Who is controlling our browser?

Kevin's blog saw lumeng's article, although not recommended, but this article is very valuable.

Recall the first episode of The Matrix. What is the real world? What is real you?

Why can Neeao become Superman in a virtual world, because he sees through the essence that he is controlling the world?

Instead of being controlled by the world

Who is controlling our browser?

Author: 2f4f587a80c2dbbd870a46481b2b1882
Date: 2004.7.20

0. Copyright

This article complies with the GPL protocol.

1. What is the phenomenon?

Since the beginning of this year, many people have found that when Browsing some websites, the url in the address bar will be inexplicably added "? Curtime = xxxxxxxxxx "(x is a number), and an advertisement window is displayed. Many people think that this is an advertisement popped up by the website, so they do not care about it.

I am one of those very concerned.

2. What is going on?

After testing and analysis, we found that the above phenomenon has nothing to do with the browser used (we tested various popular http clients ), it has nothing to do with the operating system used (linux users also have relevant reports ). I tracked and debugged the IE browser process that encountered this phenomenon and did not find any exceptions. We can conclude that adware or spyware is not installed on the system.

Are those websites self-built? Later, we found that this problem also occurred when accessing our own website and ruled out this possibility.

The only thing that remains is that someone has installed an inject Device on one or several key network nodes and hijacked our HTTP session-I really don't want to believe this answer, the answer to this shameless and shameless question.

The great schelock Sherlock Holmes said: When everything else may be ruled out, the rest, even how incredible, must be the answer.

To verify this idea, I chose an IP address in the CIDR block near the website that once experienced the above phenomenon. Directly access the HTTP service of this IP address. Normally, there is no page, and Error 404 should be returned. I wrote a script to constantly access this IP address and record incoming and outgoing packets. When the access is performed for 120 times, end the request and view the data. In the 120 requests, 118 returned errors are normal 404 errors:

HTTP/1.1 404 Object Not Found
Server: Microsoft-Microsoft IIS/5.0
Date: Mon, 19 Jul 2004 12:57:37 GMT
Connection: close
Content-Type: text/html
Content-Length: 111

<Html> <Body> No web site is configured at this address. </body>

But twice, this is returned:

HTTP/1.1 200 OK
Content-type: text/html

<Html>
<Meta http-equiv = Pragma content = no-cache>
<Meta http-equiv = Refresh content = 0; URL =? Curtime= 1091231851>
<Script>
Window. open (http: // 211.147.5.121/DXT06-005.htm, width = 400, height = 330 );
</Script>
<Head>
<Title> </title>
</Head>
<Body>
</Body>
</Html>

Further analysis of data packets shows that the hijacking process is as follows:
A. On the side of A backbone router, there is A bypass device that listens to all the HTTP sessions that flow through. This device performs special processing for certain HTTP requests according to certain rules.

B. When an unfortunate HTTP request flows through, the device sends the prepared data to the client as a response packet based on the seq and ack of the request. This process is very fast. After the HTTP request is sent, it takes only 0.008 seconds to receive the above response. However, no normal server can respond within such a short period of time.

C. Because seq and ack have been used up by forged responses, when real server data comes in, it will be considered as an error message and will not be accepted.

D. the browser will follow <meta http-equiv = Refresh content = 0; URL =? Curtime = 1091231851> This line re-Requests the URL you want to access. This time, the real page of the request is obtained and the window. open function is called to open the advertisement window.

Using "php?" in google? Curtime "," htm? Curtime "," asp? Curtime is a keyword search, which basically appears on a Chinese website, which indicates that the problem lies in China. The device used for inject is inserted at one or several major nodes in China.

The truth is clear. We have been fooled. Internet users throughout China have become some tools for making money.

