这是在 k8s 的某个 pod 里执行的 curl 命令,结果被劫持到了 http://144.dragonparking.com。
而且是偶发的:有段时间会被劫持,有段时间又正常。
在宿主机上执行 curl 从未出现过劫持。
这种劫持是怎么实现的?
以下是劫持返回的 html
<!-- Parking page served in place of the intended site. The title and the `domain`
     variable name tencentcloudapi.com; every other value is a tracking/ad-config
     global consumed by the external js3.js script loaded below. -->
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>tencentcloudapi.com</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <script type='text/javascript' language='JavaScript'>
// Hijacked domain as the page sees it.
var domain = 'tencentcloudapi.com';
// Base64-looking per-visit identifier; contents not decoded here — presumably
// ties this page view to the later /ls.php call and redirect. TODO confirm.
var uniqueTrackingID = 'MTY4NTU3OTcwNi4xODgzOmZlODk3NWU3ODcyMjg1MDg2YWNlZGU1NTM5YWZlMTBmNDFmMWQyYzIzZTQ5MGY0OTA2MDE1ZTViN2I3ZDEwYTU6NjQ3N2U3YmEyZGZiOA==';
// false here, so the track_onclick branch in the onload handler is inactive
// unless the external script changes it.
var clickTracking = false;
var themedata = ''; var xkw = ''; var xsearch = ''; var xpcat = ''; var bucket = ''; var clientID = ''; var clientIDs = ''; var num_ads = 0; var adtest = 'off';
// Empty, so the ls() request below resolves to '/ls.php?...' on whichever host
// served this page (i.e. the hijacking resolver's target, not a fixed third party).
var scriptPath = '';
</script>
<!-- Third-party script fetched from a CloudFront distribution; a curl client never
     fetches or runs it, only browsers do. -->
<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script> </head>
<body>
<script type="text/javascript">
// NOTE(review): this body is what the poisoned DNS answer serves back. curl does
// not execute JavaScript, so for the pod's curl the damage is the wrong answer
// itself; the code below only matters for browser clients that land here.
//
// ls(): background GET to <path>/ls.php with a fixed token; on completion the
// reply body is parsed as JSON and dumped to the console. No result is used.
var ls = function(xhr, path, token) {
xhr.onreadystatechange = function () {
if (xhr.readyState === XMLHttpRequest.DONE) {
// 400 is treated as success here (`<= 400`, not `< 400`).
if (xhr.status >= 200 && xhr.status <= 400) {
if (xhr.responseText.trim() === '') {
return;
}
// JSON.parse is unguarded: a non-JSON body throws inside the handler.
console.log(JSON.parse(xhr.responseText))
} else {
console.log('There was a problem with the request.');
}
}
}
// The 'ls.php' filename is assembled from two string pieces — presumably to avoid
// matching a simple signature on the literal; TODO confirm. `t` is a fixed hex
// value and `token` is the constant passed from the call site below.
xhr.open('GET', path + '/ls.p' + 'hp?t=6477e7ba&token=' + encodeURI(token), true);
xhr.send();
};
// scriptPath is '' in the head script, so the request goes to the serving host.
ls(new XMLHttpRequest(), scriptPath, '098d33e1ee92577488c3f7c512742c23d15f6952');
</script>
<script type='text/javascript' language='JavaScript'>
// On load: optional click tracking (clickTracking is false in the head script, so
// this branch is dead unless the external script changes it), then an unconditional
// navigation of the TOP-LEVEL window — `top.location`, not just this frame — to
// 144.dragonparking.com. The query carries the hijacked site name, a value that
// looks like a Unix timestamp, an opaque `s` value and a parkingcrew.net URL.
window.onload = function() {
if(clickTracking && typeof track_onclick == 'function') track_onclick("8738cf3b6b543a07139579dbbd0fc3fa531854b6");
top.location.href = "http://144.dragonparking.com/?site=tencentcloudapi.com&t=1685579706&s=26356433e9449717b0e51e87ffb4349a&fs=http%3A%2F%2Fc.parkingcrew.net%2F%3Fdomain_name%3Dtencentcloudapi.com";
};
</script>
</body>
</html>
ysc3839 2023-06-02 13:10:26 +08:00 via Android
建议宿主机抓包看看
quxuanxuan OP @ysc3839 找到原因了:是 DNS 解析的问题,这个域名在 DNS 搜索域(search domain)下也能被解析到。