnmp.org 的环境包

  12. 锚记者说道:
    3#

    广告无处不在啊…… :mrgreen:

  13. Tokin说道:
    2#

    这种问题还真棘手,我是无论如何都想不到是JQ的问题的。
    百度的libs一直不敢用,看来是正确的

    • 胡倡萌说道:

      本来也是想国内的jQuery源会快点,没想到遇到这么个情况,不过貌似现在又好了,难道是我重装了系统和软件的缘故?每次重装系统都很不习惯,很多软件都要重装一遍

      • Tokin说道:

        可能是本地软件篡改的

  14. 三网流量分发平台2491说道:
    1#

    先看见前一篇文章的,后来才发现这篇文章,找到问题就好啦~
