Tearing off TaiG Assistant's sockpuppet disguise

Mon 23 December 2013

Abstract: Using common social-engineering and open-source intelligence techniques, this post tries to identify the backers behind TaiG Assistant (太极助手), the Chinese-made App Store bundled with the iOS 7 jailbreak.

$ whois taig.com
Domain Name: TAIG.COM
Registry Domain ID: 5070333_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-11-05 18:27:16
Creation Date: 1999-04-06 23:00:00
Registrar Registration Expiration Date: 2015-04-06 23:00:00
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: zhou shengjin
Registrant Organization:
Registrant Street: Beijing changping district changping road
Registrant City: Beijing
Registrant State/Province: beijing
Registrant Postal Code: 100096
Registrant Country: China
Registrant Phone: +1.8811225068
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: nomas.chow@gmail.com
Registry Admin ID:
Admin Name: zhou shengjin
Admin Organization:
Admin Street: Beijing changping district changping road
Admin City: Beijing
Admin State/Province: beijing
Admin Postal Code: 100096
Admin Country: China
Admin Phone: +1.8811225068
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: nomas.chow@gmail.com
Registry Tech ID:
Tech Name: zhou shengjin
Tech Organization:
Tech Street: Beijing changping district changping road
Tech City: Beijing
Tech State/Province: beijing
Tech Postal Code: 100096
Tech Country: China
Tech Phone: +1.8811225068
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: nomas.chow@gmail.com
Name Server: NS3.DNSV4.COM
Name Server: NS4.DNSV4.COM

Clearly, taig.com is a fairly old domain. The contact phone number in this record, +1.8811225068, should really be +86-18811225068; that is one of our clues. The address "Beijing Changping District Changping Road" matches the Beijing home region of that mobile number. The email address is another useful clue.

$ host www.taig.com
www.taig.com has address 211.155.82.248
www.taig.com has address 203.191.148.133
www.taig.com has address 42.62.21.140
www.taig.com has address 42.62.21.141
www.taig.com has address 42.62.21.142
www.taig.com has address 42.62.21.143
www.taig.com has address 42.62.21.144
www.taig.com has address 211.155.82.233

Judging by this, it does not look like a small company's infrastructure. The whois results for these addresses are disappointing, since they all point to various data centers, and bgp.he.net gives no further information.

$ curl -s www.taig.com|grep -Eo "http://[^\"']+"
http://bbdown.iphonespirit.com/site/image/logo.ico
http://js.pingguoyingyong.com/taiji-home/css/style.css
http://bbs.taig.com
http://www.taig.com/archives/category/news
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://static.youku.com/v1.0.0334/v/swf/player_yk.swf
http://www.adobe.com/go/getflash
http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForWin_v1.0.zip
http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForMac_v1.0.dmg
http://www.taig.com/archives/category/news
http://www.taig.com/archives/548
http://bbdown.iphonespirit.com/site/docpic/2348.jpg
http://www.taig.com/archives/548
http://www.taig.com/archives/548
http://www.taig.com/archives/253
http://www.taig.com/archives/251
http://www.taig.com/archives/249
http://www.taig.com/archives/247
http://www.taig.com/archives/241
http://www.taig.com/archives/239
http://www.taig.com/archives/237
http://www.taig.com/archives/233
http://js.pingguoyingyong.com/taiji-home/js/build.js

This time the result looks rather interesting. Below are backups of the whois records for some of these domains.

$ whois pingguoyingyong.com
Domain Name: PINGGUOYINGYONG.COM
Registry Domain ID: 1701302087_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-02-04 05:56:33
Creation Date: 2012-02-09 09:52:46
Registrar Registration Expiration Date: 2015-02-09 09:52:46
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: John Lennon
Registrant Organization: Apple Application INC.
Registrant Street: China
Registrant City: guangdong
Registrant State/Province: baiyun
Registrant Postal Code: 000000
Registrant Country: China
Registrant Phone: +86.138000138000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fidate@gmail.com
Registry Admin ID:
Admin Name: John Lennon
Admin Organization: Apple Application INC.
Admin Street: China
Admin City: guangdong
Admin State/Province: baiyun
Admin Postal Code: 000000
Admin Country: China
Admin Phone: +86.138000138000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: fidate@gmail.com
Registry Tech ID:
Tech Name: John Lennon
Tech Organization: Apple Application INC.
Tech Street: China
Tech City: guangdong
Tech State/Province: baiyun
Tech Postal Code: 000000
Tech Country: China
Tech Phone: +86.138000138000
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: fidate@gmail.com
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET

On investigation, the email address for this domain also owns another domain, idestop.com. As early as 2006 the owner of that mailbox was already based in a residential community in Beijing called 新龙城 (Xinlongcheng).

$ whois iphonespirit.com

Domain Name ..................... iphonespirit.com
Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
Name Server ..................... ns3.dnsv4.com
                                  ns4.dnsv4.com
Registrant ID ................... whois-protect
Registrant Name ................. WHOIS AGENT
Registrant Organization ......... DOMAIN WHOIS PROTECTION SERVICE
Registrant Address .............. 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Registrant City ................. Beijing
Registrant Province/State ....... Beijing
Registrant Postal Code .......... 100120
Registrant Country Code ......... CN
Registrant Phone Number ......... +8610.64242266
Registrant Fax .................. +8610.84138796
Registrant Email ................ domainadm@hichina.com
Administrative ID ............... whois-protect
Administrative Name ............. WHOIS AGENT
Administrative Organization ..... DOMAIN WHOIS PROTECTION SERVICE
Administrative Address .......... 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Administrative City ............. Beijing
Administrative Province/State ... Beijing
Administrative Postal Code ...... 100120
Administrative Country Code ..... CN
Administrative Phone Number ..... +8610.64242266
Administrative Fax .............. +8610.84138796
Administrative Email ............ domainadm@hichina.com
Billing ID ...................... whois-protect
Billing Name .................... WHOIS AGENT
Billing Organization ............ DOMAIN WHOIS PROTECTION SERVICE
Billing Address ................. 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100120
Billing Country Code ............ CN
Billing Phone Number ............ +8610.64242266
Billing Fax ..................... +8610.84138796
Billing Email ................... domainadm@hichina.com
Technical ID .................... whois-protect
Technical Name .................. WHOIS AGENT
Technical Organization .......... DOMAIN WHOIS PROTECTION SERVICE
Technical Address ............... 3/F.,HiChina Mansion,No.27 Gulouwai Avenue
                                  Dongcheng District,Beijing 100120,China
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100120
Technical Country Code .......... CN
Technical Phone Number .......... +8610.64242266
Technical Fax ................... +8610.84138796
Technical Email ................. domainadm@hichina.com
Domain Create Date .............. 2013-03-29 19:54:24
Expiration Date ................. 2014-03-29 19:54:24

Although this domain has whois protection, we can still go further with DNS analysis.

$ host bbdown.iphonespirit.com
bbdown.iphonespirit.com is an alias for bbdown.iphonespirit.com.51ccdn.com.
bbdown.iphonespirit.com.51ccdn.com is an alias for c01.i08.sisyun.com.
c01.i08.sisyun.com is an alias for c01.i08.cncsd.hadns.net.
c01.i08.cncsd.hadns.net has address 61.156.242.76
c01.i08.cncsd.hadns.net has address 60.210.10.77
c01.i08.cncsd.hadns.net has address 61.156.157.183

A quick search shows that 苹果核 (Pingguohe) uses exactly this domain for its downloads, and since Pingguohe is built on 360's core, that invites certain associations.

$ host js.pingguoyingyong.com
js.pingguoyingyong.com has address 117.121.11.32

Next, searching for this IP address turned up a surprising discovery.

$ host www.kuaiyong.com
www.kuaiyong.com has address 117.121.11.16

On checking, the overseas resolution is .16 and the mainland China resolution is .32.

$ curl -s --head -H"Host: www.kuaiyong.com" 117.121.11.32
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 22 Dec 2013 22:40:11 GMT
Content-Type: text/html
Content-Length: 9268
Last-Modified: Thu, 19 Dec 2013 05:47:21 GMT
Connection: keep-alive
Accept-Ranges: bytes

$ curl -s -H"Host: nosuchhost.com" 117.121.11.32 | grep '<title>'
<title>Test Page for the Nginx HTTP Server on EPEL</title>

$ curl -s -H"Host: www.kuaiyong.com" 117.121.11.32 | grep '<title>'
<title> 快用苹果助手 </title>

Surprising discovery no. 2

Conclusion

Since TaiG's download links are hosted on iphonespirit.com, we have reason to believe that TaiG is connected in some way to 360 or to a company 360 has invested in. Since TaiG's JS resources are hosted on pingguoyingyong.com, we have reason to believe that TaiG has some deep cooperation with Kuaiyong Assistant (快用助手), or that TaiG is simply another sockpuppet of Kuaiyong.
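Taken together, the steps above (harvest the off-site hosts a page loads from, whois each domain, cross-reference registrant contacts, then discount weak signals such as a shared DNS provider) form one pivoting procedure. The following Python is an added example, not the author's tooling: it parses both whois layouts seen above into records, normalizes phone numbers with the mis-entered country code caveat noted earlier, and reports which domains share an indicator. The whois excerpts and HTML fragment are constructed from values quoted on this page; the function names are my own.

```python
import re
from itertools import combinations
# Constructed, trimmed excerpts of the whois records quoted above: GoDaddy "Key: value" and HiChina dotted-leader layouts.
WHOIS_SAMPLES = {
    "taig.com": "Registrant Organization:\nRegistrant Phone: +1.8811225068\n"
                "Registrant Email: nomas.chow@gmail.com\nName Server: NS3.DNSV4.COM\nName Server: NS4.DNSV4.COM\n",
    "pingguoyingyong.com": "Registrant Phone: +86.138000138000\nRegistrant Email: fidate@gmail.com\n"
                           "Name Server: F1G1NS1.DNSPOD.NET\n",
    "iphonespirit.com": "Registrant Email ................ domainadm@hichina.com\n"
                        "Name Server ..................... ns3.dnsv4.com\n"
                        "                                  ns4.dnsv4.com\n",
}
# Constructed page fragment with the kind of off-site URLs the curl|grep step surfaced.
HTML_SAMPLE = ('<link href="http://js.pingguoyingyong.com/taiji-home/css/style.css">'
               '<a href="http://bbdown.iphonespirit.com/ios/7/TaiG_JailBreak_iOS7_ForWin_v1.0.zip">'
               '<a href="http://www.taig.com/archives/548">'
               '<embed src="http://static.youku.com/v1.0.0334/v/swf/player_yk.swf">')
FIELD = re.compile(r"^([A-Za-z/ ]+?)\s*(?:\.{2,}\s*|:\s*)(.*)$")  # "Key: value" or "Key .... value"

def parse_whois(text):
    """Return {field: [values]}; an indented line without a key continues the previous field."""
    record, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, value = m.group(1).strip(), m.group(2).strip()
            if value:  # "Registrant Organization:" with nothing after it is dropped
                record.setdefault(last, []).append(value)
        elif line[:1].isspace() and line.strip() and last:
            record.setdefault(last, []).append(line.strip())
    return record

def phone_key(raw):
    """Last 10 digits only: registrants mis-enter country codes (+1.8811225068 above is +86 18811225068)."""
    return re.sub(r"\D", "", raw)[-10:]

def pivots(record):
    """Indicators to cross-reference; name servers are tagged "ns" because a shared DNS provider proves little."""
    return ({("email", v.lower()) for v in record.get("Registrant Email", [])}
            | {("phone", phone_key(v)) for v in record.get("Registrant Phone", [])}
            | {("ns", v.lower()) for v in record.get("Name Server", [])})

def shared_pivots(samples):
    """Map each pair of domains to the indicators their whois records have in common."""
    recs = {d: pivots(parse_whois(t)) for d, t in samples.items()}
    return {(a, b): sorted(recs[a] & recs[b]) for a, b in combinations(sorted(recs), 2) if recs[a] & recs[b]}
def external_hosts(html, own_domain):
    """Hosts a page loads resources from outside its own domain: the next pivot targets."""
    hosts = set(re.findall(r"https?://([^/\"'\s>]+)", html))
    return {h for h in hosts if h != own_domain and not h.endswith("." + own_domain)}
```

On the sample data only taig.com and iphonespirit.com share anything, and only name servers, which is exactly why the page had to fall back on CNAME chains rather than registrant data for that domain.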

You will shed tears of regret for your ignorance and arrogance, and all of that I will take as mere stumbling blocks on the road of my scientific career. —— Dati Zhao Mingyi
