用 https 打开京东跳转到 https://www.joybuy.com

劫持

打开

京东

运营商

82 条回复 • 2019-09-24 17:40:39 +08:00

1

charles83

2018-11-14 08:49:33 +08:00

我也一样，已经几天了，联通光纤。

2

kupo

2018-11-14 13:24:52 +08:00

我也一样，上海电信精品网。

3

astic

2018-11-14 14:20:37 +08:00

都被运营商劫持赚钱了，黑心

4

tyhunter

2018-11-14 16:51:18 +08:00

家里北京联通+公司北京教育信息网，都出现了这个问题
前期还怀疑是不是被扩展劫持了
看来是运营商搞的鬼

5

wangjincp

OP

2018-11-14 18:43:28 +08:00

@charles83 我用 HTTPS 也是这样，我搞不懂为啥。Https 都能劫持？

6

wangjincp

OP

2018-11-14 18:44:27 +08:00

注意，我是用 https 访问都能被劫持？你们也是用的 https 吗？ @kupo @astic @tyhunter

7

rootit

2018-11-14 18:53:24 +08:00

我擦我也是这种情况一模一样，地址都一样我已经给联通打电话了

8

tyhunter

2018-11-14 20:22:46 +08:00

@wangjincp #6 HTTPS 的京东链接一样被劫持，例如我打开这个链接 https://item.jd.com/4497321.html，一样先是跳到 rtbs24.com

9

wangjincp

OP

2018-11-14 20:30:01 +08:00

@tyhunter 我开始以为是我电脑中毒了，原来大家都一样，现在 https 都能劫持了，真牛 B，有没有大佬出来解释一下？？？

10

hcwhan

2018-11-14 22:53:17 +08:00

我也是怀疑是 chrome 插件的问题

要不看下有那个插件是都装了的

11

hcwhan

2018-11-14 22:55:04 +08:00

昨天禁用全部拓展后没复现

12

rootit

2018-11-15 10:05:00 +08:00

@hcwhan 知道是哪个插件了吗

13

Emory

2018-11-15 10:58:03 +08:00

我看到一个我也有的 Enhanced Steam，
估计是这个
一开始我本来怀疑是 giveaway.su

14

Emory

2018-11-15 11:00:05 +08:00

另外 jsonview 我也有，还有一个和楼上类似的 allow copy

15

tyhunter

2018-11-15 11:06:31 +08:00

@hcwhan #10
enhanced steam
evernote web clipper
lastpass
search the cureent site
stylus
tampermonkey
ublock
v2ex plus
哔哩哔哩猜你喜欢

准备逐一禁用看看

16

tracky

2018-11-15 12:30:04 +08:00

不是运营商劫持, 应该是 chrome 插件或者油猴脚本导致的。

我测试过 IE 正常, Chrome 安全模式正常。

装的插件太多, 一个个禁用太费时间了。

关键这个触发机制不太好琢磨, 一段时间不打开京东页面(时间我也不知道多久), 再次打开才会出现。

我看了一下 10 楼的插件列表, 一样的比较多。和 15 楼再对比筛选一下, 一样的只有 lastpass, tampermonkey 和 ublock

17

Emory

2018-11-15 13:34:51 +08:00

我也有 ublock，难道是它？

18

tracky

2018-11-15 13:59:59 +08:00

@Emory 我刚才试了, 禁用 tampermonkey 依然存在, 应该就是 ublock 和 lastpass 中间的一个呢

19

Emory

2018-11-15 14:00:31 +08:00

我没有 lastpass

20

tracky

2018-11-15 14:03:59 +08:00

@hcwhan
@Emory

应该就是 ublock 的锅, 我禁用正常了, 不过 ublock 里规则比较多, 还不好说是不是规则引起的

21

tai7sy

2018-11-15 14:09:04 +08:00

@hcwhan
Proxy SwitchyOmega
tampermonkey

油猴一个脚本也没装, 难道是油猴本身劫持的?

22

charles83

2018-11-15 14:26:43 +08:00

今天没有这个现象了

23

tai7sy

2018-11-15 14:37:56 +08:00

@charles83 我刚才还被劫持, 无法重现, 怕是这个插件最近更新了? 随机劫持?

