谁动了我们的DNS，是你吗，电信？

最新推荐文章于 2024-10-15 16:22:35 发布

hejishan

最新推荐文章于 2024-10-15 16:22:35 发布

阅读量2.1k

点赞数

文章标签：电信 dns服务器 statistics internet domain firefox

本文链接：https://blog.csdn.net/hejishan/article/details/2285315

版权

朋友说 (15:08):
方便的话，你访问当年明月的 blog http://blog.sina.com.cn/m/dangnianmingyue
用sniffer看看是不是会去下载一个www.jcdh.cn/1.exe的文件。我这只要一访问这个页面就下载这个病毒。其他页面没事。
我不能确定是我的机器中毒了还是这个页面有问题。

精于心，简于形[郑昀] 说 (15:15):
http://www.xfocus.net/articles/200610/888.html，这里面谈到了。
“两年前,访问网站的时候经常被重定位到北京宽带智能纠错网站去，比较烦人。
后来一段时间好象也没有了，也就没有注意了。这几天，访问网站的时候又经常出现
一些奇怪的现象。初步判断网络有点问题，当然我能确保我的系统是干净的。
”

jcdh.cn whois 信息
Domain Name     jcdh.cn
Domain Status    ok
Registrant Name    吕先生
Administrative Email    dayu2008@163.com
Sponsoring Registrar    北京万网志成科技有限公司
Name Server    dns11.hichina.com
Name Server    dns12.hichina.com
Registration Date    2006-09-15 14:11
Expiration Date    2007-09-15 14:11

朋友说:
是。我正在看xfocus那个文章，几天前看到过。
精于心，简于形[郑昀] 说:
我前几个月原来说过这个问题，典型的流氓手段。
朋友说:
是，我看过你那个文章。就是互联星空捆绑最热的时候。
精于心，简于形[郑昀] 说:
这回可能还是他们。和你的系统无关。

技术人员请看下面的xfocus讨论：

谁动了我们的DNS

创建时间：2006-10-15 更新时间：2006-10-15
文章属性：转载
文章来源：internet
文章提交：root (webmaster_at_xfocus.org)

谁动了我们的DNS

2006-10-16
by 81d83889fb4a54b0d5d7e07d42c51422

本文遵从GPL协议，欢迎转载

|=------------------------------------------------------------------------=|

---------[ Table of Contents ]

  0x1   - 前言
  0x2   - 一些怪现象
    0x2.1   --    ping一些不存在的域名
    0x2.2   --    抓包分析
  0x3    - 浏览器浏览不存在域名被重定位
    0x3.1   --    现象
    0x3.2   --    抓包分析
  0x4    - xxxxxx.bobodogs.com的统计数据
  0x5    - www.bobodogs.com的统计数据
  0x6    - 一次被引导到3721网站的过程
  0x7    - 有必要看下www.jcdh.cn这个网站
  0x8    - 小结
    0x8.1   --    影响用户范围
    0x8.2   --    解决办法

|=------------------------------------------------------------------------=|

---------[ 0x1 - 前言 ]

一两年前,访问网站的时候经常被重定位到北京宽带智能纠错网站去，比较烦人。
后来一段时间好象也没有了，也就没有注意了。这几天，访问网站的时候又经常出现
一些奇怪的现象。初步判断网络有点问题，当然我能确保我的系统是干净的。

使用环境 winxp sp2 firefox，北京网通ADSL拨号上网，使用DHCP自动分配IP和获得DNS，
不使用IE是因为IE自身也内嵌了3721查询，正确的说是内嵌了auto.search.msn.com.

