This JB installs the TaiG helper (太極助手). Is it actually a harmful program? I looked up the relevant information myself.
Use whois to look up TaiG's official site:
root@tonyhack:/home/tony# whois taig.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: TAIG.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 20-dec-2013
Creation Date: 07-apr-1999
Expiration Date: 07-apr-2015
>>> Last update of whois database: Tue, 24 Dec 2013 21:59:49 UTC <<<
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: TAIG.COM
Registry Domain ID: 5070333_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-11-05 18:27:16
Creation Date: 1999-04-06 23:00:00
Registrar Registration Expiration Date: 2015-04-06 23:00:00
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: zhou shengjin
Registrant Organization:
Registrant Street: Beijing changping district changping road
Registrant City: Beijing
Registrant State/Province: beijing
Registrant Postal Code: 100096
Registrant Country: China
Registrant Phone: +1.3811919651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: zhou shengjin
Admin Organization:
Admin Street: Beijing changping district changping road
Admin City: Beijing
Admin State/Province: beijing
Admin Postal Code: 100096
Admin Country: China
Admin Phone: +1.3811919651
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: zhou shengjin
Tech Organization:
Tech Street: Beijing changping district changping road
Tech City: Beijing
Tech State/Province: beijing
Tech Postal Code: 100096
Tech Country: China
Tech Phone: +1.3811919651
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2013-12-24T22:00:00Z
The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.
Please note: the registrant of the domain name is specified
in the "registrant" section. In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.
The domain was registered in 1999.
Querying with host suggests it is using CDN traffic distribution similar to DNSPod:
root@tonyhack:/home/tony# host www.taig.com
www.taig.com has address 42.62.21.143
www.taig.com has address 42.62.21.144
www.taig.com has address 211.155.82.233
www.taig.com has address 211.155.82.248
www.taig.com has address 203.191.148.133
www.taig.com has address 42.62.21.140
www.taig.com has address 42.62.21.141
www.taig.com has address 42.62.21.142
Use curl to pull the URLs referenced in the page:
root@tonyhack:/home/tony# curl -s www.taig.com|grep -Eo "http://[^\"']+"
http://www.taig.com/wap.php
http://bbdown.iphonespirit.com/site/image/logo.ico
http://js.pingguoyingyong.com/taiji-home/css/style.css
http://www.taig.com/archives/category/news
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://www.adobe.com/go/getflash
http://bbdown.iphonespirit.com/ios/7/evasi0n7_TaiG_1.0.1.zip
http://www.taig.com/archives/category/news
http://www.taig.com/archives/575
http://bbdown.iphonespirit.com/site/docpic/gongkaixin.jpg
http://www.taig.com/archives/575
http://www.taig.com/archives/579
http://www.taig.com/archives/575
http://www.taig.com/archives/570
http://www.taig.com/archives/548
http://www.taig.com/archives/253
http://www.taig.com/archives/251
http://www.taig.com/archives/249
http://www.taig.com/archives/247
http://www.taig.com/archives/241
http://js.pingguoyingyong.com/taiji-home/js/build.js
The distribution domain of 蘋果核 is pingguoyingyong.com,
and www.kuaiyong.com turns out to sit in the same IP range:
root@tonyhack:/home/tony# host www.kuaiyong.com
www.kuaiyong.com has address 117.121.11.16
root@tonyhack:/home/tony# host js.pingguoyingyong.com
js.pingguoyingyong.com has address 117.121.11.32
root@tonyhack:/home/tony# host bbdown.iphonespirit.com
bbdown.iphonespirit.com is an alias for bbdown.iphonespirit.com.51ccdn.com.
bbdown.iphonespirit.com.51ccdn.com is an alias for c01.i08.sisyun.com.
c01.i08.sisyun.com is an alias for c01.i08.cncsd.hadns.net.
c01.i08.cncsd.hadns.net has address 61.156.242.76
c01.i08.cncsd.hadns.net has address 60.18.151.6
c01.i08.cncsd.hadns.net has address 60.210.10.77
c01.i08.cncsd.hadns.net has address 61.156.157.183
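As an added example (not from the original post), the grep pipeline above can be turned into two shell functions: one lists the distinct hostnames a page references, the other flags hostnames whose resolved addresses share a /24, which is the "same IP range" observation made by hand above. Both run here on constructed sample input built from the addresses the post observed, so no network access is needed.

```shell
#!/bin/sh
# Added example, not part of the original post. All input below is constructed.

# Constructed HTML snippet standing in for the output of `curl -s www.taig.com`.
SAMPLE_HTML='<link rel="icon" href="http://bbdown.iphonespirit.com/site/image/logo.ico">
<link href="http://js.pingguoyingyong.com/taiji-home/css/style.css">
<a href="http://www.taig.com/archives/575">news</a>
<a href="http://www.taig.com/archives/579">more</a>
<script src="http://js.pingguoyingyong.com/taiji-home/js/build.js"></script>'

# Constructed "name address" lines standing in for `host` output, using the
# addresses the post observed.
SAMPLE_HOSTS='www.kuaiyong.com 117.121.11.16
js.pingguoyingyong.com 117.121.11.32
www.taig.com 42.62.21.143
bbdown.iphonespirit.com 61.156.242.76'

# Print each distinct hostname referenced by an http:// URL in the HTML on stdin.
# The character class stops at quotes, whitespace and angle brackets so that a
# URL embedded in an attribute does not swallow the rest of the tag.
extract_hosts() {
    grep -Eo 'http://[^"'"'"'[:space:]<>]+' \
        | sed -E 's#^http://([^/]+).*#\1#' \
        | sort -u
}

# Given "name address" lines on stdin, print every /24 prefix that is shared by
# more than one hostname, followed by the hostnames in that prefix.
shared_slash24() {
    awk '{ split($2, o, "."); p = o[1] "." o[2] "." o[3]; n[p]++; h[p] = h[p] " " $1 }
         END { for (p in n) if (n[p] > 1) print p ".0/24:" h[p] }' \
        | sort
}

# Run both functions over the constructed input.
printf '%s\n' "$SAMPLE_HTML" | extract_hosts
printf '%s\n' "$SAMPLE_HOSTS" | shared_slash24
```

Replace the two constructed variables with real `curl -s` and `host` output to repeat the check against a live page.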
Querying a few of the suspicious URLs now returns results that differ from what was found online earlier, so it looks like they have been updated:
curl -s --head -H "Host:www.kuaiyong.com" 117.121.11.32
curl -s -H "Host:www.kuaiyong.com" 117.121.11.32 | grep '<title>'
curl -s -H "Host:nosuchhost.com" 117.121.11.32 | grep '<title>'
Previously, opening bbdown.iphonespirit.com showed a notice, but the page can no longer be opened and now returns 403.
My guess is that this JB program may have a commercial, paid angle.