24

tracky

2018-11-15 14:42:21 +08:00

@tai7sy 你有装 ublock 吗?

25

beiousishen

2018-11-15 16:00:26 +08:00

我的 chorme 也是这样.
目前怀疑是广告终结者 3.2.7
禁用后后目前正常了.
不清楚是扩展自身还是规则.

26

mortal

2018-11-15 20:05:03 +08:00

我也是这样。密切关注

27

lspnicol

2018-11-15 22:27:56 +08:00

@beiousishen

这个跳转不是每次都跳转，是隔一段时间打开京东跳转，然后一段时间内不会再跳了，所以你得隔一段时间才知道是不是正常了……

另外我没有广告终结者，没有 ublock 什么的，症状已经好些天了

28

tyhunter

2018-11-15 22:44:49 +08:00

@tracky #20
@Emory #17

不是 ublock 的锅，禁用 ublock 后，点击张大妈的链接还是会跳到 rtsb24
就像 @lspnicol #27 说的，很诡异的是跳一次后再点击就不跳了，需要过段时间才会继续跳

29

tracky

2018-11-16 01:39:52 +08:00

@tyhunter 是的, 我晚上又测试了好久, 确实不是 ublock 的锅, 还是会跳, 不知道什么时候跳。

30

hcwhan

2018-11-16 09:32:36 +08:00

@tracky
@tyhunter
@lspnicol
应该还是扩展的问题全部禁了就 ok

31

lspnicol

2018-11-16 09:50:26 +08:00

隔了一个晚上了，想着应该会跳转了。于是先用 IE 打开京东，没跳转，再用 chrome 无痕模式打开京东，也没跳转，再用正常 chrome 打开，果然跳转了。

看来应该是 chrome 哪里问题，但是我跟楼上的同学们的插件都对不上啊，无法确定是哪个插件问题或者 chrome 其他哪里问题

32

beiousishen

2018-11-16 11:40:23 +08:00

@lspnicol
是的.不是每次都跳.所以很难测.只要关于 JD 的网址,一段时间不动后刷新就会强制定位到 rtsb24
现在我这的测试的结果是.
不是广告终结者.
而是
Video Downloader GetThemAll
这个
只要禁止以后,就不会跳转到 rtsb24.但是只要一开启,就会跳转到 rtsb24.

33

lspnicol

2018-11-16 11:45:19 +08:00

@beiousishen

我没有 Video Downloader GetThemAll，同类的只有 Video Downloader professional，我看了一下我这插件的更新日志，最后一次更新是 2018 年 8 月 1 日，而这跳转是最近的事情，所以我应该怪不到 Video Downloader professional 上。另外我这插件平时都是禁用状态，有用才会开启，总是我的问题与这个无关……

真是难搞啊，插件互相对比下来，排除不出来，都没有交集啊

34

beiousishen

2018-11-16 11:49:08 +08:00

或者说,有其他插件刚好在我禁止 Video Downloader GetThemAll 后没有触发跳转规则.
而我认为测试完结后,启动 Video Downloader GetThemAll 后又触发了跳转规则.
但以目前的情况来看.Video Downloader GetThemAll 有非常大的嫌疑.
关闭前.1 个小时就会被跳转一次.关闭后,16 小时测试时间内.未跳转.

35

beiousishen

2018-11-16 11:51:54 +08:00

可能是这些出问题的扩展调用了同一个网页,或者调用同一个参数.
可能不是一个扩展出现问题,而是这些扩展调用的外部网页或者 API 出现了问题.
所以导致不同的扩展都出现了相同的问题.

36

beiousishen

2018-11-16 11:59:20 +08:00

我放出我的所有扩展,给大家可以用来对比排除.
插件名称开启关闭状态
Chrono 下载管理器 OFF
Flash Video Downloader OFF
Free Video Downloader OFF
Google 翻译 OFF
Keepa - Amazon Price Tracker OFF
OneTab ON
Proxy SwitchyOmega ON
Video Downloader GetThemAll OFF
为知笔记网页剪辑器 OFF
书签管理器快速拨号| Papaly ON
广告终结者 ON
懒人比价购物助手 ON
捕捉网页截图 - FireShot 的 ON
方片收集 OFF
以上这个状态 16 小时内未触发跳转

但是下面这两个,是一家公司的扩展
Flash Video Downloader
Video Downloader GetThemAll
开启后,1 小时内有一次触发跳转.
但是,情况也有可能是下面这种.
或者说,有其他插件刚好在我禁止 Video Downloader GetThemAll 后没有触发跳转规则.
而我认为测试完结后,启动 Video Downloader GetThemAll 后又触发了跳转规则.
但以目前的情况来看.Video Downloader GetThemAll 有非常大的嫌疑.