关键字：DNS查询，HTTP协议，WHOIS 查询，DNS轮循

---------[ 0x2 - 一些怪现象 ]

这里就不重述DNS是如何工作的，以及DNS在整个互联网中的重要性。

---------[ 0x2.1 - ping一些不存在的域名 ]

先来看看一些现象：
======================================================================
ping fuck12334566.com

Pinging fuck12334566.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=17ms TTL=247
Reply from 202.108.251.209: bytes=32 time=16ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 17ms, Average = 16ms
Control-C
^C
ping fuck12334566.com

Pinging fuck12334566.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=15ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 15ms, Average = 15ms
Control-C
^C
ping fuck12334567.com

Pinging fuck12334567.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=17ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms
Control-C
^C
ping fuck12334568.com

Pinging fuck12334568.com [202.108.251.207] with 32 bytes of data:

Reply from 202.108.251.207: bytes=32 time=18ms TTL=247
Reply from 202.108.251.207: bytes=32 time=17ms TTL=247

Ping statistics for 202.108.251.207:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 18ms, Average = 17ms
Control-C
^C
ping fuck12334569.com

Pinging fuck12334569.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=16ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms
Control-C
^C
ping fuck12334570.com

Pinging fuck12334570.com [202.108.251.206] with 32 bytes of data:

Reply from 202.108.251.206: bytes=32 time=16ms TTL=247

Ping statistics for 202.108.251.206:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 16ms, Average = 16ms
Control-C
^C
ping fuck12334571.com

Pinging fuck12334571.com [202.108.251.209] with 32 bytes of data:

Reply from 202.108.251.209: bytes=32 time=17ms TTL=247

Ping statistics for 202.108.251.209:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms
Control-C
======================================================================

为什么会这样，明名胡乱打的一个域名为什么会返回一系列IP地址呢，是偶然
还是巧合?

dns服务器返回的一些ip地址
202.108.251.209
202.108.251.206
202.108.251.207
202.108.251.213

===============================================================
inetnum:      202.108.0.0 - 202.108.255.255
netname:      CNCGROUP-BJ
descr:        CNCGROUP Beijing province network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
changed:      hm-changed@apnic.net 20031017
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20060124
source:       APNIC

role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       suny@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      suny@publicf.bta.net.cn 19980824
changed:      hm-changed@apnic.net 20060717
source:       APNIC

===============================================================

---------[ 0x2.2 - 抓包分析 ]

抓包分析下

===============================================================
Frame 3 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Vmware_fc:4e:c4 (00:50:56:fc:4e:c4), Dst: Vmware_2b:e7:dd (00:0c:29:2b:e7:dd)
Internet Protocol, Src: 192.168.174.2 (192.168.174.2), Dst: 192.168.174.132 (192.168.174.132)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1326 (1326)
Domain Name System (response)
    Transaction ID: 0xc627
    Flags: 0x8180 (Standard query response, No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        fuck123445452.com: type A, class IN
            Name: fuck123445452.com
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        fuck123445452.com: type A, class IN, addr 202.108.251.213
            Name: fuck123445452.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute
            Data length: 4
            Addr: 202.108.251.213

===============================================================
很显然dns服务器告诉我们的就是：fuck123445452.com的ip地址为202.108.251.213

---------[ 0x3 - 浏览器浏览不存在域名被重定位 ]

---------[ 0x3.1 - 现象 ]

  再来看看http协议上的问题，我们用firefox敲了一个网址进去
www.chinatesttesttest.com (特意查了下，这个域名是还没有被人注册的) ,
结果返回回来的是
===============================================================
无法显示网页
您正在查找的页当前不可用。网站可能遇到支持问题，或者您需要调整您的浏览器
设置。

请尝试以下操作:

    * ·单击 refresh.gif (82 字节) 刷新按钮，或稍后重试。
    * ·如果您已经在地址栏中输入该网页的地址，请确认其拼

==============================================================
是不是觉得奇怪呢，是的，不奇怪才怪了呢

---------[ 0x3.2 - 抓包分析 ]

抓包分析吧

firefox的动作

★ 第一步
  查询www.chinatesttesttest.com的ip地址，如上一样dns服务器返回
  202.108.251.215

★ 第二步
  2.1 向202.108.251.215发送GET / HTTP/1.1/r/n请求。
  2.2 202.108.251.215返回数据

===============================================================
Hypertext Transfer Protocol
Line-based text data: text/html






             name="iframe0" src=" WIDTH="100%" HEIGHT="100%" FRAMEBORDER="0" />





===============================================================

ok这里出现了bobodogs.com和jcdh.cn这两个网站。
看看这两个网站分别是什么
jcdh.cn是北京宽带网网站。(后补：是乍看是)
bobodogs.com是博博狗。
他们俩什么关系？？

