Since yesterday, our whole dormitory block has been hit by web page hijacking: every page we browse is forcibly redirected to a certain IP, which then loads the page the user actually wanted inside an iframe. DNS hijacking is ruled out (I use the OpenDNS service), so the only explanation left is... someone is tampering with the traffic stream directly.
The IP is from here in Nanchang; this is the whois information:
Genbox ~ # whois 59.55.140.243
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 59.52.0.0 - 59.55.255.255
netname: CHINANET-JX
descr: CHINANET Jiangxi province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: JN113-AP
remarks: service provider
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-IP-WWF
changed: hm-changed@apnic.net 20050208
source: APNIC
role: JXDCB NET
address: DATA COMMUNICATION BUREAY
address: NO.39,YANJIANG NORTH ROAD,NANCHANG,JIANGXI
country: CN
phone: +86 791 6730586
fax-no: +86 791 6707755
e-mail: hostmaster@public1.nc.jx.cn
trouble: send spam reports to hostmaster@public1.nc.jx.cn
trouble: and abuse reports to hostmaster@public1.nc.jx.cn
admin-c: XY1-AP
tech-c: WZ1-CN
tech-c: WW49-AP
nic-hdl: JN113-AP
remarks: http://www.online.jx.cn
notify: hostmaster@public1.nc.jx.cn
mnt-by: MAINT-IP-WWF
changed: hm-changed@apnic.net 20020812
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
I called 10000 (the Telecom hotline); they either asked whether I had a trojan or told me to upgrade my browser... Do I look like that kind of clueless user? I am probably the only one alert enough to have noticed this. The explanations I can think of: either Telecom did this internally, or Telecom got hacked.
With no other option, for now I can only block these two IPs with iptables:
iptables -A INPUT -s 59.55.140.243 -j REJECT
iptables -A INPUT -s 59.55.140.239 -j REJECT
iptables -A OUTPUT -d 59.55.140.243 -j REJECT
iptables -A OUTPUT -d 59.55.140.239 -j REJECT
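As an added example (not from the original post), the following Python checks for the symptom described at the top: a response that arrives from a host other than the one requested, often a bare IP, and whose body is nothing but an iframe loading the page the user asked for. The hijack host 198.51.100.7 used in the test is a constructed documentation address, not a real one.

```python
# Added example: detect an iframe-wrapping redirect hijack. Standard library only.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeScanner(HTMLParser):
    """Collect iframe src attributes and count visible text outside tags."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def is_bare_ip(host):
    """True if the host part is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect_iframe_hijack(requested_url, final_url, body):
    """Return a list of findings; an empty list means the response looks genuine."""
    findings = []
    req_host = urlparse(requested_url).hostname
    fin_host = urlparse(final_url).hostname
    # Symptom 1: the browser ended up on a different host than it asked for.
    if fin_host != req_host:
        findings.append("redirected to different host: %s" % fin_host)
        if is_bare_ip(fin_host):
            findings.append("final host is a bare IP address")
    # Symptom 2: the body is an almost text-free shell around the requested site.
    scanner = _IframeScanner()
    scanner.feed(body)
    for src in scanner.iframe_srcs:
        if urlparse(src).hostname == req_host and scanner.text_chars < 50:
            findings.append("page is an iframe wrapper around %s" % src)
    return findings
```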
Telecom, oh Telecom... Is there any hacker expert out there who can help hack the host at that IP and swap in my Google ads? We'll split the income!