37

Emory

2018-11-16 14:41:55 +08:00

见了鬼了，楼上的插件我一个也没有~不过我禁用了 ublock 两天了还没发生过跳转的问题

38

tracky

2018-11-16 16:44:40 +08:00

我准备把最近两周安装或者更新的扩展全部禁用掉, 再试试

39

lmusicwq

2018-11-16 19:41:03 +08:00

我也试试禁用 ublock 试试

40

lspnicol

2018-11-17 10:21:31 +08:00

我压根没有 ublock ……

41

beiousishen

2018-11-17 15:54:44 +08:00

Flash Video Downloader
Video Downloader GetThemAll
禁用两天......两天内已经不触发跳转了.
我 Chrome 的原因看来已经找到了.

42

tracky

2018-11-17 20:37:17 +08:00

@beiousishen 这两个我都没有

43

lspnicol

2018-11-17 21:09:04 +08:00

@beiousishen 这两个我也没有

44

tracky

2018-11-18 00:08:43 +08:00

4

我总结出测试方法了。

一、保证一小时以上不访问京东。
二、打开 chrome, 禁用全部扩展。
三、打开京东, 查看是否跳转。如果跳转, 那就再次等待一个小时或更长时间。
四、依次启用扩展, 每次启用一个, 启用后重新打开京东, 观察有没有跳转。
五、没有则继续启用下一个扩展, 如果跳转则可确认是哪个扩展出现问题。

我经过测试, 发现“ User-Agent Switcher for Google Chrome ”( https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake)这个扩展存在问题。

如果有跟我一样的, 可以尝试禁用这个扩展试试。

从上面的回复观察, 好像这次出问题的不是一个扩展, 而是好几个, 原因未知。

45

beiousishen

2018-11-18 01:10:23 +08:00

@tracky @lspnicol
我的 Chrome 找到问题是
Flash Video Downloader
Video Downloader GetThemAll
这两个扩展
根据其他楼层回复来看.不止是一个扩展出了问题.
可能是这些出问题的扩展都使用了同一个模块,或者调用了同一个 API,亦或是直接复制了同一段成品代码.
如果这些扩展都是同一个问题.那基本能说明不是一个扩展本地的代码有问题,而是这些扩展调用的地方有问题.
或许这个东西已经埋藏了很久.但是最近这些被调用的地方才被激活了.不一定要最近更新过扩展版本的扩展才会出问题.

46

qidaguai

2018-11-19 09:56:44 +08:00

还是没有找到问题。哎~

47

Emory

2018-11-19 10:39:25 +08:00

的确有可能像 @beiousishen 所说，是某个 chrome 的 api 造成的，因为全局搜索那几个关键字，整个 chrome 下都搜不到

48

Totato5749

2018-11-19 11:16:58 +08:00

@tracky 我也装了这个但是我可以明确的是我这个一直装了关了没用也发生了跳转

49

Totato5749

2018-11-19 11:23:23 +08:00

1

我先给大家一个建议下次打开京东前先打开 chrome 的调试，在 network 里面勾上 preserve log。然后打开京东，如果发生了跳转，看看有没有跳转的信息。

