
An expert strips the disguise off TaiG Assistant (太极助手)

 2013/12/23 13:09:04    程序员俱乐部


  "The iOS 7 jailbreak is here! Huh? Why is there a TaiG Assistant bundled inside?"

  From last night through today, "TaiG" has become a hot topic in the overseas jailbreak community and on Chinese social networks. evasi0n even issued a statement specifically about it. As 王崇旭 put it, "This day is destined to be a disgraceful one for the jailbreak hackers whose core values are 'the pursuit of freedom' and 'breaking the shackles'."

  This article reconstructs, step by step, who stands behind "TaiG". The lookups are done with terminal commands on Linux, so if you intend to try them yourself, first check that your operating system is Linux.

  Step one: query the domain registration with the whois command.

$ whois taig.com
Domain Name: TAIG.COM
Registry Domain ID: 5070333_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-11-05 18:27:16
Creation Date: 1999-04-06 23:00:00
Registrar Registration Expiration Date: 2015-04-06 23:00:00
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: zhou shengjin
Registrant Organization:
Registrant Street: Beijing changping district changping road
Registrant City: Beijing
Registrant State/Province: beijing
Registrant Postal Code: 100096
Registrant Country: China
Registrant Phone: +1.8811225068
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: nomas.chow@gmail.com
Registry Admin ID:
Admin Name: zhou shengjin
Admin Organization:
Admin Street: Beijing changping district changping road
Admin City: Beijing
Admin State/Province: beijing
Admin Postal Code: 100096
Admin Country: China
Admin Phone: +1.8811225068
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: nomas.chow@gmail.com
Registry Tech ID:
Tech Name: zhou shengjin
Tech Organization:
Tech Street: Beijing changping district changping road
Tech City: Beijing
Tech State/Province: beijing
Tech Postal Code: 100096
Tech Country: China
Tech Phone: +1.8811225068
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: nomas.chow@gmail.com
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM

  From the above we can see that taig.com is a domain registered back in 1999. The contact phone number in the record, +1.8811225068, should really be +86-18811225068. That is one of our leads. The address "Changping Road, Changping District, Beijing" matches the home location of the mobile number, Beijing. The email address is another useful lead.

  Step two: resolve www.taig.com with the host command to obtain the IP addresses and DNS records associated with the name.

$ host www.taig.com
www.taig.com has address 211.155.82.248
www.taig.com has address 203.191.148.133
www.taig.com has address 42.62.21.140
www.taig.com has address 42.62.21.141
www.taig.com has address 42.62.21.142
www.taig.com has address 42.62.21.143
www.taig.com has address 42.62.21.144
www.taig.com has address 211.155.82.233

  What do these IP addresses tell us? www.taig.com is served from several data centres and uses CDN acceleration, which does not look like a small company's infrastructure. Querying these IP addresses with whois gives disappointing results, because they all point to the respective data centres. Looking them up with bgp.he.net, a tool for IP and domain information, did not give anything more either.

  Still, there is no need to be discouraged: what we have found so far is already full of suspicious points. Now let's use curl -s to download the page source of www.taig.com to the local machine, then pull the URLs out of the source with grep -Eo "http://[^\"']+". The result is quite interesting:

$ curl -s www.taig.com | grep -Eo "http://[^\"']+"
http://bbdown.iphonespirit.com/site/image/logo.ico
http://js.pingguoyingyong.com/taiji-home/css/style.css
http://bbs.taig.com
http://www.taig.com/archives/category/news
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://www.adobe.com/go/getflash
http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForWin_v1.0.zip
http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForMac_v1.0.dmg
http://www.taig.com/archives/category/news
http://www.taig.com/archives/548
http://bbdown.iphonespirit.com/site/docpic/2348.jpg
http://www.taig.com/archives/548
http://www.taig.com/archives/548
http://www.taig.com/archives/253
http://www.taig.com/archives/251
http://www.taig.com/archives/249
http://www.taig.com/archives/247
http://www.taig.com/archives/241
http://www.taig.com/archives/239
http://www.taig.com/archives/237
http://www.taig.com/archives/233
http://js.pingguoyingyong.com/taiji-home/js/build.js

  The results show that the www.taig.com page also references domains belonging to other sites. Those domains are certainly not there by accident. We run whois again on these suspicious-looking domains, starting with pingguoyingyong.com:
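The grep above lists every URL, including dozens of first-party links and duplicates. The script below is an added example (not from the article) that does the same extraction on a constructed page-source sample, drops hosts under the site's own domain and counts the remaining third-party hosts, so the next whois round starts from a short list of registrable domains; the two-label registrable-domain rule is an assumption that is good enough for .com.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed page-source sample built from URL shapes in the article's grep output.
SAMPLE_HTML = """
<link rel="icon" href="http://bbdown.iphonespirit.com/site/image/logo.ico">
<link rel="stylesheet" href="http://js.pingguoyingyong.com/taiji-home/css/style.css">
<a href="http://bbs.taig.com">BBS</a>
<a href="http://www.taig.com/archives/548">news</a>
<a href='http://www.taig.com/archives/253'>news</a>
<embed src="http://static.youku.com/v1.0.0334/v/swf/player_yk.swf">
<a href="http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForWin_v1.0.zip">Win</a>
<script src="http://js.pingguoyingyong.com/taiji-home/js/build.js"></script>
"""

# Same idea as the article's grep -Eo, but also stopping at angle brackets.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption: fine
    for .com; a public-suffix list is needed for names such as example.com.cn)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def external_hosts(html, own_domain):
    """Count references to every host outside own_domain (www.taig.com and
    bbs.taig.com both belong to taig.com and are ignored)."""
    counts = Counter()
    for url in URL_RE.findall(html):
        host = urlparse(url).hostname
        if host and registrable_domain(host) != own_domain.lower():
            counts[host] += 1
    return counts

def external_domains(html, own_domain):
    """The registrable domains to feed into the next whois round."""
    return {registrable_domain(h) for h in external_hosts(html, own_domain)}

if __name__ == "__main__":
    for host, n in external_hosts(SAMPLE_HTML, "taig.com").most_common():
        print(f"{n:3d}  {host}")
    print(sorted(external_domains(SAMPLE_HTML, "taig.com")))
```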

$ whois pingguoyingyong.com
Domain Name: PINGGUOYINGYONG.COM
Registry Domain ID: 1701302087_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-02-04 05:56:33
Creation Date: 2012-02-09 09:52:46
Registrar Registration Expiration Date: 2015-02-09 09:52:46
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: John Lennon
Registrant Organization: Apple Application INC.
Registrant Street: China
Registrant City: guangdong
Registrant State/Province: baiyun
Registrant Postal Code: 000000
Registrant Country: China
Registrant Phone: +86.138000138000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fidate@gmail.com
Registry Admin ID:
Admin Name: John Lennon
Admin Organization: Apple Application INC.
Admin Street: China
Admin City: guangdong
Admin State/Province: baiyun
Admin Postal Code: 000000
Admin Country: China
Admin Phone: +86.138000138000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: fidate@gmail.com
Registry Tech ID:
Tech Name: John Lennon
Tech Organization: Apple Application INC.
Tech Street: China
Tech City: guangdong
Tech State/Province: baiyun
Tech Postal Code: 000000
Tech Country: China
Tech Phone: +86.138000138000
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: fidate@gmail.com
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET

  If you want to know what other domains a domain's holder owns, the email address on the registration is the first thing to investigate. Searching on it, the email for this domain, fidate@gmail.com, also holds another domain, idestop.com.

  Running whois on iphonespirit.com shows that it uses a privacy-protection service that keeps others from seeing its whois registration details.

$ whois iphonespirit.com
Domain Name ..................... iphonespirit.com
Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
Name Server ..................... ns3.dnsv4.com
                                  ns4.dnsv4.com
Registrant ID ................... whois-protect
Registrant Name ................. WHOIS AGENT
Registrant Organization ......... DOMAIN WHOIS PROTECTION SERVICE
Registrant Address .............. 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Registrant City ................. Beijing
Registrant Province/State ....... Beijing
Registrant Postal Code .......... 100120
Registrant Country Code ......... CN
Registrant Phone Number ......... +8610.64242266
Registrant Fax .................. +8610.84138796
Registrant Email ................ domainadm@hichina.com
Administrative ID ............... whois-protect
Administrative Name ............. WHOIS AGENT
Administrative Organization ..... DOMAIN WHOIS PROTECTION SERVICE
Administrative Address .......... 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Administrative City ............. Beijing
Administrative Province/State ... Beijing
Administrative Postal Code ...... 100120
Administrative Country Code ..... CN
Administrative Phone Number ..... +8610.64242266
Administrative Fax .............. +8610.84138796
Administrative Email ............ domainadm@hichina.com
Billing ID ...................... whois-protect
Billing Name .................... WHOIS AGENT
Billing Organization ............ DOMAIN WHOIS PROTECTION SERVICE
Billing Address ................. 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100120
Billing Country Code ............ CN
Billing Phone Number ............ +8610.64242266
Billing Fax ..................... +8610.84138796
Billing Email ................... domainadm@hichina.com
Technical ID .................... whois-protect
Technical Name .................. WHOIS AGENT
Technical Organization .......... DOMAIN WHOIS PROTECTION SERVICE
Technical Address ............... 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100120
Technical Country Code .......... CN
Technical Phone Number .......... +8610.64242266
Technical Fax ................... +8610.84138796
Technical Email ................. domainadm@hichina.com
Domain Create Date .............. 2013-03-29 19:54:24
Expiration Date ................. 2014-03-29 19:54:24
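The email pivot described two paragraphs up, and the privacy-protected record just shown, are the two things a whois-correlation script has to handle: parse both layouts seen on this page ("Key: Value" from GoDaddy and "Key ..... Value" from HiChina), group domains by registrant email, and skip proxy contacts so the registrar's shared agent address does not falsely link every one of its customers. This is an added example, not the article's code; the records are shortened from the article's output, and the idestop.com record is assumed from the article's statement about fidate@gmail.com.

```python
import re
from collections import defaultdict

# One regex covers both whois layouts on this page: "Key: Value" (GoDaddy)
# and "Key ........ Value" (HiChina). Continuation lines without a key are dropped.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*(?::|\.{3,})\s*(.*?)\s*$")
# Constructed records, shortened from the article's whois output (not live lookups);
# the idestop.com record is assumed from the article's statement about fidate@gmail.com.
TAIG = """Domain Name: TAIG.COM
Registrant Name: zhou shengjin
Registrant Email: nomas.chow@gmail.com
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM"""
PGYY = """Domain Name: PINGGUOYINGYONG.COM
Registrant Name: John Lennon
Registrant Email: fidate@gmail.com"""
IDESTOP = """Domain Name: IDESTOP.COM
Registrant Email: fidate@gmail.com"""
SPIRIT = """Domain Name ..................... iphonespirit.com
Registrant ID ................... whois-protect
Registrant Name ................. WHOIS AGENT
Registrant Organization ......... DOMAIN WHOIS PROTECTION SERVICE
Registrant Email ................ domainadm@hichina.com
Name Server ..................... ns3.dnsv4.com
                                  ns4.dnsv4.com"""

def parse_whois(text):
    """Return {lower-cased field: [values]}; repeated fields keep every value."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip().lower()].append(m.group(2))
    return dict(fields)

def is_privacy_protected(rec):
    """A proxy registration shows the registrar's agent instead of the real registrant."""
    blob = " ".join(rec.get("registrant id", []) + rec.get("registrant name", [])
                    + rec.get("registrant organization", [])).lower()
    return any(tag in blob for tag in ("whois-protect", "whois agent", "protection"))

def pivot_by_email(records):
    """Group domains by registrant email. Proxy contacts are skipped, because the
    registrar's shared address would otherwise link every one of its customers."""
    groups = defaultdict(set)
    for rec in map(parse_whois, records):
        if is_privacy_protected(rec):
            continue
        for email in rec.get("registrant email", []):
            groups[email.lower()].add(rec["domain name"][0].lower())
    return dict(groups)
```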

  Nevertheless, we can still take the DNS analysis a step further.

$ host bbdown.iphonespirit.com
bbdown.iphonespirit.com is an alias for bbdown.iphonespirit.com.51ccdn.com.
bbdown.iphonespirit.com.51ccdn.com is an alias for c01.i08.sisyun.com.
c01.i08.sisyun.com is an alias for c01.i08.cncsd.hadns.net.
c01.i08.cncsd.hadns.net has address 61.156.242.76
c01.i08.cncsd.hadns.net has address 60.210.10.77
c01.i08.cncsd.hadns.net has address 61.156.157.183

  A quick search reveals that the distribution domain used by "苹果核" (Pingguohe) is exactly iphonespirit.com. And 苹果核 uses the core of a certain domestic company, which inevitably invites certain associations.

$ host js.pingguoyingyong.com
js.pingguoyingyong.com has address 117.121.11.32

  Next, we use the host command to look into this IP address, and make a surprising discovery.

$ host www.kuaiyong.com
www.kuaiyong.com has address 117.121.11.16

  On checking, the address returned to overseas resolvers is .16, and the address returned to domestic resolvers is .32.

$ curl -s --head -H"Host: www.kuaiyong.com" 117.121.11.32
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 22 Dec 2013 22:40:11 GMT
Content-Type: text/html
Content-Length: 9268
Last-Modified: Thu, 19 Dec 2013 05:47:21 GMT
Connection: keep-alive
Accept-Ranges: bytes
$ curl -s -H"Host: nosuchhost.com" 117.121.11.32 | grep '<title>'
<title>Test Page for the Nginx HTTP Server on EPEL</title>
$ curl -s -H"Host: www.kuaiyong.com" 117.121.11.32 | grep '<title>'
<title> 快用苹果助手 </title>

  Conclusion

  Because TaiG's download links are hosted on iphonespirit.com, we have reason to believe that TaiG has some connection with a certain domestic company, or with companies that company has invested in.

  And because TaiG's JS resources are hosted on pingguoyingyong.com, we have reason to believe that TaiG has some deep level of cooperation with Kuaiyong Assistant (快用助手). Another possibility is that TaiG is simply a front for Kuaiyong Assistant.

  PS:

  If you open bbdown.iphonespirit.com now, you will find a notice; it appears the site has been hacked:

To a certain company

Thank you for the Christmas "white apple" (bricked devices) you gave us

Thank you for the bundled TaiG Assistant you gave us

Since you have the money to partner with Evad3rs, how about offering a service too: if a device gets bricked, just send a new one

This time we are truly disappointed, because you have betrayed the original spirit of jailbreaking

Stop testing users' bottom line, okay?
