This jailbreak (JB) installs the 太極助手 (TaiG helper). Is it actually a harmful program? I looked into the related information myself.
Use whois to look up TaiG's official site:
root@tonyhack:/home/tony# whois taig.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: TAIG.COM
   Registrar: GODADDY.COM, LLC
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS3.DNSV4.COM
   Name Server: NS4.DNSV4.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 20-dec-2013
   Creation Date: 07-apr-1999
   Expiration Date: 07-apr-2015

>>> Last update of whois database: Tue, 24 Dec 2013 21:59:49 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: TAIG.COM
Registry Domain ID: 5070333_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-11-05 18:27:16
Creation Date: 1999-04-06 23:00:00
Registrar Registration Expiration Date: 2015-04-06 23:00:00
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: zhou shengjin
Registrant Organization:
Registrant Street: Beijing changping district changping road
Registrant City: Beijing
Registrant State/Province: beijing
Registrant Postal Code: 100096
Registrant Country: China
Registrant Phone: +1.3811919651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: zhou shengjin
Admin Organization:
Admin Street: Beijing changping district changping road
Admin City: Beijing
Admin State/Province: beijing
Admin Postal Code: 100096
Admin Country: China
Admin Phone: +1.3811919651
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: zhou shengjin
Tech Organization:
Tech Street: Beijing changping district changping road
Tech City: Beijing
Tech State/Province: beijing
Tech Postal Code: 100096
Tech Country: China
Tech Phone: +1.3811919651
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2013-12-24T22:00:00Z

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.
The domain was registered in 1999.
A host lookup returns several addresses, which suggests a DNSPod-style CDN is spreading the traffic:
root@tonyhack:/home/tony# host www.taig.com
www.taig.com has address 42.62.21.143
www.taig.com has address 42.62.21.144
www.taig.com has address 211.155.82.233
www.taig.com has address 211.155.82.248
www.taig.com has address 203.191.148.133
www.taig.com has address 42.62.21.140
www.taig.com has address 42.62.21.141
www.taig.com has address 42.62.21.142
Use curl to pull the URLs out of the page:
root@tonyhack:/home/tony# curl -s www.taig.com|grep -Eo "http://[^\"']+"
http://www.taig.com/wap.php
http://bbdown.iphonespirit.com/site/image/logo.ico
http://js.pingguoyingyong.com/taiji-home/css/style.css
http://www.taig.com/archives/category/news
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://www.adobe.com/go/getflash
http://bbdown.iphonespirit.com/ios/7/evasi0n7_TaiG_1.0.1.zip
http://www.taig.com/archives/category/news
http://www.taig.com/archives/575
http://bbdown.iphonespirit.com/site/docpic/gongkaixin.jpg
http://www.taig.com/archives/575
http://www.taig.com/archives/579
http://www.taig.com/archives/575
http://www.taig.com/archives/570
http://www.taig.com/archives/548
http://www.taig.com/archives/253
http://www.taig.com/archives/251
http://www.taig.com/archives/249
http://www.taig.com/archives/247
http://www.taig.com/archives/241
http://js.pingguoyingyong.com/taiji-home/js/build.js
The distribution domain of 蘋果核 is pingguoyingyong.com.
And www.kuaiyong.com turns out to be in the same IP range:
root@tonyhack:/home/tony# host www.kuaiyong.com
www.kuaiyong.com has address 117.121.11.16
root@tonyhack:/home/tony# host js.pingguoyingyong.com
js.pingguoyingyong.com has address 117.121.11.32
root@tonyhack:/home/tony# host bbdown.iphonespirit.com
bbdown.iphonespirit.com is an alias for bbdown.iphonespirit.com.51ccdn.com.
bbdown.iphonespirit.com.51ccdn.com is an alias for c01.i08.sisyun.com.
c01.i08.sisyun.com is an alias for c01.i08.cncsd.hadns.net.
c01.i08.cncsd.hadns.net has address 61.156.242.76
c01.i08.cncsd.hadns.net has address 60.18.151.6
c01.i08.cncsd.hadns.net has address 60.210.10.77
c01.i08.cncsd.hadns.net has address 61.156.157.183
Several of these URLs look suspicious. Querying them now gives results that differ from what was reported online earlier, so it looks like they have been updated:
curl -s --head -H "Host:www.kuaiyong.com" 117.121.11.32
curl -s -H "Host:www.kuaiyong.com" 117.121.11.32 | grep '<title>'
curl -s -H "Host:nosuchhost.com" 117.121.11.32 | grep '<title>'
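To turn the host/curl steps above into a repeatable check, here is an added Python example (my own code, not part of the original post or of any TaiG tooling). It extracts URLs the same way the grep pipeline did, lists the third-party hosts the page loads from, and groups resolved addresses by /24 so a "same IP range" relationship like the one between www.kuaiyong.com and js.pingguoyingyong.com is computed rather than eyeballed; probe_vhost mirrors the Host-header curl calls. The HTML fragment and the resolver table are constructed from the output quoted on the page so the script runs offline; all function names are my own.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a trimmed HTML fragment carrying the same kind of links
# the curl|grep pipeline on the page returned. Not a live fetch.
SAMPLE_HTML = """
<link rel="shortcut icon" href="http://bbdown.iphonespirit.com/site/image/logo.ico">
<link rel="stylesheet" href="http://js.pingguoyingyong.com/taiji-home/css/style.css">
<a href="http://www.taig.com/archives/category/news">news</a>
<embed src="http://static.youku.com/v1.0.0334/v/swf/player_yk.swf">
<a href="http://www.adobe.com/go/getflash">get flash</a>
<a href='http://bbdown.iphonespirit.com/ios/7/evasi0n7_TaiG_1.0.1.zip'>download</a>
<a href="http://www.taig.com/archives/575">post</a>
<script src="http://js.pingguoyingyong.com/taiji-home/js/build.js"></script>
"""

# Constructed resolver table, copied from the `host` answers quoted on the page
# so the example runs offline; swap in socket.getaddrinfo() for a live triage.
RESOLVED = {
    "www.taig.com": ["42.62.21.143", "42.62.21.144", "211.155.82.233",
                     "211.155.82.248", "203.191.148.133", "42.62.21.140",
                     "42.62.21.141", "42.62.21.142"],
    "www.kuaiyong.com": ["117.121.11.16"],
    "js.pingguoyingyong.com": ["117.121.11.32"],
    "bbdown.iphonespirit.com": ["61.156.242.76", "60.18.151.6",
                                "60.210.10.77", "61.156.157.183"],
}

# Same idea as the page's grep -Eo "http://[^\"']+", plus https and a stop at
# whitespace and angle brackets so a bare URL in text does not swallow the tag.
URL_RE = re.compile(r"https?://[^\"'<>\s]+")


def extract_urls(html: str) -> list:
    """Return the unique absolute URLs found in an HTML body, sorted."""
    return sorted(set(URL_RE.findall(html)))


def external_hosts(urls, own_host: str) -> list:
    """Hostnames the page pulls content from other than its own."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


def group_by_prefix(resolved: dict, prefixlen: int = 24) -> dict:
    """Map each /prefixlen network to the hostnames that resolve into it."""
    groups = defaultdict(set)
    for host, addrs in resolved.items():
        for addr in addrs:
            net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
            groups[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in groups.items()}


def shared_prefixes(resolved: dict, prefixlen: int = 24) -> dict:
    """Only the networks where two or more distinct hostnames land."""
    return {net: hosts
            for net, hosts in group_by_prefix(resolved, prefixlen).items()
            if len(hosts) > 1}


TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def parse_title(body: str) -> str:
    """Pull the <title> text out of a response body ('' if none)."""
    m = TITLE_RE.search(body)
    return m.group(1).strip() if m else ""


def probe_vhost(ip: str, hostname: str, timeout: float = 5.0) -> tuple:
    """Live equivalent of `curl -H "Host: ..." <ip>`: ask one IP for a given
    virtual host and return (status, title). Needs network, so it is not
    exercised by the offline sample data above."""
    import http.client
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, parse_title(body)
    finally:
        conn.close()


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_HTML)
    print("third-party hosts:", external_hosts(urls, "www.taig.com"))
    for net, hosts in shared_prefixes(RESOLVED).items():
        print(f"{net}: {', '.join(hosts)}")
```

Run as-is it reports the four third-party hosts and the one shared /24 (117.121.11.0/24, holding js.pingguoyingyong.com and www.kuaiyong.com); the bbdown CDN addresses all land in different /24s, so a shared prefix there would not be flagged. Comparing probe_vhost(ip, "www.kuaiyong.com") against a nonsense hostname on the same IP is the same test as the last two curl lines: if both return the same title, the server is not doing per-vhost routing and the Host header tells you nothing.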
Opening bbdown.iphonespirit.com earlier showed a notice, but now the page can no longer be opened and returns a 403.
My guess is that this jailbreak tool may have a commercial, paid component.