50

tracky

2018-11-19 13:51:34 +08:00

@Totato5749 只能全部禁用, 一个个开启测试。好像每个人都不同。

51

hcwhan

2018-11-19 23:42:01 +08:00

我也是禁用 Video Downloader GetThemAll 后 3 天没出现了

52

Totato5749

2018-11-20 00:44:38 +08:00

3

chrome://net-internals/#events 配合修改系统时间抓到了一次

在我这似乎是 BetterHistory 这个扩展搞的鬼

379947: URL_REQUEST
https://www.jd.com/
Start Time: 2018-11-21 00:32:46.413

t=6216 [st= 0] +REQUEST_ALIVE [dt=2848]
--> priority = "HIGHEST"
--> url = "https://www.jd.com/"
t=6216 [st= 0] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=3]
t=6216 [st= 0] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6217 [st= 1] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6217 [st= 1] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6218 [st= 2] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6218 [st= 2] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6218 [st= 2] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6219 [st= 3] CHROME_EXTENSION_REDIRECTED_REQUEST
--> extension_id = "obciceimmggglbmelaidpjlmodcebijb"
t=6219 [st= 3] CHROME_EXTENSION_REDIRECTED_REQUEST
--> extension_id = "obciceimmggglbmelaidpjlmodcebijb"
t=6219 [st= 3] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=6219 [st= 3] +URL_REQUEST_START_JOB [dt=4]
--> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
--> method = "GET"
--> url = "https://www.jd.com/"
t=6219 [st= 3] URL_REQUEST_REDIRECT_JOB
--> reason = "Delegate"
t=6219 [st= 3] URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
--> HTTP/1.1 307 Internal Redirect
Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
Non-Authoritative-Reason: Delegate
t=6219 [st= 3] +URL_REQUEST_DELEGATE_RECEIVED_REDIRECT [dt=4]
t=6219 [st= 3] DELEGATE_INFO [dt=4]
--> delegate_blocked_by = "MojoAsyncResourceHandler"
t=6223 [st= 7] -URL_REQUEST_DELEGATE_RECEIVED_REDIRECT
t=6223 [st= 7] URL_REQUEST_REDIRECTED
--> location = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=6223 [st= 7] -URL_REQUEST_START_JOB
t=6223 [st= 7] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=4]
t=6224 [st= 8] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6225 [st= 9] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6225 [st= 9] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6225 [st= 9] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6226 [st= 10] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6227 [st= 11] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6227 [st= 11] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=6227 [st= 11] +URL_REQUEST_START_JOB [dt=2827]
--> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
--> method = "GET"
--> url = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=6227 [st= 11] +NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=2]
t=6227 [st= 11] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6228 [st= 12] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Better History ”"
t=6229 [st= 13] -NETWORK_DELEGATE_BEFORE_START_TRANSACTION
t=6229 [st= 13] HTTP_CACHE_GET_BACKEND [dt=0]
t=6229 [st= 13] HTTP_CACHE_OPEN_ENTRY [dt=0]
t=6229 [st= 13] HTTP_CACHE_ADD_TO_ENTRY [dt=0]
t=6229 [st= 13] HTTP_CACHE_READ_INFO [dt=1]
t=6230 [st= 14] +HTTP_STREAM_REQUEST [dt=542]
t=6230 [st= 14] HTTP_STREAM_JOB_CONTROLLER_BOUND
--> source_dependency = 379949 (HTTP_STREAM_JOB_CONTROLLER)
t=6772 [st= 556] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 379950 (HTTP_STREAM_JOB)
t=6772 [st= 556] -HTTP_STREAM_REQUEST
t=6772 [st= 556] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=6772 [st= 556] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET /?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F HTTP/1.1
Host: rtbs24.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
t=6772 [st= 556] -HTTP_TRANSACTION_SEND_REQUEST
t=6772 [st= 556] +HTTP_TRANSACTION_READ_HEADERS [dt=2261]
t=6772 [st= 556] HTTP_STREAM_PARSER_READ_HEADERS [dt=2261]
t=9033 [st=2817] HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Nov 2018 16:32:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.37
Content-Encoding: gzip
t=9033 [st=2817] -HTTP_TRANSACTION_READ_HEADERS
t=9033 [st=2817] HTTP_CACHE_WRITE_INFO [dt=0]
t=9033 [st=2817] HTTP_CACHE_WRITE_DATA [dt=1]
t=9034 [st=2818] HTTP_CACHE_WRITE_INFO [dt=0]
t=9034 [st=2818] +NETWORK_DELEGATE_HEADERS_RECEIVED [dt=20]
t=9034 [st=2818] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=9035 [st=2819] DELEGATE_INFO [dt=19]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=9054 [st=2838] -NETWORK_DELEGATE_HEADERS_RECEIVED
t=9054 [st=2838] URL_REQUEST_FILTERS_SET
--> filters = "GZIP"
t=9054 [st=2838] -URL_REQUEST_START_JOB
t=9055 [st=2839] +URL_REQUEST_DELEGATE_RESPONSE_STARTED [dt=8]
t=9055 [st=2839] DELEGATE_INFO [dt=8]
--> delegate_blocked_by = "MojoAsyncResourceHandler"
t=9063 [st=2847] -URL_REQUEST_DELEGATE_RESPONSE_STARTED
t=9063 [st=2847] HTTP_TRANSACTION_READ_BODY [dt=0]
t=9063 [st=2847] URL_REQUEST_JOB_BYTES_READ
--> byte_count = 216
t=9063 [st=2847] URL_REQUEST_JOB_FILTERED_BYTES_READ
--> byte_count = 509
t=9063 [st=2847] HTTP_TRANSACTION_READ_BODY [dt=0]
t=9064 [st=2848] -REQUEST_ALIVE