===============================================================
jcdh.cn whois 信息

Domain Name     jcdh.cn
Domain Status    ok
Registrant Name    吕先生
Administrative Email    dayu2008@163.com
Sponsoring Registrar    北京万网志成科技有限公司
Name Server    dns11.hichina.com
Name Server    dns12.hichina.com
Registration Date    2006-09-15 14:11
Expiration Date    2007-09-15 14:11

===============================================================
bobodogs whois 信息

   Domain Name: BOBODOGS.COM
   Registrar: HICHINA WEB SOLUTIONS (HONG KONG) LIMITED
   Whois Server: grs.hichina.com
   Referral URL: http://whois.hichina.com
   Name Server: DNS12.HICHINA.COM
   Name Server: DNS11.HICHINA.COM
   Status: ACTIVE
   EPP Status: ok
   Updated Date: 18-Jul-2006
   Creation Date: 18-Jul-2006
   Expiration Date: 18-Jul-2008

[grs.hichina.com]
Domain Name ..................... bobodogs.com
Name Server ..................... dns11.hichina.com
                                  dns12.hichina.com
Registrant ID ................... hc468722731-cn
Registrant Name ................. HAICHUAN LI
Registrant Organization ......... LI HAICHUAN
Registrant Address .............. BEIJING
Registrant City ................. BEIJING
Registrant Province/State ....... BEIJING
Registrant Postal Code .......... 100029
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.01058208009 -
Registrant Fax .................. +86.01058208005 -
Registrant Email ................ ponyring@gmail.com
Administrative ID ............... hc468722731-cn
Administrative Name ............. HAICHUAN LI
Administrative Organization ..... LI HAICHUAN
Administrative Address .......... BEIJING
Administrative City ............. BEIJING
Administrative Province/State ... BEIJING
Administrative Postal Code ...... 100029
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.01058208009 -
Administrative Fax .............. +86.01058208005 -
Administrative Email ............ ponyring@gmail.com
Billing ID ...................... hichina001-cn
Billing Name .................... hichina
Billing Organization ............ HiChina Web Solutions Limited
Billing Address ................. 3/F., HiChina Mansion
                                  No.27 Gulouwai Avenue
                                  Dongcheng District
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100011
Billing Country Code ............ CN
Billing Phone Number ............ +86.01064242299 -
Billing Fax ..................... +86.01064258796 -
Billing Email ................... domainadm@hichina.com
Technical ID .................... hichina001-cn
Technical Name .................. hichina
Technical Organization .......... HiChina Web Solutions Limited
Technical Address ............... 3/F., HiChina Mansion
                                  No.27 Gulouwai Avenue
                                  Dongcheng District
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100011
Technical Country Code .......... CN
Technical Phone Number .......... +86.01064242299 -
Technical Fax ................... +86.01064258796 -
Technical Email ................. domainadm@hichina.com
Expiration Date ................. 2008-07-18 06:21:34
===============================================================

  ★ 第三步：
  根据返回回来的数据，firefox继续访问www.jcdh.cn ,GET 1.html?url=www.chinatesttestest.com
这次返回的数据如下：

===============================================================
Hypertext Transfer Protocol
Line-based text data: text/html





    <script language="javascript" type="text/javascript">window.status="/315/352/261/317";</script>
    <script language="javascript" type="text/javascript" src="</script>

    bobodogs.com /325/322/262/273/265/275/267/376/316/361/306/367

width="25" height="33">

style="COLOR: black; FONT: 13pt/14pt /313/316/314/345">/316/336/267/250/317/324/312/276/315/370/322/263

        style="COLOR: black; FONT: 8pt/11pt verdana">/304/372/325/375/324/332/262/351/325/322/265/304/322/263/265/261/307/260/262/273/277/311/323/303/241/243
        /315/370/325/276/277/311/304/334/323/366/265/275/326/247/263/326/316/312/314/342/243/254/273/362/325/337/304/372/320/350/322/252
        /265/367/325/373/304/372/265/304/344/257/300/300/306/367/311/350/326/303/241/243

style="COLOR: black; FONT: 9pt/12pt /313/316/314/345">

/307/353/263/242/312/324/322/324/317/302/262/331/327/367:

