Friend says (15:08): If you have a moment, visit 当年明月's blog http://blog.sina.com.cn/m/dangnianmingyue with a sniffer running and see whether it goes off and downloads a file, www.jcdh.cn/1.exe. Here, as soon as I visit that page it downloads this virus. Other pages are fine. I can't tell whether my machine is infected or the page itself has a problem.
精于心,简于形[郑昀] says (15:15): http://www.xfocus.net/articles/200610/888.html talks about this. "Two years ago, when visiting websites I was often redirected to the Beijing Broadband 'intelligent error-correction' site, which was annoying. Then for a while it seemed to stop, so I stopped paying attention. These past few days some strange things have again been happening when I visit websites. My first guess is that something is off with the network; of course I can guarantee my own system is clean."

jcdh.cn whois:
Domain Name            jcdh.cn
Domain Status          ok
Registrant Name        吕先生 (Mr. Lü)
Administrative Email   dayu2008@163.com
Sponsoring Registrar   北京万网志成科技有限公司
Name Server            dns11.hichina.com
Name Server            dns12.hichina.com
Registration Date      2006-09-15 14:11
Expiration Date        2007-09-15 14:11
Friend says: Yes. I'm reading that xfocus article right now; I saw it a few days ago.
精于心,简于形[郑昀] says: I wrote about this problem a few months ago; it's a typical rogue tactic.
Friend says: Yes, I read that article of yours. That was right when the 互联星空 bundling was at its peak.
精于心,简于形[郑昀] says: This time it's probably them again. It has nothing to do with your system.
Technical readers, see the xfocus discussion below:
Created: 2006-10-15  Updated: 2006-10-15  Article type: reprint  Source: internet  Submitted by: root (webmaster_at_xfocus.org)

Who Touched Our DNS (谁动了我们的DNS)
2006-10-16
by 81d83889fb4a54b0d5d7e07d42c51422
This article is released under the GPL; reposting is welcome.

|=------------------------------------------------------------------------=|

---------[ Table of Contents ]

 0x1 - Foreword
 0x2 - Some odd phenomena
 0x2.1 -- Pinging domains that do not exist
 0x2.2 -- Packet capture analysis
 0x3 - Browsing to a non-existent domain gets redirected
 0x3.1 -- What you see
 0x3.2 -- Packet capture analysis
 0x4 - Statistics for xxxxxx.bobodogs.com
 0x5 - Statistics for www.bobodogs.com
 0x6 - One trip that ended at the 3721 site
 0x7 - Worth a look: the www.jcdh.cn site
 0x8 - Summary
 0x8.1 -- Who is affected
 0x8.2 -- Workaround

|=------------------------------------------------------------------------=|

---------[ 0x1 - Foreword ]

A year or two ago, when visiting websites I was often redirected to the Beijing Broadband "intelligent error-correction" site, which was annoying. After a while it seemed to stop, so I stopped paying attention. These past few days, some strange things have again been happening when I visit websites. My first guess was that something was wrong with the network; I can certainly vouch that my own system is clean.

Environment: WinXP SP2, Firefox, Beijing Netcom ADSL dial-up, IP address and DNS servers assigned by DHCP. I do not use IE because IE itself has the 3721 lookup built in, or more precisely has auto.search.msn.com built in.

Keywords: DNS query, HTTP protocol, WHOIS query, DNS round-robin

---------[ 0x2 - Some odd phenomena ]

I will not restate here how DNS works or how important it is to the Internet as a whole.

---------[ 0x2.1 - Pinging domains that do not exist ]

First, some observations:

======================================================================
ping fuck12334566.com

Pinging fuck12334566.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=17ms TTL=247
Reply from 202.108.251.209: bytes=32 time=16ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 17ms, Average = 16ms
Control-C
^C
ping fuck12334566.com

Pinging fuck12334566.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=15ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 15ms, Average = 15ms
Control-C
^C
ping fuck12334567.com

Pinging fuck12334567.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=17ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms
Control-C
^C
ping fuck12334568.com

Pinging fuck12334568.com [202.108.251.207] with 32 bytes of data:

Reply from 202.108.251.207: bytes=32 time=18ms TTL=247
Reply from 202.108.251.207: bytes=32 time=17ms TTL=247

Ping statistics for 202.108.251.207:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 18ms, Average = 17ms
Control-C
^C
ping fuck12334569.com

Pinging fuck12334569.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=16ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms
Control-C
^C
ping fuck12334570.com

Pinging fuck12334570.com [202.108.251.206] with 32 bytes of data:

Reply from 202.108.251.206: bytes=32 time=16ms TTL=247

Ping statistics for 202.108.251.206:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms
Control-C
^C
ping fuck12334571.com

Pinging fuck12334571.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=17ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms
Control-C
======================================================================

Why is this? A domain name I had obviously just mashed out at random, and it resolves to a whole series of IP addresses. Chance, or coincidence?

The IP addresses the DNS server handed back:

202.108.251.209
202.108.251.206
202.108.251.207
202.108.251.213

===============================================================
inetnum:      202.108.0.0 - 202.108.255.255
netname:      CNCGROUP-BJ
descr:        CNCGROUP Beijing province network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
changed:      hm-changed@apnic.net 20031017
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20060124
source:       APNIC

role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       suny@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      suny@publicf.bta.net.cn 19980824
changed:      hm-changed@apnic.net 20060717
source:       APNIC
===============================================================

---------[ 0x2.2 - Packet capture analysis ]

A capture of one lookup:

===============================================================
Frame 3 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Vmware_fc:4e:c4 (00:50:56:fc:4e:c4), Dst: Vmware_2b:e7:dd (00:0c:29:2b:e7:dd)
Internet Protocol, Src: 192.168.174.2 (192.168.174.2), Dst: 192.168.174.132 (192.168.174.132)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1326 (1326)
Domain Name System (response)
    Transaction ID: 0xc627
    Flags: 0x8180 (Standard query response, No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        fuck123445452.com: type A, class IN
            Name: fuck123445452.com
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        fuck123445452.com: type A, class IN, addr 202.108.251.213
            Name: fuck123445452.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute
            Data length: 4
            Addr: 202.108.251.213
===============================================================

Plainly, the DNS server is telling us that fuck123445452.com has the IP address 202.108.251.213. Note the response code: a resolver that does not know a name answers NXDOMAIN (RCODE 3) with no answer record. This one answers "No error" with an A record and a one-minute TTL, which is the fingerprint of an address made up by the resolver rather than one learned from the .com zone.

---------[ 0x3 - Browsing to a non-existent domain gets redirected ]

---------[ 0x3.1 - What you see ]

Now let's look at the HTTP side. In Firefox I typed in the address www.chinatesttesttest.com (I had specifically checked: nobody had registered this domain yet)
, and what came back was:

===============================================================
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
Please try the following:
* Click the refresh.gif (82 bytes) Refresh button, or try again later.
* If you typed the page address in the Address bar, make sure that its spelling
===============================================================

Strange, isn't it? Yes; it would be strange if it weren't.

---------[ 0x3.2 - Packet capture analysis ]

Capturing what Firefox does:

★ Step 1: Look up the IP address of www.chinatesttesttest.com. As before, the DNS server returns 202.108.251.215.

★ Step 2:
  2.1 Send a `GET / HTTP/1.1\r\n` request to 202.108.251.215.
  2.2 202.108.251.215 returns:

===============================================================
Hypertext Transfer Protocol
Line-based text data: text/html
    <html>
    <head>
    <style>body{margin:0px;padding:0px;overflow:hidden;}</style>
    <!--<script language="javascript" type="text/javascript" src="http://xxxxxx.bobodogs.com/"></script>-->
    </head>
    <body>
    <iframe name="iframe0" src="http://www.jcdh.cn/1.html?url=www.chinatesttestest.com/" WIDTH="100%" HEIGHT="100%" FRAMEBORDER="0" />
    <!--xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-->
    </body>
    </html>
===============================================================

OK, two sites show up here: bobodogs.com and jcdh.cn. Let's see what each of them is. jcdh.cn is the Beijing Broadband Net site (added later: at first glance it is). bobodogs.com is 博博狗 (Bobodogs). What is the relationship between the two?

===============================================================
jcdh.cn whois:
Domain Name            jcdh.cn
Domain Status          ok
Registrant Name        吕先生 (Mr. Lü)
Administrative Email   dayu2008@163.com
Sponsoring Registrar   北京万网志成科技有限公司
Name Server            dns11.hichina.com
Name Server            dns12.hichina.com
Registration Date      2006-09-15 14:11
Expiration Date        2007-09-15 14:11
===============================================================
bobodogs whois:
   Domain Name: BOBODOGS.COM
   Registrar: HICHINA WEB SOLUTIONS (HONG KONG) LIMITED
   Whois Server: grs.hichina.com
   Referral URL: http://whois.hichina.com
   Name Server: DNS12.HICHINA.COM
   Name Server: DNS11.HICHINA.COM
   Status: ACTIVE
   EPP Status: ok
   Updated Date: 18-Jul-2006
   Creation Date: 18-Jul-2006
   Expiration Date: 18-Jul-2008

[grs.hichina.com]
Domain Name ..................... bobodogs.com
Name Server ..................... dns11.hichina.com
                                  dns12.hichina.com
Registrant ID ................... hc468722731-cn
Registrant Name ................. HAICHUAN LI
Registrant Organization ......... LI HAICHUAN
Registrant Address .............. BEIJING
Registrant City ................. BEIJING
Registrant Province/State ....... BEIJING
Registrant Postal Code .......... 100029
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.01058208009 -
Registrant Fax .................. +86.01058208005 -
Registrant Email ................ ponyring@gmail.com
Administrative ID ............... hc468722731-cn
Administrative Name ............. HAICHUAN LI
Administrative Organization ..... LI HAICHUAN
Administrative Address .......... BEIJING
Administrative City ............. BEIJING
Administrative Province/State ... BEIJING
Administrative Postal Code ...... 100029
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.01058208009 -
Administrative Fax .............. +86.01058208005 -
Administrative Email ............ ponyring@gmail.com
Billing ID ...................... hichina001-cn
Billing Name .................... hichina
Billing Organization ............ HiChina Web Solutions Limited
Billing Address ................. 3/F., HiChina Mansion No.27 Gulouwai Avenue Dongcheng District
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100011
Billing Country Code ............ CN
Billing Phone Number ............ +86.01064242299 -
Billing Fax ..................... +86.01064258796 -
Billing Email ................... domainadm@hichina.com
Technical ID .................... hichina001-cn
Technical Name .................. hichina
Technical Organization .......... HiChina Web Solutions Limited
Technical Address ............... 3/F., HiChina Mansion No.27 Gulouwai Avenue Dongcheng District
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100011
Technical Country Code .......... CN
Technical Phone Number .......... +86.01064242299 -
Technical Fax ................... +86.01064258796 -
Technical Email ................. domainadm@hichina.com
Expiration Date ................. 2008-07-18 06:21:34
===============================================================

★ Step 3: Following the data it got back, Firefox goes on to www.jcdh.cn with GET 1.html?url=www.chinatesttestest.com. This time the response is (the page is served in GB2312; its text is rendered in English here):

===============================================================
Hypertext Transfer Protocol
Line-based text data: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<style>
a:link      {font:9pt/12pt 宋体; color:red}
a:visited   {font:9pt/12pt 宋体; color:#4e4e4e}
img         {display:none;}
img.dis     {display:inline;}
</style>
<script language="javascript" type="text/javascript">window.status="Done";</script>
<script language="javascript" type="text/javascript" src="http://xxxxxx.bobodogs.com/1.shtml"></script>
<meta HTTP-EQUIV="Content-Type" Content="text-html; charset=gb2312">
<title>bobodogs.com Cannot find server</title>
</head>
<body bgcolor="white">
<table width="400" cellpadding="3" cellspacing="5">
<tr>
<td id="tableProps" valign="top" align="left"><img class="dis" id="pagerrorImg" SRC="res://shdoclc.dll/pagerror.gif" width="25" height="33"></td>
<td id="tableProps2" align="left" valign="middle" width="360"><h1 id="textSection1" style="COLOR: black; FONT: 13pt/14pt 宋体"><span id="errorText">The page cannot be displayed</span></h1>
</td>
</tr>
<tr>
<td id="tablePropsWidth" width="400" colspan="2"><font style="COLOR: black; FONT: 8pt/11pt verdana">The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.</font></td>
</tr>
<tr>
<td id="tablePropsWidth" width="400" colspan="2"><font id="LID1" style="COLOR: black; FONT: 9pt/12pt 宋体"><hr color="#C0C0C0" noshade>
<p id="LID2">Please try the following:</p>
<ul>
<li id="instructionsText1">Click the <a href="javascript:location.reload()" target="_self"> <img class="dis" border=0 src="res://shdoclc.dll/refresh.gif" width="13" height="16" alt="refresh.gif (82 bytes)" align="middle"></a> <a href="javascript:location.reload()" target="_self">Refresh</a> button </li>
<li id="instructionsText2">If you typed the page address in the Address bar, make sure that it is spelled correctly.<br>
</li>
<li id="instructionsText3">To check your connection settings, click the <b>Tools</b> menu, and then click <b>Internet Options</b>. On the <b>Connections</b> tab, click <b>Settings</b>. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP). </li>
<li ID="list4">See if your Internet connection settings are being detected correctly. You can set Microsoft Windows to detect
<OL>
<li id="instructionText6">Click the <b>Tools</b> menu, and then click <B>Internet Options</b>. </li>
<li id="instructionText7">On the <b>Connections</b> tab, click <b>LAN Settings</b>.</li>
<li id="instructionText8">Select <b>Automatically detect settings</b>, and then click <b>OK</b>.</li>
</OL>
</li>
<li id="instructionsText5"> Some sites require 128-bit connection security. Click the <b>Help</b> menu and then click <b>About </li>
<li id="instructionsText4"> If you are trying to reach a secure site, make sure your Security settings can support it. Click </li>
<li id="list3">Click the <a href="javascript:history.back(1)"><img class="dis" valign=bottom border=0 src="res://shdoclc.dll/back.gif">Back</a> button to try another link
</ul>
<p><br>
</p>
<h2 id="IEText" style="font:9pt/12pt 宋体; color:black">Cannot find server or DNS Error<BR>
Internet Explorer</h2>
</font></td>
</tr>
</table>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/549643.js"></script>
<noscript><a href="http://www.51.la/?549643" target="_blank"><img alt="我要啦 free statistics" src="http://img.users.51.la/549643.asp" style="border:none" /></a></noscript>
</body>
</html>
===============================================================

This page is exactly what we saw rendered above:

===============================================================
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
Please try the following:
* Click the refresh.gif (82 bytes) Refresh button, or try again later.
* If you typed the page address in the Address bar, make sure that its spelling
===============================================================

Further down we also see a JS script. 51.la is a free traffic-statistics service. The content of http://js.users.51.la/549643.js is:

===============================================================
document.write ('<a href="http://www.51.la/?549643" target="_blank"><img alt="我要啦 free statistics VIP user" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
document.write ('<script>var a549643tf="51la";var a549643pu="";var a549643pf="51la";var a549643su=window.location;var a549643sf=document.referrer;var a549643of="";var a549643op="";var a549643ops=1;var a549643ot=1;var a549643d=new Date();var a549643color="";if (navigator.appName=="Netscape"){a549643color=screen.pixelDepth;} else {a549643color=screen.colorDepth;}<\/script>'
 + '<script>a549643tf=top.document.referrer;<\/script>'
 + '<script>a549643pu =window.parent.location;<\/script>'
 + '<script>a549643pf=window.parent.document.referrer;<\/script>'
 + '<script>a549643ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a549643ops=(a549643ops==null)?1: (parseInt(unescape((a549643ops)[2]))+1);var a549643oe =new Date();a549643oe.setTime(a549643oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a549643ops+ ";expires="+a549643oe.toGMTString();a549643ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a549643ot==null){a549643ot=1;}else{a549643ot=parseInt(unescape((a549643ot)[2])); a549643ot=(a549643ops==1)?(a549643ot+1):(a549643ot);}a549643oe.setTime(a549643oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a549643ot+";expires="+a549643oe.toGMTString();<\/script>'
 + '<script>a549643of=a549643sf;if(a549643pf!=="51la"){a549643of=a549643pf;}if(a549643tf!=="51la"){a549643of=a549643tf;}a549643op=a549643pu;try{lainframe}catch(e){a549643op=a549643su;}document.write(\'<img style="width:0px;height:0px" src="http://36.db.51.la/s.asp?id=549643&tpages=\'+a549643ops+\'&ttimes=\'+a549643ot+\'&tzone=\'+(0-a549643d.getTimezoneOffset()/60)+\'&tcolor=\'+a549643color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a549643of)+\'&vpage=\'+escape(a549643op)+\'" \/>\');<\/script>');
===============================================================

This JS produces a request for

http://36.db.51.la/s.asp?id=549643&tpages=6&ttimes=1&tzone=8&tcolor=32&sSize=800,600&referrer=http://www.chinatesttestest.com/&vpage=http://www.jcdh.cn/1.html?url=www.chinatesttestest.com/

which adds to the traffic and PV count of xxxxxx.bobodogs.com.

★ Step 4: Firefox fetches that 36.db.51.la URL, adding to its traffic and PV.

---------[ 0x4 - Statistics for xxxxxx.bobodogs.com ]

At this point Firefox's work is done. Let's look at the current statistics for the user with ID 549643.

Basic information
  Site name:     xxxxxx.bobodogs.com (a 我要啦 VIP subscriber)
  Site URL:      http://xxxxxx.bobodogs.com
  Description:   -
  Webmaster:     mohome
  Online now:    loading ... [view online users]
  Stats since:   2006-9-6 14:00:00
  Days counted:  37.30
  51.la rank:    255 [rank history, last 3 months]

Basic traffic                Visits (IP)      Page views (PV)
  Total:                     1136044 IP       4257828 PV
  Today:                     135122 IP        558541 PV
  Yesterday:                 135739 IP        544212 PV
  This month:                355116 IP        1342385 PV
  This year:                 1136044 IP       4257828 PV
  Daily average:             30457 IP         114151 PV
  Projected today:           155220 IP        630867 PV

Visit rank (unique IPs)      2006-10-12       Last 7 days      Last 3 months
  IPs                        135739 IP        218861 IP        1000922 IP
  Visit rank                 #42              #255             #735

Page-view rank (PV)          2006-10-12       Last 7 days      Last 3 months
  PVs                        544212 PV        781265 PV        3699287 PV
  Page-view rank             #83              #429             #970

100% of xxxxxx.bobodogs.com's traffic comes from /1.html?url

================================================================
IP (click an IP to trace the visitor)  Location                Time      Referrer                 Entry URL                               Return visits  Browser   Alexa
61.50.170.145                          Beijing                 21:17:09  mv.baidusp.co            /1.html?url=mv.baidusp.co/              1              MSIE 6.0  ×
219.236.152.177                        Beijing                 21:17:13  newcrm.chinaren.com      /1.html?url=newcrm.chinaren.com/club    1              MSIE 6.0  ×
221.222.150.157                        Beijing, Chongwen       21:16:53  product1.chinadns.co     /1.html?url=product1.chinadns.com/cg    1              MSIE 6.0  ×
221.217.168.149                        Beijing, Chaoyang       21:17:14  cc.525354.com            /1.html?url=cc.525354.com/push.aspx?    1              MSIE 6.0  ×
219.238.4.189                          Beijing, Chaoyang       21:16:52  www.zhangxlei.com        /1.html?url=www.zhangxlei.com/          1              MSIE 6.0  ×
221.223.171.18                         Beijing, Haidian        21:17:15  www.cn.dhl.cn            /1.html?url=www.cn.dhl.cn/              1              MSIE 6.0  ×
61.51.129.178                          Beijing, Haidian        21:17:02  www.9002.                /1.html?url=www.9002./                  1              MSIE 6.0  ×
221.220.130.220                        Beijing, Daxing         21:17:14  prced.com                /1.html?url=prced.com/                  1              MSIE 6.0  √
221.223.182.253                        Beijing, Haidian        21:17:07  374.adsina.allyes.co     /1.html?url=374.adsina.allyes.com/ma    1              MSIE 6.0  ×
221.221.223.109                        Beijing, Haidian        21:16:53  www.uuubbb.com           /1.html?url=www.uuubbb.com/             1              MSIE 6.0  ×
221.4.236.194                          Huizhou, Guangdong      21:17:05  www.163com               /1.html?url=www.163com/                 1              MSIE 6.0  ×
60.194.223.82                          Beijing                 21:16:48  minisite.qq.com          /1.html?url=minisite.qq.com/all/alli    1              MSIE 6.0  ×
......
===============================================================

Visiting http://xxxxxx.bobodogs.com/ itself returned an HTTP 404.

---------[ 0x5 - Statistics for www.bobodogs.com ]

www.bobodogs.com presents itself as a blog / beauties / pretty-pictures site. Its statistics:

Basic information
  Site name:     博博狗 (Bobodogs)
  Site URL:      http://www.bobodogs.com
  Description:   -
  Webma​ster:     bobodogs
  Online now:    loading ... [view online users]
  Stats since:   2006-9-12 14:00:00
  Days counted:  31.90
  51.la rank:    11650 [rank history, last 3 months]

Basic traffic                Visits (IP)      Page views (PV)
  Total:                     8059 IP          36861 PV
  Today:                     154 IP           1627 PV
  Yesterday:                 315 IP           2410 PV
  This month:                3845 IP          16446 PV
  This year:                 8059 IP          36861 PV
  Daily average:             253 IP           1156 PV
  Projected today:           398 IP           3566 PV

Visit rank (unique IPs)      2006-10-13       Last 7 days      Last 3 months
  IPs                        315 IP           1851 IP          7905 IP
  Visit rank                 #10188           #11650           #19536

Page-view rank (PV)          2006-10-13       Last 7 days      Last 3 months
  PVs                        2410 PV          8943 PV          35234 PV
  Page-view rank             #7003            #10102           #17594

---------[ 0x6 - One trip that ended at the 3721 site ]

Per the analysis above, visiting any unregistered domain now takes you, after that sequence of steps, to a "site unavailable" page, namely this one:

===============================================================
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
Please try the following:
* Click the refresh.gif (82 bytes) Refresh button, or try again later.
* If you typed the page address in the Address bar, make sure that its spelling
===============================================================

But a few times this same process ended up at 3721's search site instead. Let's look at the details of that.

★ Step 1: DNS query for testtest3.localdomain

===============================================================
Domain Name System (response)
    Transaction ID: 0xccc1
    Flags: 0x8180 (Standard query response, No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
    Answers
        testtest3.localdomain: type A, class IN, addr 61.51.18.112
            Name: testtest3.localdomain
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute
            Data length: 4
            Addr: 61.51.18.112
===============================================================

An unregistered name again, and this time the IP returned is 61.51.18.112. Whois for that address:

===============================================================
inetnum:      61.51.16.0 - 61.51.31.255
netname:      TONGKE-NET
descr:        Beijing Tonek Information Telenology Company
country:      CN
admin-c:      LS39-AP
tech-c:       LS39-AP
mnt-by:       MAINT-CHINANET-BJ
mnt-lower:    MAINT-CHINANET-BJ-TK
status:       ASSIGNED NON-PORTABLE
changed:      hostmast@publicf.bta.net.cn 20020221
changed:      hm-changed@apnic.net 20040927
source:       APNIC

person:       Liu ShuAn
address:      West ChangAn Street 11,XiCheng District
address:      Beijing, 100031
country:      CN
phone:        +86-10-66054242
fax-no:       +86-10-66030434
nic-hdl:      LS39-AP
mnt-by:       MAINT-NULL
changed:      suny@publicf.bta.net.cn 19980827
source:       APNIC
===============================================================

★ Step 2: Fetch the site at 61.51.18.112. The response is:

===============================================================
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Set-Cookie: JSESSIONID=8B31638C6757CB1337F65F6E21B6107E; Path=/\r\n
    Content-Type: text/html;charset=ISO-8859-1\r\n
    Content-Length: 652\r\n
    Date: Fri, 13 Oct 2006 09:17:26 GMT\r\n
    Server: Apache-Coyote/1.1\r\n
    \r\n
Line-based text data: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<Script language="JavaScript">
document.write("<HTML>");
document.write("<meta HTTP-EQUIV=\"Content-Type\" Content=\"text-html; charset=gb2312\">");
document.write("<head>");
document.write("<META HTTP-EQUIV=\"refresh\" content=\"0.1;URL=/URLAsk/\">")
document.write("<title>No Page Found</title></head>");
//document.write("<FrameSet border=\"0\" cols=\"*,0\">");
//document.write("<Frame height=\"100%\" frameborder=\"0\" width=\"100%\" src=\"/URLAsk/\">");
//document.write("<Frame src=\"/\">");
//document.write("</FrameSet>");
document.write("<body></body></HTML>");
</Script>
===============================================================

That redirects straight to /URLAsk on the same host.

★ Step 3: Fetch /URLAsk from 61.51.18.112. The response is:

===============================================================
Hypertext Transfer Protocol
    HTTP/1.1 302 Moved Temporarily\r\n
    Location: http://auto.search.msn.com/response.asp?MT=testtest3&rov=&utf8\r\n
    Content-Length: 0\r\n
    Date: Fri, 13 Oct 2006 09:17:26 GMT\r\n
    Server: Apache-Coyote/1.1\r\n
    \r\n
===============================================================

Redirected once more, this time to auto.search.msn.com. auto.search.msn.com uses 3721's machinery for its search, and what the user ends up seeing is Yahoo's 3721 site search. So: steered by DNS, with a cooperating website in the middle, we are finally delivered to Yahoo's 3721 search site.

---------[ 0x7 - Worth a look: the www.jcdh.cn site ]

Here is the content of that site's home page (text nodes rendered in English):

===============================================================
<title>北京宽带网-纠错导航</title>
....
<td height="110" colspan="2"><table width="100%" height="110" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td width="140" height="90" valign="bottom"><img src="pop/bbn_logo.jpg" width="130" height="75" border="0"/><span class="STYLE2"> </span></td>
    <td width="209" valign="bottom"><span class="STYLE2"><span class="STYLE4">Friendly reminder</span><span class="STYLE5">:</span><br />
      <br />
      The domain or URL you entered cannot be reached!<br />
      It may have been mistyped, or the site timed out!</span></td>
    <td width="450" align="right" valign="bottom"><div style="padding-bottom:10px"><img src="pop/g5.jpg" width="430" height="60" /></div></td>
  </tr>
  <tr>
    <td colspan="2" align="right" class="STYLE2"> </td>
    <td><span class="STYLE3"> We sincerely recommend the following great content for you</span></td>
  </tr>
</table></td></tr>
<tr>
<td width="350"><table width="100%" height="500" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td valign="top"><table width="345" height="400" border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td><iframe src="error.html" width="345" height="500" marginheight="0" marginwidth="0" frameborder="0" style="border:1px #D6E9F7 solid;"></iframe></td>
      </tr>
    </table></td>
  </tr>
</table></td>
<td><table width="100%" height="500" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td height="218" align="right" valign="top"><table width="430" border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="0">
          <tr>
            <td width="430" height="34" background="pop/430-34.jpg"><table width="100%" height="34" border="0" cellpadding="0" cellspacing="0">
              <tr>
                <td width="20"> </td>
                <td width="73" align="center" class="STYLE6">Focus</td>
                <td width="71" align="center"><div class="div_sub"><a href="http://www.bobodogs.com/sh/jujiaoshehui/" target="_blank">Society</a></div></td>
                <td width="71" align="center"><div class="div_sub"><a href="http://www.bobodogs.com/lx/xingshizhenxinhua" target="_blank">Sex and relationships</a></div></td>
                <td width="71" align="center"><div class="div_sub"><a href="http://www.bobodogs.com/sp/" target="_blank">Video</a></div></td>
                <td width="76" align="center"><div class="div_sub"><a href="http://www.bobodogs.com/tp" target="_blank">Pictures</a></div></td>
                <td> </td>
              </tr>
            </table></td>
...
===============================================================

We see that the title at the top reads 北京宽带网-纠错导航 ("Beijing Broadband Net - error-correction navigation"), the top-left corner uses the Beijing Broadband Net (BBN) logo, and there is a "Friendly reminder: the domain or URL you entered cannot be reached! It may have been mistyped, or the site timed out". The bottom-left is an error.html page, http://www.jcdh.cn/error.html, which shows "The page cannot be displayed" and imitates Internet Explorer's "Cannot find server or DNS Error" page (and I am using Firefox!). The right-hand side is content linking to www.bobodogs.com.

---------[ 0x8 - Summary ]

This is a technical article; I don't want to say much more......

A similar article elsewhere on the net: 是谁控制了我们的浏览器? ("Who is controlling our browser?") http://news.newhua.com/html/Skill_NetSoft/2006-8/21/0682112053342225_79.shtml

---------[ 0x8.1 - Who is affected ]

Judging from the 51.la statistics, those affected are Beijing Netcom ADSL dial-up users.

---------[ 0x8.2 - Workaround ]

If you find this annoying, do not let the connection obtain DNS server addresses automatically; enter non-Netcom DNS servers by hand. For example, Beijing Telecom's:

202.96.199.133
202.96.0.133
202.106.0.20
202.106.148.1
202.97.16.195

After switching, repeat the test from 0x2.1 with a name you have just made up: a resolver that is behaving reports that the host cannot be found instead of handing out an address from a pool. The same test also tells you whether the answers are being made up by the ISP's resolver (in which case switching helps) or rewritten on port 53 in transit (in which case it does not).

---------EOF
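The behaviour documented in 0x2.1 and 0x2.2 can be checked mechanically, and the same check is what to run against any resolver you switch to under 0x8.2. The following Python script is an added example; it is not code from the xfocus article or from this blog. It parses a raw DNS response the way the capture lays it out (header, question, A answer with a compression pointer back to the question name), probes a resolver with random names that nobody can have registered, and calls the resolver hijacked when every such name comes back NOERROR with an address from a single /24 instead of NXDOMAIN. The resolver is an injected callable so the script runs offline: `fake_cnc_resolver` and `fake_clean_resolver` are stand-ins I constructed from the addresses and TTL in the capture, not live Netcom traffic. As a sanity check on the packet layout, the constructed reply for fuck123445452.com is 51 bytes, which is the capture's 93 bytes on the wire minus 42 bytes of Ethernet, IP and UDP headers.

```python
"""Spot a resolver that answers names which cannot exist.

Added example, not code from the xfocus article.  Packets are built from
the fields in the article's capture (txid 0xc627, flags 0x8180, one A
record, TTL 60); the two fake resolvers are constructed stand-ins.
"""
import ipaddress
import itertools
import random
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Dotted name -> wire format (length-prefixed labels, zero terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet, offset):
    """Read a name, following 0xC0xx compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # pointer into packet
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_response(txid, qname, ips=(), ttl=60, rcode=RCODE_NOERROR):
    """Minimal A-record response, used here to construct sample replies."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # A, IN
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)  # name = ptr to 12
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + answers


def parse_response(packet):
    """Header, question name and A answers of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        qname, off = decode_name(packet, off)
        off += 4                                        # QTYPE, QCLASS
    for _ in range(ancount):
        name, off = decode_name(packet, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname, "answers": answers}


def random_names(n, tld="com", rng=random):
    """Names nobody can have registered, like the article's fuck12334566.com."""
    alphabet = string.ascii_lowercase + string.digits
    return [f"probe-{''.join(rng.choices(alphabet, k=16))}.{tld}" for _ in range(n)]


def check_resolver(resolve, names):
    """resolve(name) -> raw reply.  A correct resolver says NXDOMAIN for every
    random name; a hijacking one says NOERROR and points them all into one
    small pool of its own addresses."""
    rcodes, ips = [], []
    for name in names:
        reply = parse_response(resolve(name))
        rcodes.append(reply["rcode"])
        ips.extend(ip for _, _, ip in reply["answers"])
    if all(rc == RCODE_NXDOMAIN for rc in rcodes):
        return "clean", "every random name returned NXDOMAIN"
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
    if ips and all(rc == RCODE_NOERROR for rc in rcodes) and len(nets) == 1:
        return "hijacked", f"all random names land in {nets.pop()}: {sorted(set(ips))}"
    return "suspicious", f"rcodes={rcodes} ips={sorted(set(ips))}"


# Constructed stand-in for the Beijing Netcom resolver in the article:
# NOERROR for everything, one address round-robined out of 202.108.251.0/24.
_CNC_POOL = itertools.cycle(["202.108.251.206", "202.108.251.207",
                             "202.108.251.209", "202.108.251.213"])


def fake_cnc_resolver(name):
    return build_response(0xC627, name, [next(_CNC_POOL)], ttl=60)


def fake_clean_resolver(name):
    return build_response(0xC627, name, [], rcode=RCODE_NXDOMAIN)


if __name__ == "__main__":
    for label, resolver in (("netcom-like", fake_cnc_resolver), ("clean", fake_clean_resolver)):
        print(label, check_resolver(resolver, random_names(5)))
```

Against a real resolver, replace the fake with a function that sends the query over UDP port 53 and returns the raw reply; the parsing and the verdict do not change. A mixed result (some NXDOMAIN, some addresses) is reported as "suspicious" rather than either verdict, which is what the 0x6 case would look like if 61.51.18.112 showed up alongside the 202.108.251.0/24 pool.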
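The hop chains in 0x3.2 (wildcard IP, then an iframe to www.jcdh.cn/1.html?url=..., then script and beacon loads from bobodogs.com and 51.la) and in 0x6 (61.51.18.112, then a document.write'd meta refresh to /URLAsk/, then a 302 to auto.search.msn.com) are what you trace once a hijacked answer has been spotted. The following Python script is an added example, not code from the article: it follows 3xx Location headers, meta refreshes (including one buried inside a document.write string with escaped quotes, as on the 61.51.18.112 page) and the first iframe, and records which third-party hosts each page pulls in. `sample_fetch` serves a constructed table of responses cut down from the ones quoted in the article; in practice it would be replaced with a real HTTP client.

```python
"""Trace the hop chain behind a hijacked DNS answer.

Added example (not code from the xfocus article).  SAMPLE_RESPONSES is a
constructed, cut-down version of the responses quoted in the article so the
trace runs offline; `fetch` stands in for an HTTP client.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect iframe/frame targets and script/img sources from a page."""

    def __init__(self):
        super().__init__()
        self.frames, self.resources = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return
        if tag in ("iframe", "frame"):
            self.frames.append(src)
        elif tag in ("script", "img"):
            self.resources.append(src)


# <meta HTTP-EQUIV="refresh" content="0.1;URL=/URLAsk/">, also when it sits
# inside a document.write("...") string with \" escapes, as on 61.51.18.112.
_META_REFRESH = re.compile(
    r'http-equiv=\\?"refresh\\?"\s+content=\\?"\s*[\d.]+\s*;\s*url=([^"\\>]+)',
    re.IGNORECASE)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def next_hop(url, status, headers, body):
    """Where one response sends the browser next, plus the third-party hosts
    the page pulls in.  Returns (next_url or None, third_party_hosts)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES and "location" in headers:
        return urljoin(url, headers["location"]), set()
    m = _META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1)), set()
    p = _RefCollector()
    p.feed(body)
    own = urlsplit(url).hostname
    third = {urlsplit(urljoin(url, r)).hostname for r in p.resources}
    third = {h for h in third if h and h != own}
    return (urljoin(url, p.frames[0]) if p.frames else None), third


def trace(fetch, start, max_hops=10):
    """Follow the chain from `start`.  fetch(url) -> (status, headers, body),
    or None once the URL leaves the set we can fetch.  Returns (hops, hosts)."""
    hops, third_party, url = [start], set(), start
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            break
        nxt, hosts = next_hop(url, *resp)
        third_party |= hosts
        if nxt is None or nxt in hops:      # dead end or loop
            break
        hops.append(nxt)
        url = nxt
    return hops, sorted(third_party)


# --- constructed samples, trimmed from the article's captures ---------------
WILDCARD_PAGE = (
    '<html><head><style>body{margin:0px;padding:0px;overflow:hidden;}</style></head>'
    '<body><iframe name="iframe0" src="http://www.jcdh.cn/1.html?url=www.chinatesttestest.com/"'
    ' WIDTH="100%" HEIGHT="100%" FRAMEBORDER="0" /></body></html>')
JCDH_PAGE = (
    '<html><head><script src="http://xxxxxx.bobodogs.com/1.shtml"></script></head>'
    '<body><h1>The page cannot be displayed</h1>'
    '<script src="http://js.users.51.la/549643.js"></script></body></html>')
TONGKE_PAGE = (
    '<Script language="JavaScript">document.write("<HTML>");'
    'document.write("<META HTTP-EQUIV=\\"refresh\\" content=\\"0.1;URL=/URLAsk/\\">")'
    'document.write("<title>No Page Found</title></head>");</Script>')
SAMPLE_RESPONSES = {
    "http://202.108.251.215/": (200, {"Content-Type": "text/html"}, WILDCARD_PAGE),
    "http://www.jcdh.cn/1.html?url=www.chinatesttestest.com/": (200, {"Content-Type": "text/html"}, JCDH_PAGE),
    "http://61.51.18.112/": (200, {"Content-Type": "text/html;charset=ISO-8859-1"}, TONGKE_PAGE),
    "http://61.51.18.112/URLAsk/": (302, {"Location": "http://auto.search.msn.com/response.asp?MT=testtest3&rov=&utf8"}, ""),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    for start in ("http://202.108.251.215/", "http://61.51.18.112/"):
        hops, hosts = trace(sample_fetch, start)
        print(" -> ".join(hops), "| third-party:", hosts)
```

The trace stops at the first URL the fetcher cannot serve, which is how the 0x6 chain ends at auto.search.msn.com without actually contacting it; the first chain ends at jcdh.cn with bobodogs.com and 51.la recorded as the hosts that page loads, matching the script tags in the step 3 response.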