Recently, when I open JD.com over https, it occasionally redirects straight to https://www.joybuy.com
The exact redirect sequence is:
2. The browser loads for a long time, then redirects to: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
The source of this page is:
<meta content="0; URL=https://ytthn.com/click-IQL4686A-HFDQCIIE?bt=25&tl=1&sa=116&url=https://www.jd.com/" http-equiv="Refresh">
<script>window.location.href="https://ytthn.com/click-IQL4686A-HFDQCIIE?bt=25&tl=1&sa=116&url=https://www.jd.com/";</script>
click here
<script>self.location="https://ytthn.com/click-IQL4686A-HFDQCIIE?bt=25&tl=1&sa=116&url=https://www.jd.com/";</script>
3. It then redirects to JD's overseas site:
https://www.joybuy.com/?cps=63167206.1210749820&utm_source=Aff38&utm_medium=affiliate&utm_campaign=48281 (with an affiliate ID)
Is my machine infected, or is this ISP hijacking? It happens occasionally when I open the site; when I'm offline, opening it doesn't redirect. Please help!!! Can ISPs hijack HTTPS now???
1
charles83 2018-11-14 08:49:33 +08:00
Same here, for several days now. China Unicom fiber.
|
2
kupo 2018-11-14 13:24:52 +08:00
Same here, Shanghai Telecom premium network.
|
3
astic 2018-11-14 14:20:37 +08:00
It's all being hijacked by the ISPs to make money. Shameless.
|
4
tyhunter 2018-11-14 16:51:18 +08:00
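Beijing Unicom at home and the Beijing education network at the office; both have this problem.
At first I suspected an extension was hijacking it, but it looks like the ISP is behind it.
|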
6
wangjincp OP |
7
rootit 2018-11-14 18:53:24 +08:00
Damn, same situation here, exactly the same, even the same URLs. I've already called China Unicom.
|
8
tyhunter 2018-11-14 20:22:46 +08:00
|
9
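wangjincp OP
@tyhunter At first I thought my computer was infected, but it turns out everyone has the same thing. Even https can be hijacked now, impressive. Can some expert explain???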
|
10
hcwhan 2018-11-14 22:53:17 +08:00
|
11
hcwhan 2018-11-14 22:55:04 +08:00
After disabling all extensions yesterday, it didn't reproduce.
|
13
Emory 2018-11-15 10:58:03 +08:00
|
14
Emory 2018-11-15 11:00:05 +08:00
Also, I have jsonview too, plus allow copy, which is similar to one the poster above has.
|
15
tyhunter 2018-11-15 11:06:31 +08:00
@hcwhan #10
enhanced steam, evernote web clipper, lastpass, search the current site, stylus, tampermonkey, ublock, v2ex plus, 哔哩哔哩猜你喜欢. I'm going to disable them one by one and see.
|
16
tracky 2018-11-15 12:30:04 +08:00
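It's not ISP hijacking; it's probably caused by a Chrome extension or a Tampermonkey script.
I tested: IE is fine, and Chrome in safe mode is fine. I have too many extensions installed, and disabling them one at a time takes too long. The tricky part is the trigger: it only appears when you open JD again after not opening it for a while (I don't know how long). I looked at the extension list in #10 and we share quite a few. Cross-checking with #15 as well, the only ones in common are lastpass, tampermonkey and ublock.
|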
17
Emory 2018-11-15 13:34:51 +08:00
I have ublock too. Could that be it?
|
18
tracky 2018-11-15 13:59:59 +08:00
@Emory I just tried it: with tampermonkey disabled it still happens, so it should be one of ublock and lastpass.
|
19
Emory 2018-11-15 14:00:31 +08:00
I don't have lastpass.
|
20
tracky 2018-11-15 14:03:59 +08:00
|
22
charles83 2018-11-15 14:26:43 +08:00
It's not happening today.
|
25
beiousishen 2018-11-15 16:00:26 +08:00
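My Chrome does this too.
I currently suspect 广告终结者 3.2.7; after disabling it, things are normal for now. Not sure whether it's the extension itself or its rules.
|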
26
mortal 2018-11-15 20:05:03 +08:00
Same here. Following closely.
|
27
lspnicol 2018-11-15 22:27:56 +08:00
@beiousishen
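The redirect doesn't happen every time. It happens when you open JD after some interval, and then it won't happen again for a while, so you have to wait a while before you know whether it's really back to normal... Also, I don't have 广告终结者 or ublock or anything like that, and I've had the symptoms for quite a few days.
|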
28
tyhunter 2018-11-15 22:44:49 +08:00
|
31
lspnicol 2018-11-16 09:50:26 +08:00
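A night had passed, so I figured it should redirect again. I first opened JD in IE: no redirect. Then in Chrome incognito mode: no redirect either. Then in normal Chrome: sure enough, it redirected.
So it looks like something in Chrome is the problem, but my extensions don't match those of the posters above, so I can't tell which extension it is, or whether it's something else in Chrome.
|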
32
beiousishen 2018-11-16 11:40:23 +08:00
@lspnicol
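Yes. It doesn't redirect every time, so it's hard to test. Any JD URL, refreshed after being left alone for a while, gets forced to rtbs24. My test result so far: it's not 广告终结者 but Video Downloader GetThemAll. Once it's disabled, there's no redirect to rtbs24; but as soon as it's enabled, it redirects to rtbs24.
|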
33
lspnicol 2018-11-16 11:45:19 +08:00
@beiousishen
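I don't have Video Downloader GetThemAll; the only similar one I have is Video Downloader professional. I checked its changelog: the last update was on 1 August 2018, and this redirect is recent, so I probably can't blame Video Downloader professional. Besides, I normally keep that extension disabled and only enable it when I need it, so in any case my problem has nothing to do with it... This is really hard. Comparing extension lists with each other doesn't rule anything out; there's no overlap at all.
|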
34
beiousishen 2018-11-16 11:49:08 +08:00
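Or it could be that some other extension just happened not to trigger the redirect rule after I disabled Video Downloader GetThemAll,
and then triggered it again after I considered the test finished and re-enabled Video Downloader GetThemAll. But as things stand, Video Downloader GetThemAll is highly suspect. Before disabling it, I was redirected once an hour. After disabling it, no redirect in 16 hours of testing.
|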
35
beiousishen 2018-11-16 11:51:54 +08:00
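Maybe these problem extensions all call the same web page, or the same parameter.
Maybe it's not one extension that has gone wrong, but the external web page or API these extensions call, which is why different extensions all show the same problem.
|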
36
beiousishen 2018-11-16 11:59:20 +08:00
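Here are all my extensions, so everyone can compare and rule things out.
Extension name: on/off state
Chrono 下载管理器: OFF
Flash Video Downloader: OFF
Free Video Downloader: OFF
Google 翻译: OFF
Keepa - Amazon Price Tracker: OFF
OneTab: ON
Proxy SwitchyOmega: ON
Video Downloader GetThemAll: OFF
为知笔记网页剪辑器: OFF
书签管理器快速拨号| Papaly: ON
广告终结者: ON
懒人比价购物助手: ON
捕捉网页截图 - FireShot 的: ON
方片收集: OFF
In the state above, no redirect was triggered within 16 hours.
But the two below are extensions from the same company:
Flash Video Downloader
Video Downloader GetThemAll
After enabling them, a redirect was triggered once within 1 hour.
However, the situation could also be the following.
Or it could be that some other extension just happened not to trigger the redirect rule after I disabled Video Downloader GetThemAll, and then triggered it again after I considered the test finished and re-enabled Video Downloader GetThemAll. But as things stand, Video Downloader GetThemAll is highly suspect.
|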
37
Emory 2018-11-16 14:41:55 +08:00
Weird, I don't have a single one of the extensions listed above~ But I've had ublock disabled for two days and the redirect hasn't happened.
|
38
tracky 2018-11-16 16:44:40 +08:00
I'm going to disable every extension installed or updated in the last two weeks and try again.
|
39
lmusicwq 2018-11-16 19:41:03 +08:00
I'll try disabling ublock too.
|
40
lspnicol 2018-11-17 10:21:31 +08:00
I don't have ublock at all...
|
41
beiousishen 2018-11-17 15:54:44 +08:00
Flash Video Downloader
Video Downloader GetThemAll
Disabled for two days... no redirect has been triggered in those two days. Looks like I've found the cause for my Chrome.
|
42
tracky 2018-11-17 20:37:17 +08:00
@beiousishen I don't have either of those.
|
43
lspnicol 2018-11-17 21:09:04 +08:00
@beiousishen I don't have those two either.
|
44
tracky 2018-11-18 00:08:43 +08:00 4
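I've worked out a test method.
1. Make sure you haven't visited JD for more than an hour.
2. Open Chrome and disable all extensions.
3. Open JD and check whether it redirects. If it does, wait another hour or longer.
4. Enable the extensions in turn, one at a time; after enabling each one, reopen JD and watch for a redirect.
5. If there is none, go on to enable the next extension; if it redirects, you have identified the problem extension.
After testing, I found that the extension "User-Agent Switcher for Google Chrome" (https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake) has a problem. If you're in the same situation, try disabling it. Judging from the replies above, it seems that more than one extension is at fault this time, not just one; cause unknown.
|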
45
beiousishen 2018-11-18 01:10:23 +08:00
|
46
qidaguai 2018-11-19 09:56:44 +08:00
Still haven't found the problem. Sigh~
|
47
Emory 2018-11-19 10:39:25 +08:00
It may well be, as @beiousishen said, caused by some Chrome API, because a global search for those keywords finds nothing anywhere under the Chrome directory.
|
48
Totato5749 2018-11-19 11:16:58 +08:00
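@tracky I have this installed too, but what I can say for certain is that mine has been installed but switched off and unused the whole time, and the redirect still happened.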
|
49
Totato5749 2018-11-19 11:23:23 +08:00 1
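A suggestion for everyone first: next time, before opening JD, open Chrome's DevTools and tick preserve log under network. Then open JD, and if the redirect happens, see whether there is any information about it.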
|
50
tracky 2018-11-19 13:51:34 +08:00
@Totato5749 The only way is to disable everything and enable them one by one to test. It seems to be different for everyone.
|
51
hcwhan 2018-11-19 23:42:01 +08:00
Same for me: after disabling Video Downloader GetThemAll, it hasn't appeared for 3 days.
|
52
Totato5749 2018-11-20 00:44:38 +08:00 3
Using chrome://net-internals/#events together with changing the system time, I caught it once.
In my case it seems to be the BetterHistory extension that's behind it.
379947: URL_REQUEST
https://www.jd.com/
Start Time: 2018-11-21 00:32:46.413
t=6216 [st= 0] +REQUEST_ALIVE [dt=2848]
    --> priority = "HIGHEST"
    --> url = "https://www.jd.com/"
t=6216 [st= 0] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=3]
t=6216 [st= 0] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6217 [st= 1] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6217 [st= 1] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6218 [st= 2] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6218 [st= 2] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6218 [st= 2] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6219 [st= 3] CHROME_EXTENSION_REDIRECTED_REQUEST
    --> extension_id = "obciceimmggglbmelaidpjlmodcebijb"
t=6219 [st= 3] CHROME_EXTENSION_REDIRECTED_REQUEST
    --> extension_id = "obciceimmggglbmelaidpjlmodcebijb"
t=6219 [st= 3] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=6219 [st= 3] +URL_REQUEST_START_JOB [dt=4]
    --> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
    --> method = "GET"
    --> url = "https://www.jd.com/"
t=6219 [st= 3] URL_REQUEST_REDIRECT_JOB
    --> reason = "Delegate"
t=6219 [st= 3] URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
    --> HTTP/1.1 307 Internal Redirect
        Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
        Non-Authoritative-Reason: Delegate
t=6219 [st= 3] +URL_REQUEST_DELEGATE_RECEIVED_REDIRECT [dt=4]
t=6219 [st= 3] DELEGATE_INFO [dt=4]
    --> delegate_blocked_by = "MojoAsyncResourceHandler"
t=6223 [st= 7] -URL_REQUEST_DELEGATE_RECEIVED_REDIRECT
t=6223 [st= 7] URL_REQUEST_REDIRECTED
    --> location = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=6223 [st= 7] -URL_REQUEST_START_JOB
t=6223 [st= 7] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=4]
t=6224 [st= 8] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6225 [st= 9] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6225 [st= 9] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=6225 [st= 9] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6226 [st= 10] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6227 [st= 11] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6227 [st= 11] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=6227 [st= 11] +URL_REQUEST_START_JOB [dt=2827]
    --> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
    --> method = "GET"
    --> url = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=6227 [st= 11] +NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=2]
t=6227 [st= 11] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6228 [st= 12] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Better History ”"
t=6229 [st= 13] -NETWORK_DELEGATE_BEFORE_START_TRANSACTION
t=6229 [st= 13] HTTP_CACHE_GET_BACKEND [dt=0]
t=6229 [st= 13] HTTP_CACHE_OPEN_ENTRY [dt=0]
t=6229 [st= 13] HTTP_CACHE_ADD_TO_ENTRY [dt=0]
t=6229 [st= 13] HTTP_CACHE_READ_INFO [dt=1]
t=6230 [st= 14] +HTTP_STREAM_REQUEST [dt=542]
t=6230 [st= 14] HTTP_STREAM_JOB_CONTROLLER_BOUND
    --> source_dependency = 379949 (HTTP_STREAM_JOB_CONTROLLER)
t=6772 [st= 556] HTTP_STREAM_REQUEST_BOUND_TO_JOB
    --> source_dependency = 379950 (HTTP_STREAM_JOB)
t=6772 [st= 556] -HTTP_STREAM_REQUEST
t=6772 [st= 556] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=6772 [st= 556] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
    --> GET /?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F HTTP/1.1
        Host: rtbs24.com
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
t=6772 [st= 556] -HTTP_TRANSACTION_SEND_REQUEST
t=6772 [st= 556] +HTTP_TRANSACTION_READ_HEADERS [dt=2261]
t=6772 [st= 556] HTTP_STREAM_PARSER_READ_HEADERS [dt=2261]
t=9033 [st=2817] HTTP_TRANSACTION_READ_RESPONSE_HEADERS
    --> HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 19 Nov 2018 16:32:53 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: keep-alive
        Keep-Alive: timeout=5
        Vary: Accept-Encoding
        X-Powered-By: PHP/5.6.37
        Content-Encoding: gzip
t=9033 [st=2817] -HTTP_TRANSACTION_READ_HEADERS
t=9033 [st=2817] HTTP_CACHE_WRITE_INFO [dt=0]
t=9033 [st=2817] HTTP_CACHE_WRITE_DATA [dt=1]
t=9034 [st=2818] HTTP_CACHE_WRITE_INFO [dt=0]
t=9034 [st=2818] +NETWORK_DELEGATE_HEADERS_RECEIVED [dt=20]
t=9034 [st=2818] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ uBlock Origin ”"
t=9035 [st=2819] DELEGATE_INFO [dt=19]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=9054 [st=2838] -NETWORK_DELEGATE_HEADERS_RECEIVED
t=9054 [st=2838] URL_REQUEST_FILTERS_SET
    --> filters = "GZIP"
t=9054 [st=2838] -URL_REQUEST_START_JOB
t=9055 [st=2839] +URL_REQUEST_DELEGATE_RESPONSE_STARTED [dt=8]
t=9055 [st=2839] DELEGATE_INFO [dt=8]
    --> delegate_blocked_by = "MojoAsyncResourceHandler"
t=9063 [st=2847] -URL_REQUEST_DELEGATE_RESPONSE_STARTED
t=9063 [st=2847] HTTP_TRANSACTION_READ_BODY [dt=0]
t=9063 [st=2847] URL_REQUEST_JOB_BYTES_READ
    --> byte_count = 216
t=9063 [st=2847] URL_REQUEST_JOB_FILTERED_BYTES_READ
    --> byte_count = 509
t=9063 [st=2847] HTTP_TRANSACTION_READ_BODY [dt=0]
t=9064 [st=2848] -REQUEST_ALIVE
|
53
Totato5749 2018-11-20 01:15:34 +08:00
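I looked up this Better History, and it has actually been taken down from the extension store.... It seems the author registered a new account and published it again......
I think there's still good reason to suspect it.
|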
54
Totato5749 2018-11-20 01:20:07 +08:00 1
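Besides, I caught it red-handed. Googling its extension ID, obciceimmggglbmelaidpjlmodcebijb, shows it already has a record of hijacking requests: https://www.reddit.com/r/techsupport/comments/6237fp/windows_defender_fake_zeus_virus_hijack_in_chrome/
You can all follow my approach to find the extension that is hijacking requests. I see none of you have Better History installed, so in your cases it's very likely a different extension doing it. I suggest checking whether the ones you suspect are still listed in the Chrome extension store.
|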
55
rootit 2018-11-20 09:29:43 +08:00 1
Found it using the method from the post above. I'm basically sure it's User-Agent Switcher.
Then I searched for User-Agent Switcher and everyone says it's a trojan. This extension's ID: ffhkkpnppgnfaobgihpdblnhmmbodake. Look at the CHROME_EXTENSION_REDIRECTED_REQUEST entry here. Finally: WQNMLGB
t=37261 [st= 0] +REQUEST_ALIVE [dt=3841]
    --> priority = "HIGHEST"
    --> url = "https://www.jd.com/"
t=37262 [st= 1] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=11]
t=37262 [st= 1] DELEGATE_INFO [dt=10]
    --> delegate_blocked_by = "扩展程序“ User-Agent Switcher for Google Chrome ”"
t=37272 [st= 11] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ IDM Integration Module ”"
t=37272 [st= 11] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ IDM Integration Module ”"
t=37273 [st= 12] CHROME_EXTENSION_REDIRECTED_REQUEST
    --> extension_id = "ffhkkpnppgnfaobgihpdblnhmmbodake"
t=37273 [st= 12] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=37273 [st= 12] +URL_REQUEST_START_JOB [dt=5]
    --> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
    --> method = "GET"
    --> url = "https://www.jd.com/"
t=37273 [st= 12] URL_REQUEST_REDIRECT_JOB
    --> reason = "Delegate"
t=37273 [st= 12] URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
    --> HTTP/1.1 307 Internal Redirect
        Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
        Non-Authoritative-Reason: Delegate
t=37273 [st= 12] +URL_REQUEST_DELEGATE_RECEIVED_REDIRECT [dt=5]
t=37274 [st= 13] DELEGATE_INFO [dt=4]
    --> delegate_blocked_by = "MojoAsyncResourceHandler"
t=37278 [st= 17] -URL_REQUEST_DELEGATE_RECEIVED_REDIRECT
t=37278 [st= 17] URL_REQUEST_REDIRECTED
    --> location = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=37278 [st= 17] -URL_REQUEST_START_JOB
t=37278 [st= 17] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=4]
t=37278 [st= 17] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ User-Agent Switcher for Google Chrome ”"
t=37279 [st= 18] DELEGATE_INFO [dt=3]
    --> delegate_blocked_by = "扩展程序“ AdBlock ”"
t=37282 [st= 21] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=37282 [st= 21] +URL_REQUEST_START_JOB [dt=3804]
    --> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
    --> method = "GET"
    --> url = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=37282 [st= 21] +NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=1]
t=37282 [st= 21] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ User-Agent Switcher for Google Chrome ”"
t=37283 [st= 22] -NETWORK_DELEGATE_BEFORE_START_TRANSACTION
t=37283 [st= 22] HTTP_CACHE_GET_BACKEND [dt=0]
t=37283 [st= 22] HTTP_CACHE_OPEN_ENTRY [dt=2]
t=37285 [st= 24] HTTP_CACHE_ADD_TO_ENTRY [dt=0]
t=37285 [st= 24] HTTP_CACHE_READ_INFO [dt=0]
t=37285 [st= 24] +HTTP_STREAM_REQUEST [dt=2644]
t=37285 [st= 24] HTTP_STREAM_JOB_CONTROLLER_BOUND
    --> source_dependency = 30866 (HTTP_STREAM_JOB_CONTROLLER)
t=39929 [st=2668] HTTP_STREAM_REQUEST_BOUND_TO_JOB
    --> source_dependency = 31013 (HTTP_STREAM_JOB)
t=39929 [st=2668] -HTTP_STREAM_REQUEST
t=39929 [st=2668] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=39929 [st=2668] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
    --> GET http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F HTTP/1.1
        Host: rtbs24.com
        Proxy-Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
        DNT: 1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
|
56
beiousishen 2018-11-20 11:55:44 +08:00
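@Emory I didn't mean a Chrome API. I meant that some extensions need to go online and request API endpoints on third-party servers that support their service. Someone maliciously configured a redirect on those endpoints, or activated a redirect trigger planted earlier. And the authors of these extensions, knowingly or unknowingly, call these service endpoints to provide the extension's functionality. Because some of these APIs are ready-made, some extension authors won't spend the extra cost to set up their own servers. And the APIs being called were either compromised and had the redirect address changed, or had it planted from the start, just waiting to be activated at times like Double 11 and 618 to capture a large number of user visits and earn affiliate fees.
But I'm more inclined to believe that Flash Video Downloader and Video Downloader GetThemAll are the former. Googling shows these two have a record. It was probably planted deliberately. Perhaps any extension may have "hidden features"; it just depends on whether they've been activated.
|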
57
Emory 2018-11-20 15:54:22 +08:00
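Recently Chrome extensions have all updated their permission requests too, all asking for file read/write and such. I feel I should install as few extensions as possible.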
|
58
lspnicol 2018-11-21 10:24:03 +08:00 4
@Totato5749 Many thanks for this method. I followed it and tried it myself. At first glance I thought it was tampermonkey, but on a closer look,
t=5572 [st= 11] CHROME_EXTENSION_REDIRECTED_REQUEST --> extension_id = "abidndjnodakeaicodfpgcnlkpppapah"
I looked up this ID among my own extensions and it turned out to be Allow Copy. Then I checked the Chrome extension store, and it too had long since been taken down, which fits your guess that the delisted ones are the more suspicious.
Below is the full log:
75104: URL_REQUEST
https://www.jd.com/
Start Time: 2018-11-22 10:05:45.623
t=5561 [st= 0] +REQUEST_ALIVE [dt=989]
    --> priority = "HIGHEST"
    --> url = "https://www.jd.com/"
t=5562 [st= 1] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=10]
t=5562 [st= 1] DELEGATE_INFO [dt=3]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5565 [st= 4] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5566 [st= 5] DELEGATE_INFO [dt=6]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5572 [st= 11] CHROME_EXTENSION_REDIRECTED_REQUEST
    --> extension_id = "abidndjnodakeaicodfpgcnlkpppapah"
t=5572 [st= 11] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=5572 [st= 11] +URL_REQUEST_START_JOB [dt=2]
    --> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
    --> method = "GET"
    --> url = "https://www.jd.com/"
t=5572 [st= 11] URL_REQUEST_REDIRECT_JOB
    --> reason = "Delegate"
t=5572 [st= 11] URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
    --> HTTP/1.1 307 Internal Redirect
        Location: http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F
        Non-Authoritative-Reason: Delegate
t=5572 [st= 11] +URL_REQUEST_DELEGATE_RECEIVED_REDIRECT [dt=1]
t=5573 [st= 12] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "MojoAsyncResourceHandler"
t=5573 [st= 12] -URL_REQUEST_DELEGATE_RECEIVED_REDIRECT
t=5574 [st= 13] URL_REQUEST_REDIRECTED
    --> location = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=5574 [st= 13] -URL_REQUEST_START_JOB
t=5574 [st= 13] +NETWORK_DELEGATE_BEFORE_URL_REQUEST [dt=3]
t=5574 [st= 13] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5575 [st= 14] DELEGATE_INFO [dt=0]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=5575 [st= 14] DELEGATE_INFO [dt=2]
    --> delegate_blocked_by = "扩展程序“ Allow Copy ”"
t=5577 [st= 16] -NETWORK_DELEGATE_BEFORE_URL_REQUEST
t=5577 [st= 16] +URL_REQUEST_START_JOB [dt=960]
    --> load_flags = 18432 (MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE)
    --> method = "GET"
    --> url = "http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F"
t=5577 [st= 16] NETWORK_DELEGATE_BEFORE_START_TRANSACTION [dt=0]
t=5577 [st= 16] HTTP_CACHE_GET_BACKEND [dt=0]
t=5577 [st= 16] HTTP_CACHE_OPEN_ENTRY [dt=0]
    --> net_error = -2 (ERR_FAILED)
t=5577 [st= 16] HTTP_CACHE_CREATE_ENTRY [dt=0]
t=5577 [st= 16] HTTP_CACHE_ADD_TO_ENTRY [dt=0]
t=5577 [st= 16] +HTTP_STREAM_REQUEST [dt=2]
t=5577 [st= 16] HTTP_STREAM_JOB_CONTROLLER_BOUND
    --> source_dependency = 75107 (HTTP_STREAM_JOB_CONTROLLER)
t=5579 [st= 18] HTTP_STREAM_REQUEST_BOUND_TO_JOB
    --> source_dependency = 75108 (HTTP_STREAM_JOB)
t=5579 [st= 18] -HTTP_STREAM_REQUEST
t=5580 [st= 19] +HTTP_TRANSACTION_SEND_REQUEST [dt=0]
t=5580 [st= 19] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
    --> GET http://rtbs24.com/?target=https%3A%2F%2Fytthn.com%2Fclick-IQL4686A-HFDQCIIE%3Fbt%3D25%26tl%3D1__%26url%3Dhttps%3A%2F%2Fwww.jd.com%2F HTTP/1.1
        Host: rtbs24.com
        Proxy-Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
t=5580 [st= 19] -HTTP_TRANSACTION_SEND_REQUEST
t=5580 [st= 19] +HTTP_TRANSACTION_READ_HEADERS [dt=954]
t=5580 [st= 19] HTTP_STREAM_PARSER_READ_HEADERS [dt=953]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6533 [st=972] HTTP_STREAM_PARSER_READ_HEADERS [dt=1]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_STREAM_PARSER_READ_HEADERS [dt=0]
t=6534 [st=973] HTTP_TRANSACTION_READ_RESPONSE_HEADERS
    --> HTTP/1.1 200 OK
        Transfer-Encoding: chunked
        Content-Encoding: gzip
        Content-Type: text/html
        Date: Wed, 21 Nov 2018 02:05:53 GMT
        Keep-Alive: timeout=38
        Server: nginx
        Vary: Accept-Encoding
        X-Powered-By: PHP/5.6.37
t=6534 [st=973] -HTTP_TRANSACTION_READ_HEADERS
t=6534 [st=973] HTTP_CACHE_WRITE_INFO [dt=0]
t=6534 [st=973] HTTP_CACHE_WRITE_DATA [dt=0]
t=6534 [st=973] HTTP_CACHE_WRITE_INFO [dt=0]
t=6534 [st=973] +NETWORK_DELEGATE_HEADERS_RECEIVED [dt=3]
t=6534 [st=973] DELEGATE_INFO [dt=2]
    --> delegate_blocked_by = "扩展程序“ Tampermonkey ”"
t=6536 [st=975] DELEGATE_INFO [dt=1]
    --> delegate_blocked_by = "扩展程序“ AdBlock ”"
t=6537 [st=976] -NETWORK_DELEGATE_HEADERS_RECEIVED
t=6537 [st=976] URL_REQUEST_FILTERS_SET
    --> filters = "GZIP"
t=6537 [st=976] -URL_REQUEST_START_JOB
t=6537 [st=976] +URL_REQUEST_DELEGATE_RESPONSE_STARTED [dt=11]
t=6537 [st=976] DELEGATE_INFO [dt=11]
    --> delegate_blocked_by = "MojoAsyncResourceHandler"
t=6548 [st=987] -URL_REQUEST_DELEGATE_RESPONSE_STARTED
t=6548 [st=987] HTTP_TRANSACTION_READ_BODY [dt=0]
t=6549 [st=988] URL_REQUEST_JOB_BYTES_READ
    --> byte_count = 216
t=6549 [st=988] URL_REQUEST_JOB_FILTERED_BYTES_READ
    --> byte_count = 509
t=6549 [st=988] HTTP_TRANSACTION_READ_BODY [dt=0]
t=6550 [st=989] -REQUEST_ALIVE
|
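Added example, not part of the thread: the check the posters in #52, #55 and #58 do by eye, written as a parser for the text export of chrome://net-internals/#events that reports which extension ID issued the browser-internal 307 redirect and unwraps the URLs nested in its Location. The sample log is constructed (reserved .example hosts, placeholder extension ID), and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the text layout of chrome://net-internals/#events:
# reserved .example hosts and a placeholder extension ID, not a real extension.
SAMPLE_LOG = '''
t=10 [st= 0] +REQUEST_ALIVE  [dt=40]
              --> url = "https://shop.example/"
t=10 [st= 0]   +NETWORK_DELEGATE_BEFORE_URL_REQUEST  [dt=3]
t=11 [st= 1]      DELEGATE_INFO  [dt=1]
                  --> delegate_blocked_by = "扩展程序“ Example Blocker ”"
t=13 [st= 3]      CHROME_EXTENSION_REDIRECTED_REQUEST
                  --> extension_id = "aaaabbbbccccddddeeeeffffgggghhhh"
t=13 [st= 3]    URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
                --> HTTP/1.1 307 Internal Redirect
                    Location: http://tracker.example/?target=https%3A%2F%2Fclick.example%2Fc-1%3Furl%3Dhttps%3A%2F%2Fshop.example%2F
                    Non-Authoritative-Reason: Delegate
t=50 [st=40] -REQUEST_ALIVE
'''

# Every event starts with "t=<ms> [st=<ms>]". Splitting on that prefix handles
# the multi-line export and a paste flattened onto one line alike.
EVENT_PREFIX = re.compile(r't=\s*\d+\s+\[st=\s*\d+\]\s+')

def host(url):
    return urlsplit(url or '').hostname

def unwrap_redirect_chain(url, max_depth=5):
    """Follow URLs nested in query parameters (target=..., url=...)."""
    chain = [url]
    for _ in range(max_depth):
        params = parse_qs(urlsplit(chain[-1]).query)
        nested = [v for values in params.values() for v in values
                  if v.startswith(('http://', 'https://'))]
        if not nested:
            break
        chain.append(nested[0])
    return chain

def find_extension_redirects(log_text):
    """Return one finding per browser-internal redirect issued by an extension."""
    findings, requested, ext_ids = [], None, []
    for chunk in EVENT_PREFIX.split(log_text):
        name = re.match(r'[+-]?([A-Z_]+)', chunk.strip())
        event = name.group(1) if name else None  # None: text before first event
        if event in ('REQUEST_ALIVE', 'URL_REQUEST_START_JOB'):
            url = re.search(r'url = "([^"]+)"', chunk)
            requested = url.group(1) if url else requested
        elif event == 'CHROME_EXTENSION_REDIRECTED_REQUEST':
            # DELEGATE_INFO only names extensions the request waited on; this
            # event names the one that actually rewrote the request.
            ext = re.search(r'extension_id = "([a-p]{32})"', chunk)
            if ext and ext.group(1) not in ext_ids:
                ext_ids.append(ext.group(1))
        elif event == 'URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED' and ext_ids:
            loc = re.search(r'Location:\s*(\S+)', chunk)
            if loc and 'Non-Authoritative-Reason: Delegate' in chunk:
                chain = unwrap_redirect_chain(loc.group(1))
                findings.append({
                    'extension_ids': ext_ids,
                    'requested': requested,
                    'hosts': [host(u) for u in chain],
                    # Affiliate-style loop: chain ends on the site asked for.
                    'returns_to_origin': host(chain[-1]) == host(requested)
                                         and host(requested) is not None,
                    'https_downgrade': (requested or '').startswith('https://')
                                       and chain[0].startswith('http://'),
                })
                ext_ids = []
    return findings

if __name__ == '__main__':
    print(find_extension_redirects(SAMPLE_LOG))
```

A `307 Internal Redirect` carrying `Non-Authoritative-Reason: Delegate` is generated inside the browser before any request reaches the network, so a finding here points at a local extension rather than at the connection.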
59
xenocide 2018-11-21 15:13:36 +08:00
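I ran into it too. It's probably not an ISP problem: I'm in two locations, one on China Telecom and one on China Mobile, and both have this problem.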
|
60
lmusicwq 2018-11-21 15:25:16 +08:00
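@Totato5749 Both #10 and I have this one installed. Although things were fine for a day with ublock disabled, it looks like this one is the more likely suspect.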
|
61
lspnicol 2018-11-21 17:27:48 +08:00
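@lmusicwq No need to rely on guesswork; with @Totato5749's method you can pinpoint the culprit exactly. I've disabled allow copy on my side and found a replacement. No problems for a whole day; finally I can open JD without being bounced around.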
|
62
lmusicwq 2018-11-21 17:48:22 +08:00
@lspnicol #61 Yes, I've just verified that it's better history too; the ID in CHROME_EXTENSION_REDIRECTED_REQUEST is its ID.
|
63
lyb61 2018-11-21 18:13:40 +08:00
On my side it's better history. Uninstalled.
|
65
fcymk2 2018-11-23 10:25:43 +08:00
|
66
l0ng 2018-11-24 17:29:01 +08:00
@Totato5749 #49
Thanks. The culprit is User-Agent Switcher for Google Chrome. Infuriating.
|
68
tai7sy 2018-11-25 23:52:15 +08:00 4
User-Agent Switcher for Google Chrome (ffhkkpnppgnfaobgihpdblnhmmbodake)
Solid proof:
|
69
lspnicol 2018-11-26 11:39:56 +08:00
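I originally suspected that the authors of these extensions had been bought by an affiliate network and inserted malicious code...
But for several people above the culprit is User-Agent Switcher for Google Chrome. I don't have it installed, but I looked it up and it's Google's own extension, not by an individual author. Why would it be up to no good...
|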
70
nichijou 2018-11-26 19:26:23 +08:00
Same here, though it hasn't happened in the last couple of days.
|
71
mojoo 2018-12-07 14:32:19 +08:00
|
72
gayapple 2018-12-19 11:23:46 +08:00
Uninstalled. Finally back to normal. Thanks.
|
73
toma 2018-12-20 03:43:06 +08:00
So it was UA Switcher all along... Is there a usable extension of the same kind...
|
74
luufox 2019-01-06 23:28:12 +08:00
@Totato5749 Thanks a lot. I've removed UAS.
|
75
Anxon 2019-01-07 14:27:01 +08:00
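I just tested, and it's confirmed to be Better History. I opened its store page and found it's already a 404. I wonder why Chrome didn't warn about it or automatically disable the extension.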
|
76
CenJing 2019-01-09 17:39:17 +08:00
Uninstalled User-Agent Switcher for Google Chrome.
|
78
nichijou 2019-02-01 18:51:35 +08:00
|
80
upwell 2019-03-04 13:12:17 +08:00
Uninstalled User-Agent Switcher for Google Chrome.
|
81
ykrank 2019-04-11 14:01:45 +08:00
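I ran into this problem today too. The cause was that I had installed a knock-off User-Agent Switcher for Google Chrome. There's an official one with a nearly identical name whose publisher is google, and that's the right one; this one has a single character changed.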
|
82
yylzcom 2019-09-24 17:40:39 +08:00
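Replying to bookmark this first. I use several Chrome profiles at once, and the only one with the problem is the browser that has
User-Agent Switcher for Google Chrome installed. The others, like ublock and switchyomega, which are installed in all of the browsers, are fine. I'll disable it, test, and come back to report.
|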