53

Totato5749

2018-11-20 01:15:34 +08:00

看了一下这个 Better History，居然在扩展商店已经下架了。。。。似乎作者重新申请了个账号重新上架了......

感觉还是有理由怀疑它的

54

Totato5749

2018-11-20 01:20:07 +08:00

1

况且被我抓到石锤，谷歌其扩展 id：obciceimmggglbmelaidpjlmodcebijb 发现早有劫持请求的前科了 https://www.reddit.com/r/techsupport/comments/6237fp/windows_defender_fake_zeus_virus_hijack_in_chrome/

大家可以参考我的做法找到劫持请求的扩展，我看你们也没有装 Better History，所以很可能你们是别的扩展干的。建议看看你们怀疑的对象在 chrome 扩展商店里面还在上架没有

55

rootit

2018-11-20 09:29:43 +08:00

1

按楼上的方法找到了基本确定是 User-Agent Switcher
然后搜索了下 User-Agent Switcher 都说是木马
此扩展 id：ffhkkpnppgnfaobgihpdblnhmmbodake

注意看—= CHROME_EXTENSION_REDIRECTED_REQUEST 这里

最后：WQNMLGB

t=37261 [st= 0] +REQUEST_ALIVE [dt=3841]
--> priority = "HIGHEST"
--> url = "https://www.jd.com/"
t=37262 [st= 1] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=11]
t=37262 [st= 1] DELEGATE_INFO [dt=10]
--> delegate_blocked_by = "扩展程序“ User-Agent Switcher for Google Chrome ”"
t=37272 [st= 11] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ IDM Integration Module ”"
t=37272 [st= 11] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ IDM Integration Module ”"
t=37273 [st= 12] CHROME_EXTENSION_REDIRECTED_REQUEST
--> extension_id = "ffhkkpnppgnfaobgihpdblnhmmbodake"
t=37273 [st= 12] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=37273 [st= 12] +URL_REQUEST_START_JOB [dt=5]
--> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
--> method = "GET"
--> url = "https://www.jd.com/"
t=37273 [st= 12] URL_REQUEST_REDIRECT_JOB
--> reason = "Delegate"
t=37273 [st= 12] URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
--> HTTP/1.1 307 Internal Redirect
Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
Non-Authoritative-Reason: Delegate
t=37273 [st= 12] +URL_REQUEST_DELEGATE_RECEIVED_REDIRECT [dt=5]
t=37274 [st= 13] DELEGATE_INFO [dt=4]
--> delegate_blocked_by = "MojoAsyncResourceHandler"
t=37278 [st= 17] -URL_REQUEST_DELEGATE_RECEIVED_REDIRECT
t=37278 [st= 17] URL_REQUEST_REDIRECTED
--> location = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=37278 [st= 17] -URL_REQUEST_START_JOB
t=37278 [st= 17] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=4]
t=37278 [st= 17] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ User-Agent Switcher for Google Chrome ”"
t=37279 [st= 18] DELEGATE_INFO [dt=3]
--> delegate_blocked_by = "扩展程序“ AdBlock ”"
t=37282 [st= 21] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=37282 [st= 21] +URL_REQUEST_START_JOB [dt=3804]
--> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
--> method = "GET"
--> url = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=37282 [st= 21] +NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=1]
t=37282 [st= 21] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ User-Agent Switcher for Google Chrome ”"
t=37283 [st= 22] -NETWORK_DELEGATE_BEFORE_START_TRANSACTION
t=37283 [st= 22] HTTP_CACHE_GET_BACKEND [dt=0]
t=37283 [st= 22] HTTP_CACHE_OPEN_ENTRY [dt=2]
t=37285 [st= 24] HTTP_CACHE_ADD_TO_ENTRY [dt=0]
t=37285 [st= 24] HTTP_CACHE_READ_INFO [dt=0]
t=37285 [st= 24] +HTTP_STREAM_REQUEST [dt=2644]
t=37285 [st= 24] HTTP_STREAM_JOB_CONTROLLER_BOUND
--> source_dependency = 30866 (HTTP_STREAM_JOB_CONTROLLER)
t=39929 [st=2668] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 31013 (HTTP_STREAM_JOB)
t=39929 [st=2668] -HTTP_STREAM_REQUEST
t=39929 [st=2668] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=39929 [st=2668] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F HTTP/1.1
Host: rtbs24.com
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