/265/245/273/367

    /t     /313/242/320/302/260/264/305
/310/347/271/373/304/372/322/321/276/255/324/332/265/330/326/267/300/270/326/320/312/344/310/353/270/303/315/370/322/263/265/304/265/330/326/267/243/254
/307/353/310/267/310/317/306/344/306/264/320/264/325/375/310/267/241/243
/322/252/274/354/262/351/304/372/265/304/315/370/302/347/301/254/275/323/243/254/307/353/265/245/273/367/271/244/276/337/262/313/265/245/243/254/310/273/272/363/265/245/273/367
Internet /321/241/317/356/241/243/324/332/301/254/275/323/321/241/317/356/277/250/311/317/243/254/265/245/273/367/311/350/326/303/241/243
/311/350/326/303/261/330/320/353/323/353/304/372/265/304/276/326/323/362/315/370 (LAN) /271/334/300/355/324/261/273/362 Internet /267/376/316/361/271/251/323/246/311/314 (ISP) /314/341/271/251/265/304/322/273/326/302/241/243
/262/351/277/264/304/372/265/304 Internet /301/254/275/323/311/350/326/303/312/307/267/361/325/375/310/267/261/273/274/354/262/342/241/243/304/372/277/311/304/334/311/350/326/303/310/303 Microsoft Windows /274/354/262/3
2. /265/245/273/367/271/244/276/337/262/313/265/245/243/254/310/273/272/363/265/245/273/367Internet /321/241/317/356/241/243
4. /324/332/301/254/275/323/321/241/317/356/277/250/311/317/243/254/265/245/273/367LAN /311/350/326/303/241/243
6. /321/241/324/361/327/324/266/257/274/354/262/342/311/350/326/303/243/254/310/273/272/363/265/245/273/367/310/267/266/250/241/243
/304/263/320/251/325/276/265/343/322/252/307/363 128-/316/273/265/304/301/254/275/323/260/262/310/253/320/324/241/243/265/245/273/367/260/357/326/372/262/313/265/245/243/254/310/273/272/363/265/245/273/367/271/330/323/332
           /310/347/271/373/304/372/322/252/267/303/316/312/304/263/260/262/310/253/325/276/265/343/243/254/307/353/310/267/261/243/304/372/265/304/260/262/310/253/311/350/326/303/304/334/271/273/326/247/263/326/241/243/307/353/265/245/273/367



/265/245/273/367/311/317/322/273/262/275/260/264/305/245/243/254/263/242/312/324/306/344/313/373/301/264/

/325/322/262/273/265/275/267/376/316/361/306/367/273/362 DNS /264/355/316/363
Internet Explorer

http://www.51.la/?549643"

===============================================================

这个页面就是上面我们看到了

===============================================================
无法显示网页
您正在查找的页当前不可用。网站可能遇到支持问题，或者您需要调整您的浏览器
设置。

请尝试以下操作:

    * ·单击 refresh.gif (82 字节) 刷新按钮，或稍后重试。
    * ·如果您已经在地址栏中输入该网页的地址，请确认其拼
==============================================================

后面我们还看到有一个js脚本。
51.1a是免费统计流量的一个网站。
http://js.users.51.la/549643.js
里的内容如下
===============================================================
document.write (' http://www.51.la/?549643" target="_blank"> 我要啦免费统计 VIP 用户

http://icon.ajiang.net/icon_0.gif" style="border:none" />/n');
document.write ('<script>var a549643tf="51la";var a549643pu="";var a549643pf="51la";var a549643su=window.location;var a549643sf=document.referrer;var a549643of="";var a549643op="";var a549643ops=1;var a549643ot=1;var a549643d=new Date();var a549643color="";if (navigator.appName=="Netscape"){a549643color=screen.pixelDepth;} else {a549643color=screen.colorDepth;}