3. What should I do now?

Before a bad guy gets caught, we can consider the following methods to avoid harassment of this thing:

A. Ask the network administrator of each organization to completely block 211.147.5.121 on the network edge device.
B. Block 211.147.5.121 on your own personal firewall.
C. If your browser is FireFox, Opera, GreenBrowser, or MyIE, you can drop "http: // 211.147.5.121/*" to the pop-up window Filter list.

It's more than just advertising. It involves our choice, our freedom, and it's worse and more shameless than spam. Today is an advertisement. Tomorrow we may add an adware or virus to you When you download the software. Who knows? Our HTTP Communication is completely controlled by others.

4. How can we find the bad guy?

If you are a person with the power to investigate and handle this matter, you can consider the following technical means:

Method 1,

The spoofed response data does not process TTL. That is to say, the TTL in the response data is related to the inject device location. Take the data packet I received as an example. The actual server-side response TTL is 107, and the forged response TTL is 53. Then, 21 (128-107) nodes are passed between us and the requested server, and 11 (64-53) nodes are passed through the inject device. You only need to traceroute the requested server to get the route backtracking. The number of outgoing nodes is the place where the inject device is inserted!

Method 2:

If the bad guy saw this article and modified the TTL, we still have a solution. Search for the following keywords on google:
Php? Curtime
Htm? Curtime
Asp? Curtime
Attackers can obtain the URLs that will be accessed by inject in large numbers. Write scripts to access these URLs repeatedly to verify whether the access from your ip address will be inject. The results are indeed collected by inject, and traceroute tools are used to trace routes on different network access points. Analyze the result of backtracking.

As we have already explained above, the bad guy is installing inject devices on one or some important nodes, so this node must be somewhere between the URLs of inject and our IP addresses. For example, if A, B, C, and D are inject websites, the routing backtracing result is as follows:

MyIP-12-13-14-15-65-[89]-15-5-
MyIP-66-67-68-69-85-[89]-45-68-84-52-44-B
MyIP-34-34-36-28-83-[89]-45-63-58-64-48-41-87-C
MyIP-22-25-29-32-65-45-[89]-58-D

Obviously, the inject device is most likely in the IDC where "89" is located.

Method 3:

On the other hand, you can start by storing the 211.147.5.121 IP address in the advertising industry. The whois query result is as follows:

Inetnum: 211.147.0.0-211.147.7.255
Netname: DYNEGY-COMMUNICATION
Descr: DYNEGY-COMMUNICATION
Descr: CO. LTD
Descr: BEIJING
Country: CN
Admin-c: PP40-AP
Tech-c: SD76-AP
Mnt-by: MAINT-CNNIC-AP
Changed: hui_zh@sina.com 20011112
Status: ALLOCATED PORTABLE
Source: APNIC

Person: Pang Patrick
Nic-hdl: PP40-AP
E-mail: bill.pang@bj.datadragon.net
Address: Fl./8, South Building, Bridge Mansion, No. 53
Phone: + 86-10-63181513
Fax-n + 86-10-63181597
Country: CN
Changed: ipas@cnnic.net.cn 20030304
Mnt-by: MAINT-CNNIC-AP
Source: APNIC

Person: ShouLan Du
Address: Fl./8, South Building, Bridge Mansion, No. 53
Country: CN
Phone: + 86-010-83160000
Fax-n + 86-010-83155528
E-mail: dsl327@btamail.net.cn
Nic-hdl: SD76-AP
Mnt-by: MAINT-CNNIC-AP
Changed: dsl327@btamail.net.cn 20020403
Source: APNIC

5. Why should I write this article?

Sina provides me with peach-colored news. By the way, I can see Sina's advertisements, which are justified by nature. Or, if I install the advertisement bar of a website, the website pays me money, which is also justified by nature. However, this 211.147.5.121 forces me to watch advertisements without providing me with peach news or money, which seriously hurts my weak and young soul. In fact, you can extort money from kellins' pan, rape Cleo Pedra, bite Wang Yangming, and dig the tomb of gisi Khan. I don't care about it, but now that you are disturbing my life, I have to say a few words.