56

beiousishen

2018-11-20 11:55:44 +08:00

@Emory 我的意思并不是 Chrome 的 API.而是有些扩展需要联网并请求第三方服务器支持服务的 API 接口.有人恶意在接口上设定或者激活了以前就埋下的跳转激活.而这些扩展的作者在知情或者不知情的情况下,调用了这些服务接口以达到扩展能达到的功能.因为这些 API 有些是现成的,某些扩展作者并不会额外花这个成本去自己搭建服务器.而这些被调用的 API,要么被入侵后修改了跳转地址,要么一开始就已经被埋藏了.就等着这种双 11 618 的时候激活后获取大量用户访问连接以获取推广费用.
但我更相信
Flash Video Downloader
Video Downloader GetThemAll
这两个是前者.
在 Google 后发现这两个有前科.应该是故意就埋下去的.

或许所有扩展可能有"隐藏功能"就看有没有激活了.

57

Emory

2018-11-20 15:54:22 +08:00

最近 chrome 插件也全部更新了权限要求，都要求文件读写什么的，感觉要尽量少装插件了

58

lspnicol

2018-11-21 10:24:03 +08:00

4

@Totato5749 非常感谢这位同学的办法，我照着你的办法也试了一下，乍一看以为是 tampermonkey，但是仔细看看，
t=5572 [st= 11] CHROME_EXTENSION_REDIRECTED_REQUEST
--> extension_id = "abidndjnodakeaicodfpgcnlkpppapah"

按这个 id 去自己扩展里面找了一下，结果是 Allow Copy，然后去 chrome 扩展商店看了一下，同样也是早就下架了的，符合你说的下架了的比较可疑的猜测

