中国电信DNS劫持带来的ADWAY恶意广告

相关信息可以用 Google 搜索,关键字:ADWAY恶意广告、www.izptec.com

相关链接

http://bbs.rockbeer.org/redirect.php?tid=1241669484&goto=lastpost

http://www.admin5.com/article/20100601/238050.shtml

http://dongxi.net/b02Mr

http://www.lidiansoft.com/blog/post/1133.html

http://bbs.drpc.cn/viewthread.php?tid=128&page=1

http://www.315ts.net/archive/tousu/2010/1008/888273.shtml

http://www.dongqifei.com/tag/%E6%B5%81%E6%B0%93%E5%B9%BF%E5%91%8A/

http://space.scmlife.com/home-space-uid-12-do-blog-id-1.html

http://bbs.chinaunix.net/viewthread.php?tid=1794483


最近浏览某游戏论坛发现右下角一直出现一个flash广告,刚开始并未太注意这个广告,以为是这个游戏论坛所加载的.后来我在这个游戏论坛询问是否有加载类似广告时,相关人员给予了否定.因为也没什么大碍,就没去关注了..
直到今天偶然从另外一个站点跳转到这个游戏论坛时,发现又弹出了这个flash广告,如图:

使用工具查看后发现如下代码

如图所示

[php]

<!-- NOTE(review): DOM as captured by the author's inspection tool. The tags are not well-formed
     (unclosed <head> and <script>), so this is presumably an inspector view, not the raw HTTP response. TODO confirm.
     Visible elements:
     - #fulliframe: a 100% x 100% iframe whose src is empty in this capture; presumably the requested page
       is rendered inside it (not shown here).
     - ads.js from 124.232.136.147: the query string carries the visited URL (o_url=bbs.duowan.com/forum-7-1.html)
       together with uid/pid style identifiers.
     - asd.js from 59.51.96.35, loaded with defer.
     - #pzi_container: a 300x290 absolutely positioned box at the bottom right (z-index 100), matching where
       the author saw the Flash ad.
     - a 1x1 iframe that loads impression.html and passes the visited URL plus a random value.
     Every third-party resource here is fetched over plain HTTP from a bare IP address; these hosts and paths
     are the indicators to look for in proxy or browser logs. -->
<html debug="true">
<head>
<body>
<iframe id="fulliframe" lang="utf-8" name="fulliframe" src="" width="100%" height="100%" marginheight="0" marginwidth="0" frameborder="0"/>
<script language="JavaScript" type="text/javascript">
<script src="http://124.232.136.147/pagead/ads.js?umask=26&interval=600&vask=3364566430&uid=1800260239&pid=72057923437190054&o_url=bbs.duowan.com/forum-7-1.html&aname=00007703&ic=00007488&vh=00007494,512|00007411,319|00007488,270|00007484,229|00007414,116|00007417,93|00008502,90|00007470,87&ipc_type=CTN&ipc_nid=0" language="javascript" type="text/javascript"/>
<script src="http://59.51.96.35/10092002/images/asd.js" type="text/javascript" defer=""/>
<div id="pzi_container" style="position: absolute; z-index: 100; bottom: 0px; right: 16px; display: block; width: 300px; height: 290px; background-color: transparent; ">
<iframe width="1" height="1" style="background-color: transparent; " allowtransparency="true" frameborder="0" scrolling="no" src="http://59.51.96.35/10092002//impression.html?http://bbs.duowan.com/forum-7-1.html&random=0.4169298824854195"/>
</body>
</html>

[/php]

我们看到这样几句代码

[php]

<script src="http://124.232.136.147/pagead/ads.js?umask=26&interval=600&vask=3364566430&uid=1800260239&pid=72057923437190054&o_url=bbs.duowan.com/forum-7-1.html&aname=00007703&ic=00007488&vh=00007494,512|00007411,319|00007488,270|00007484,229|00007414,116|00007417,93|00008502,90|00007470,87&ipc_type=CTN&ipc_nid=0" language="javascript" type="text/javascript"/>

[/php]
[php]<script src="http://59.51.96.35/10092002/images/asd.js" type="text/javascript" defer=""/>[/php]
[php]<iframe width="1" height="1" style="background-color: transparent; " allowtransparency="true" frameborder="0" scrolling="no" src="http://59.51.96.35/10092002//impression.html?http://bbs.duowan.com/forum-7-1.html&random=0.4169298824854195"/>[/php]

经过测试 
http://59.51.96.35/10092002/
这个链接打开后右下角便会弹出flash广告,看来某些人士就是iframe了这个页面.
查看http://59.51.96.35/10092002//impression.html 这个页面代码后
发现如下代码

[php]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
</head>
<body >
<!-- NOTE(review): the span is display:none, so nothing in it is drawn, but the scripts still run and the
     image is still requested. It holds three statistics beacons (w.cnzz.com, t.dkgtv6.com, s17.cnzz.com)
     and one inline script that reports back to 124.232.136.147. -->
<span style="display:none">
<script src='http://w.cnzz.com/c.php?id=30037064&l=3' language='JavaScript' charset='gb2312'></script>

<img src=http://t.dkgtv6.com/count/count.com.php?website=1100571&image=countlogo1.gif alt="站内统计" style="border:0"/>

<script src="http://s17.cnzz.com/stat.php?id=2454504&web_id=2454504" language="JavaScript"></script>

<script type="text/javascript" language="javascript">
// search and idx are assigned here but never read in the visible code.
var search = window.location.search;
var idx = search.indexOf("&random=");
// Writes an <img> whose URL points at the ad server with umask=1; click.html sends the same request
// with umask=0, so the flag presumably separates impressions from clicks (TODO confirm).
document.write("<img src='http://124.232.136.147/pagead/ads?umask=1&ad_url=http://59.51.96.35/10092002/images/asd.js&website=4ca42a39' />");
</script>
</span>

<script type="text/javascript">
/*
(function(){
var PZI = window.PZI = window.PZI || {};
var doubleclick = "http://www.izptec.com";
window.setTimeout("PZI.popWindow()",10);
var poped = false;
function addListener(element, e, fn)
{
element.addEventListener ? element.addEventListener(e, fn, false) : element.attachEvent("on" + e, fn)
}

function removeListener(element, e, fn)
{
element.removeEventListener ? element.removeEventListener(e, fn, false) : element.detachEvent("on" + e, fn)
}
function pop()
{
var adw = window.open('about:blank');
//adw.blur();
//adw.opener.focus();
adw.location = doubleclick;
var win = top.frames[0];
if(win.document.body)
{
removeListener(win.document.body, "click", arguments.callee);
poped = true;
}
return adw;
}
PZI.popWindow = function()
{
try
{
pop();
}
catch(ex)
{
var win = top.frames[0];
if(win.document.body)
{
addListener(win.document.body, "click", pop);
}
};
};
})();
*/
</script>
</body>
</html>

[/php]

其中

[php]<span style="display:none">[/php]

即 display:none,把其中的内容隐藏起来不在页面上显示,但里面的统计脚本仍会执行。

原来有个 Philips促销上海 这么个玩意在捣鬼..
好,我点击那个广告看看
飞利浦剃须刀的..嗯嗯

立即跳转到这个地址
http://59.51.96.35/10092002//click.html

如下代码

[php]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
<script type="text/javascript" language="javascript">
/**
 * Invoked from <body onload="loadCallBack()"> on click.html.
 * Navigates the current window to an ad-emea.doubleclick.net "clk" URL whose trailing part
 * is the adtpl.360buy.com promotion page, so the visit passes through DoubleClick before
 * reaching the advertiser. Takes no arguments and returns nothing.
 */
function loadCallBack()
{
window.location = "http://ad-emea.doubleclick.net/clk;228658714;54655887;e?http://adtpl.360buy.com/uploads/promotion/promotion-tpl/2010/09/2010092500004.html?origin=1_cn_zh_3dshaver_adsl_p1360shanghai_300x250";
}
</script>
</head>
<body onload="loadCallBack()">
<!-- NOTE(review): hidden (display:none) tracking block of click.html. It loads the count.js counter from
     t.dkgtv6.com, two cnzz.com counters, and an inline script that reports to 124.232.136.147.
     The cnzz ids (30037066, 2454520) differ from the ones on impression.html. -->
<span style="display:none">
<!-- phpstat.net -->
<script language="JavaScript" type="text/javascript">
var _PCSWebSite="1100571";
var _PCSImage="countlogo1.gif";
</script>
<script language="JavaScript" type="text/javascript" src="http://t.dkgtv6.com//count/count.js" ></script>
<!-- /phpstat.net -->

<script src='http://w.cnzz.com/c.php?id=30037066&l=3' language='JavaScript' charset='gb2312'></script>

<script src="http://s17.cnzz.com/stat.php?id=2454520&web_id=2454520" language="JavaScript"></script>

<script type="text/javascript" language="javascript">
// search and idx are assigned here but never read in the visible code.
var search = window.location.search;
var idx = search.indexOf("&random=");
// Same beacon as on impression.html, except umask=0 here instead of umask=1.
document.write("<img src='http://124.232.136.147/pagead/ads?umask=0&ad_url=http://59.51.96.35/10092002/images/asd.js&website=4ca42a39' />");
</script>
</span>
</body>
</html>

[/php]

嗯嗯跳转到 http://adtpl.360buy.com/uploads/promotion/promotion-tpl/2010/09/2010092500004.html?origin=1_cn_zh_3dshaver_adsl_p1360shanghai_300x250,并且有3个流量统计...看来是靠流量吃饭的主.

回到前面http://59.51.96.35/10092002//impression.html这个链接,看代码

[php]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
</head>
<body>
<!-- NOTE(review): hidden (display:none) tracking block of impression.html: three statistics beacons
     (w.cnzz.com, t.dkgtv6.com, s17.cnzz.com) plus an inline script that reports to 124.232.136.147. -->
<span style="display:none">
<script src='http://w.cnzz.com/c.php?id=30037064&l=3' language='JavaScript' charset='gb2312'></script>

<img src=http://t.dkgtv6.com/count/count.com.php?website=1100571&image=countlogo1.gif alt="站内统计" style="border:0"/>

<script src="http://s17.cnzz.com/stat.php?id=2454504&web_id=2454504" language="JavaScript"></script>

<script type="text/javascript" language="javascript">
// search and idx are assigned here but never read in the visible code.
var search = window.location.search;
var idx = search.indexOf("&random=");
// Writes an <img> beacon to the ad server, flagged umask=1.
document.write("<img src='http://124.232.136.147/pagead/ads?umask=1&ad_url=http://59.51.96.35/10092002/images/asd.js&website=4ca42a39' />");
</script>
</span>

<!-- NOTE(review): everything between /* and */ in the script below is commented out, so none of it
     executes in this capture. Read as code, it would do the following:
     - setTimeout is passed the string "PZI.popWindow()", which is evaluated as code after 10 ms.
     - pop() opens about:blank in a new window and then points that window at http://www.izptec.com.
     - popWindow() calls pop(); if pop() throws (presumably when the popup is blocked and window.open
       returns null, TODO confirm), it registers pop as a click handler on top.frames[0].document.body,
       so the window would open on the next click inside that frame.
     - addListener / removeListener pick addEventListener or attachEvent depending on what the element offers.
     - the poped flag is set in pop() but never read in the visible code. -->
<script type="text/javascript">
/*
(function(){
var PZI = window.PZI = window.PZI || {};
var doubleclick = "http://www.izptec.com";
window.setTimeout("PZI.popWindow()",10);
var poped = false;
function addListener(element, e, fn)
{
element.addEventListener ? element.addEventListener(e, fn, false) : element.attachEvent("on" + e, fn)
}

function removeListener(element, e, fn)
{
element.removeEventListener ? element.removeEventListener(e, fn, false) : element.detachEvent("on" + e, fn)
}
function pop()
{
var adw = window.open('about:blank');
//adw.blur();
//adw.opener.focus();
adw.location = doubleclick;
var win = top.frames[0];
if(win.document.body)
{
removeListener(win.document.body, "click", arguments.callee);
poped = true;
}
return adw;
}
PZI.popWindow = function()
{
try
{
pop();
}
catch(ex)
{
var win = top.frames[0];
if(win.document.body)
{
addListener(win.document.body, "click", pop);
}
};
};
})();
*/
</script>
</body>
</html>

[/php]

好的! 被我看到 这个.http://www.izptec.com 
这个是什么网站呢?

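电信的狗啊...速度换DNS..看来是DNS劫持无疑了...
不过从上面抓到的代码看,原页面似乎是被套进 fulliframe、再插入广告脚本的,这种现象也可能是链路上直接改写了明文 HTTP 响应;如果是这样,只换DNS未必能去掉广告,换完之后需要再验证一下。走HTTPS的站点一般不受这类改写影响。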
