A thorough investigation of the ads that appear when browsing Blog Park on a mobile phone!


Background:

I don't know why, but I have been browsing Blog Park on my mobile phone more often.

I also don't know since when, but browsing came to look like this, a full screen of advertisements:

There is little enough space on the phone, and two-thirds of it is ads, I!!!!!

So I kept searching for the truth!!!

1: Suspected the rewards plugin:

Careful netizens will notice that I have removed the rewards plugin and replaced it directly with the following two pictures.

When I first discovered the ads, my thinking was this:

A: Other people's blogs basically have no ads. B: Only my blog has ads. C: They do not appear on the computer, only on the mobile phone.

Therefore, I suspected that a third-party URL linked from my blog was triggering them.

So I investigated thoroughly and found the JS of the third-party rewards plugin that I had included.

The magical thing is, when I deleted the JS and saved, the ads unexpectedly disappeared!!!

So I got a little angry: an open-source JS, secretly inserting ads?

At one point I wanted to write a post to blast this behavior!

But to write that post it is necessary to have evidence, so I had to get the source code and find it there!

So I built a new demo page, included the JS, and opened it in the mobile browser, expecting the ads to show up, and unexpectedly there were none????

What happened to my expectations?

So I looked further around Blog Park, at other blogs that reference the plugin.

Browsing them on the mobile phone, I found that those blogs did not show the ads!!!

Since the ads no longer showed, I let it go; I would no longer include the JS and replaced it with pictures!!!

2: Suspected the landlord's network or the telecom network:

After only 1-2 days the ads came back, and more and more of them, from the original 1/3 of the screen to the present 2/3 of the screen.

I remember that a long time ago I wrote an article: A brief talk on broadband providers' pop-up ads and website response strategies (the evolution of DNS hijacking)

Therefore, since it is not a third-party plugin, there is reason to believe that the network is being hijacked!

And with hijacking on the mobile side I am helpless, because on the computer I can still write some software or change the hosts file to block it, but on the mobile phone ... alas!

Endure!!! Later I @-mentioned Dudu in the Flash, hoping it could be handled at the source.

The feedback from Dudu is this:

But one thing last night made me wonder whether it was that simple.

When I visited another region (a different telecom network), the ad was there too, and it was exactly the same.

I think that even when operators push ads, they do it in a fragmented way, in scattered small groups; it is impossible for them to do it at a city level.

But there is no way to prove it.

3: Second-round suspect: the CNZZ plugin

I say second-round because, among the suspected plugins, the only one my blog still includes is the CNZZ plugin.

Just now, after 1 o'clock at night, I could not sleep, browsed on the mobile phone, and again saw full-screen ads. FURIOUS!!!!!

Never mind lying in bed; I got up and turned on the computer. This must be thoroughly investigated!!!!

I opened Fiddler to trace the traffic, but found that nothing was intercepted (probably because Fiddler listens on 127.0.0.1; I didn't think about it).

Then I opened the Autumn Ad Killer project:

Although it is now retired and not much maintained, its best use today is intercepting and debugging requests from the phone.

Run the software:

By default it listens on port 8888, and in debug mode it outputs all requested URLs:

Then set up the proxy on the phone:

Then I browsed my own blog on the phone and looked at the information in the Output window:

    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    "Autumn ad killer.exe" (Managed): Loaded "F:\Code\open source code\adkiller\adkiller\bin\debug\Autumn ad killer.exe", symbols loaded.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\System.XMl\2.0.0.0__b77a5c561934e089\system.xml.dll", symbol loading skipped. The module has been optimized and the debugger option "Just My Code" is enabled.
    A first chance exception of type "System.Net.Sockets.SocketException" occurred in "System.dll"
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_zh-chs_b77a5c561934e089\mscorlib.resources.dll", symbol not loaded.
    "Autumn ad killer.exe" (Managed): Loaded "C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_zh-CHS_b77a5c561934e089\System.resources.dll", symbol not loaded.
    A first chance exception of type "System.ArgumentException" occurred in "mscorlib.dll"
    A first chance exception of type "System.ArgumentException" occurred in "mscorlib.dll"
    Thread 0X1ADC has exited with a return value of 0 (0x0).
    99,100
    Thread 0x1188 has exited with a return value of 0 (0x0).
    99,100
    99,100
    99,100
    A first chance exception of type "System.Net.Sockets.SocketException" occurred in "System.dll"
    2016/11/24 1:37:28:http://WWW.CNBLOGS.COM/CYQ1162/
    98,100
    2016/11/24 1:37:28:http://www.cnblogs.com/cyq1162/mvc/blog/sidecolumn.aspx?BLOGAPP=CYQ1162
    97,100
    96,100
    2016/11/24 1:37:28:http://www.cnblogs.com/mvc/blog/getblogsideblocks.aspx?blogapp=cyq1162&showflag=showrecentcomment,showtopviewposts,showtopfeedbackposts,showtopdiggposts
    95,100
    2016/11/24 1:37:28:http://common.cnblogs.com/script/jquery.js
    94,100
    2016/11/24 1:37:28:http://s20.cnzz.com/stat.php?id=5244184&web_id=5244184
    92,100
    2016/11/24 1:37:28:http://www.cnblogs.com/skins/nature/bundle-nature.css?v=SMSMQROZAMYRZ003URLSZZQQISVE_YMEDYPY07GKHPW1
    95,100
    2016/11/24 1:37:29:http://www.cnblogs.com/skins/nature/images/POST_TITLE.JPG
    94,100
    2016/11/24 1:37:29:http://www.cnblogs.com/skins/nature/bundle-nature-mobile.css?v=HF5SYJMC3ZJ_0XF2A1TD3TONPOPUCYJX2ZHMZHDAHN81
    95,100
    2016/11/24 1:37:29:http://www.cnblogs.com/images/xml.gif
    2016/11/24 1:37:29:HTTP://WWW.CNBLOGS.COM/BLOG/CUSTOMCSS/20967.CSS?V=WCLRVDDPRMDYB+EEEB+WXGJ0PSA=
    95,100
    96,100
    2016/11/24 1:37:30:http://www.cnblogs.com/bundles/blog-common.js?v=hh1lcmv8waiu271nx7jpuv36tenw9-rssxzilxupjtc1
    95,100
    2016/11/24 1:37:30:http://www.cnblogs.com/bundles/blog-common.css?v=rdf1bbtts5_Qvaet1myrajvtd62bsccoja9fzxgv1zm1
    94,100
    A first chance exception of type "System.Net.Sockets.SocketException" occurred in "System.dll"
    94,100
    Thread 0x1bac has exited with a return value of 0 (0x0).
    97,100
    Thread 0x694 has exited with a return value of 0 (0x0).
    Thread 0x1ae0 has exited with a return value of 0 (0x0).
    Thread 0x12b8 has exited with a return value of 0 (0x0).
    97,100
    97,100
    97,100
    97,100
    2016/11/24 1:38:29:http://www.cnblogs.com/skins/nature/images/bg.gif
    96,100
    2016/11/24 1:38:29:HTTP://WWW.CNBLOGS.COM/MVC/BLOG/NEWS.ASPX?BLOGAPP=CYQ1162
    95,100
    2016/11/24 1:38:29:http://WWW.CNBLOGS.COM/MVC/BLOG/CALENDAR.ASPX?BLOGAPP=CYQ1162&DATESTR=
    94,100
    2016/11/24 1:38:29:http://WWW.CNBLOGS.COM/CYQ1162/MVC/BLOG/SIDECOLUMN.ASPX?BLOGAPP=CYQ1162
    93,100
    2016/11/24 1:38:29:http://gzs20.cnzz.com/stat.htm?id=5244184&r=&lg=zh-cn&ntime=1479921109&cnzz_eid=1678838998-1457592648-http://ing.cnblogs.com/&showp=375x667&t=Passing Autumn-blog Park&h=1&rnd=458904010
    92,100
    2016/11/24 1:38:29:http://A.LIUZHI520.COM/RT_ZM/RT_ADJS_COMMON.PHP?ID=10153
    90,100
    2016/11/24 1:38:29:http://ix.hao61.net/d.js?cid=10153&UMAC=00:1B:33:28:AC:92&DMAC=6C:19:8F:D1:A0:F6
    89,100
    2016/11/24 1:38:29:http://wpa.qq.com/pa?p=2:272657997:41&r=0.30709030851721764
    88,100
    Thread 0xc74 has exited with a return value of 0 (0x0).
    2016/11/24 1:38:29:http://rcv.union-wifi.com/hm.gif?from=15000&_cid=10153&_dmac=6c198fd1a0f6&_umac=001b3328ac92&_ctype=mb&_black=false&url=http://www.cnblogs.com/cyq1162/&_u=1479922708766-0
    Thread 0x184 has exited with a return value of 0 (0x0).
    88,100
    2016/11/24 1:38:29:http://cpro.baidustatic.com/cpro/ui/dm.js
    Thread 0x1a68 has exited with a return value of 0 (0x0).
    87,100
    2016/11/24 1:38:29:http://pub.idqqimg.com/qconn/wpa/button/button_11.gif
    Thread 0xf6c has exited with a return value of 0 (0x0).
    86,100
    88,100
    2016/11/24 1:38:30:http://www.cnblogs.com/skins/nature/images/bg_day.jpg
    Thread 0x17b8 has exited with a return value of 0 (0x0).
    87,100
    2016/11/24 1:38:30:http://www.cnblogs.com/mvc/blog/getblogsideblocks.aspx?blogapp=cyq1162&showflag=Showrecentcomment,showtopviewposts,showtopfeedbackposts,showtopdiggposts
    Thread 0x1730 has exited with a return value of 0 (0x0).
    90,100
    2016/11/24 1:38:30:http://www.cnblogs.com/skins/nature/images/banner.gif
    90,100
    Thread 0xf9c has exited with a return value of 0 (0x0).
    2016/11/24 1:38:30:http://www.cnblogs.com/skins/nature/images/tit_list.jpg
    Thread 0xb38 has exited with a return value of 0 (0x0).
    92,100
    2016/11/24 1:38:31:http://www.cnblogs.com/skins/nature/images/line.jpg
    Thread 0x16a4 has exited with a return value of 0 (0x0).
    2016/11/24 1:38:31:http://www.cnblogs.com/skins/nature/images/top.gif
    Thread 0x1934 has exited with a return value of 0 (0x0).
    92,100
    2016/11/24 1:38:31:http://www.cnblogs.com/mvc/follow/getfollowstatus.aspx?bloguserguid=2a5e360b-63cf-dd11-9e4d-001cf0cd104b&_=1479922708661
    93,100
    Thread 0x1044 has exited with a return value of 0 (0x0).
    2016/11/24 1:38:32:http://www.cnblogs.com/skins/nature/images/top_menu.gif
    Thread 0XEFC has exited with a return value of 0 (0x0).

From the output URLs, you can see:

Starting from gzs20.cnzz.com, several jumps to unknown websites begin to appear, and finally the ad comes out.
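One way to repeat this reading of the proxy output mechanically, as an added example (not the author's code and not part of the Autumn Ad Killer project): it parses "date time:URL" request lines and flags hosts outside an expected set. The expected-host list is an assumption, and the sample lines are constructed from hostnames in the output above with shortened query strings.

```python
import re
from urllib.parse import urlsplit

# Hosts the blog owner knowingly references (assumption made for this example).
EXPECTED_SUFFIXES = ("cnblogs.com", "cnzz.com")

# Constructed sample in the proxy's "date time:URL" format; hostnames come from
# the output above, query strings are shortened.
SAMPLE_LOG = """\
2016/11/24 1:38:29:http://www.cnblogs.com/skins/nature/images/bg.gif
97,100
2016/11/24 1:38:29:http://gzs20.cnzz.com/stat.htm?id=5244184
2016/11/24 1:38:29:http://A.LIUZHI520.COM/RT_ZM/RT_ADJS_COMMON.PHP?ID=10153
2016/11/24 1:38:29:http://ix.hao61.net/d.js?cid=10153
Thread 0x184 has exited with a return value of 0 (0x0).
2016/11/24 1:38:29:http://rcv.union-wifi.com/hm.gif?from=15000&url=http://www.cnblogs.com/cyq1162/
2016/11/24 1:38:30:http://www.cnblogs.com/skins/nature/images/banner.gif
"""

LINE_RE = re.compile(r"^(\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{2}:\d{2}):(https?://\S+)$")

def parse(log):
    """Yield (timestamp, url) for request lines; counters and debugger noise are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def is_expected(host):
    """Match on a dot boundary so 'evilcnblogs.com' does not pass as 'cnblogs.com'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def unexpected_requests(log):
    """Return [(timestamp, host, last_expected_host_seen_before)] for unknown hosts."""
    findings, last_expected = [], None
    for ts, url in parse(log):
        # Only the request's own host counts, not a site name inside ?url=...
        host = urlsplit(url).hostname or ""
        if is_expected(host):
            last_expected = host
        else:
            findings.append((ts, host, last_expected))
    return findings

if __name__ == "__main__":
    for ts, host, prev in unexpected_requests(SAMPLE_LOG):
        print(f"{ts}  unexpected host {host}  (last expected request: {prev})")
```

The last expected host is only a hint about ordering in the log; it does not prove which script loaded the unexpected one.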

When I wanted to refresh again to debug the output of each file, I found that the ads had disappeared. It is so sensitive!!!

Search for CNZZ ads:

Information about CNZZ ads can be found everywhere on the Internet:

But is it the truth?

Based on my basic knowledge, I can judge with 90% certainty that it is the source, but, yes, but oh ~ ~ ~

4: Suspected that DNS was hijacked!

I checked: the computer has no DNS set, while on the phone I had set 8.8.8.8,4.4.4.4

There are also reports on the Internet that 8.8.8.8 itself may be hijacked.

Finally, the possibility is that it only happens after DNS hijacking and when a statistics plugin is present, and it is random!

Summary:

The way this ad is inserted is too tricky, and it reacts very sensitively: as soon as it senses someone checking, it automatically disappears.

As long as a blog post is re-saved, the ads disappear for a while.

Although I have made the judgments above, there is no 100% evidence to confirm them.

The current overall suspicion is: DNS + JS plugin.

The 8.8.8.8 DNS setting has now been removed; I will continue to observe!

The night is too deep; after writing this, off to sleep ~ ~ ~