下面是完整日志

75104: URL_REQUEST
https://www.jd.com/
Start Time: 2018-11-22 10:05:45.623
t=5561 [st= 0] +REQUEST_ALIVE [dt=989]
--> priority = "HIGHEST"
--> url = "https://www.jd.com/"
t=5562 [st= 1] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=10]
t=5562 [st= 1] DELEGATE_INFO [dt=3]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5565 [st= 4] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5566 [st= 5] DELEGATE_INFO [dt=6]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5572 [st= 11] CHROME_EXTENSION_REDIRECTED_REQUEST
--> extension_id = "abidndjnodakeaicodfpgcnlkpppapah"
t=5572 [st= 11] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=5572 [st= 11] +URL_REQUEST_START_JOB [dt=2]
--> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
--> method = "GET"
--> url = "https://www.jd.com/"
t=5572 [st= 11] URL_REQUEST_REDIRECT_JOB
--> reason = "Delegate"
t=5572 [st= 11] URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
--> HTTP/1.1 307 Internal Redirect
Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
Non-Authoritative-Reason: Delegate
t=5572 [st= 11] +URL_REQUEST_DELEGATE_RECEIVED_REDIRECT [dt=1]
t=5573 [st= 12] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "MojoAsyncResourceHandler"
t=5573 [st= 12] -URL_REQUEST_DELEGATE_RECEIVED_REDIRECT
t=5574 [st= 13] URL_REQUEST_REDIRECTED
--> location = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=5574 [st= 13] -URL_REQUEST_START_JOB
t=5574 [st= 13] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=3]
t=5574 [st= 13] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5575 [st= 14] DELEGATE_INFO [dt=0]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5575 [st= 14] DELEGATE_INFO [dt=2]
--> delegate_blocked_by = "扩展程序“ Allow Copy ”"
t=5577 [st= 16] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=5577 [st= 16] +URL_REQUEST_START_JOB [dt=960]
--> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
--> method = "GET"
--> url = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=5577 [st= 16] NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=0]
t=5577 [st= 16] HTTP_CACHE_GET_BACKEND [dt=0]
t=5577 [st= 16] HTTP_CACHE_OPEN_ENTRY [dt=0]
--> net_error = -2 (ERR_FAILED)
t=5577 [st= 16] HTTP_CACHE_CREATE_ENTRY [dt=0]
t=5577 [st= 16] HTTP_CACHE_ADD_TO_ENTRY [dt=0]
t=5577 [st= 16] +HTTP_STREAM_REQUEST [dt=2]
t=5577 [st= 16] HTTP_STREAM_JOB_CONTROLLER_BOUND
--> source_dependency = 75107 (HTTP_STREAM_JOB_CONTROLLER)
t=5579 [st= 18] HTTP_STREAM_REQUEST_BOUND_TO_JOB
--> source_dependency = 75108 (HTTP_STREAM_JOB)
t=5579 [st= 18] -HTTP_STREAM_REQUEST
t=5580 [st= 19] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=5580 [st= 19] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> GET http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F HTTP/1.1
Host: rtbs24.com
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
t=5580 [st= 19] -HTTP_TRANSACTION_SEND_REQUEST
t=5580 [st= 19] +HTTP_TRANSACTION_READ_HEADERS [dt=954]
t=5580 [st= 19] HTTP_STREAM_PARSER_READ_HEADERS [dt=953]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=1]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_TRANSACTION_READ_RESPONSE_HEADERS
--> HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Encoding: gzip
Content-Type: text/html
Date: Wed, 21 Nov 2018 02:05:53 GMT
Keep-Alive: timeout=38
Server: nginx
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.37
t=6534 [st=973] -HTTP_TRANSACTION_READ_HEADERS
t=6534 [st=973] HTTP_CACHE_WRITE_INFO [dt=0]
t=6534 [st=973] HTTP_CACHE_WRITE_DATA [dt=0]
t=6534 [st=973] HTTP_CACHE_WRITE_INFO [dt=0]
t=6534 [st=973] +NETWORK_DELEGATE_HEADERS_RECEIVED [dt=3]
t=6534 [st=973] DELEGATE_INFO [dt=2]
--> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=6536 [st=975] DELEGATE_INFO [dt=1]
--> delegate_blocked_by = "扩展程序“ AdBlock ”"
t=6537 [st=976] -NETWORK_DELEGATE_HEADERS_RECEIVED
t=6537 [st=976] URL_REQUEST_FILTERS_SET
--> filters = "GZIP"
t=6537 [st=976] -URL_REQUEST_START_JOB
t=6537 [st=976] +URL_REQUEST_DELEGATE_RESPONSE_STARTED [dt=11]
t=6537 [st=976] DELEGATE_INFO [dt=11]
--> delegate_blocked_by = "MojoAsyncResourceHandler"
t=6548 [st=987] -URL_REQUEST_DELEGATE_RESPONSE_STARTED
t=6548 [st=987] HTTP_TRANSACTION_READ_BODY [dt=0]
t=6549 [st=988] URL_REQUEST_JOB_BYTES_READ
--> byte_count = 216
t=6549 [st=988] URL_REQUEST_JOB_FILTERED_BYTES_READ
--> byte_count = 509
t=6549 [st=988] HTTP_TRANSACTION_READ_BODY [dt=0]
t=6550 [st=989] -REQUEST_ALIVE