How to prevent and solve the problem of the website is Hung horse

Tip: I am here to discuss the blog has recently been an example of ARP attack, annoying to death. The manifestation of the site by the IFRAME Hanging horse, pop-up a large number of pornographic sites, the problem appeared 11 hours, these 11 hours in the blood and tears of exploration to solve.

Preface: If you are from search engine search here, I believe you must be very anxious, nonsense not to say, straight into the subject. The rest of the sentiment I moved to the end of the article said.

I am here to discuss the blog has recently been an example of ARP attack, annoying to death. The manifestation of the site by the IFRAME Hanging horse, pop-up a large number of pornographic sites, the problem appeared 11 hours, these 11 hours in the blood and tears of exploration to solve.

How to Judge Arp attack

A server almost all Web pages open HTML are automatically added such as this style of code, and some in the head, some in the tail, some anti-virus software open will report poison, open HTML or ASP, PHP page, in the source code how can not find this section.

First of all, you can build an HTML file uploaded to the server, open through the Web site, such as found that the file added to the IFRAME code that description of the recruit.

Solutions

First method: Check the IIS document footer

Note that the red box, no special case the document footer is not enabled, if you see here tick and point to a local HTML file, you can open point to the local file to see if the Trojan virus code.

Second method: Check the MetaBase.xml file

MetaBase.xml is a configuration file in IIS, located at:

C:\WINDOWS\system32\inetsrv\MetaBase.xml

Check to see if the following code is added:

accessflags= "AccessRead AccessScript"

Appfriendlyname= "Default Application"

Appisolated= "2"

approot= "/lm/w3svc/81120797/root"

authflags= "AuthAnonymous authntlm"

Defaultdocfooter= "File:c:\windows\system32\com\iis.htm"

Defaultdocfooter= behind the general is with a local file, Trojan virus is here, this paragraph can be deleted.

Special Note: MetaBase.xml cannot be modified directly, you need to stop the IIS service to modify it, or right-click the local computer in IIS Manager-select Properties, check "Allow direct editing of the metabase" so that you can edit the MetaBase.xml file without stopping IIS.

Third method: Check ISAPI filters

At present, these DLLs loaded files, any anti-virus software and Trojan horse software can not be effectively found and killed, but also by the naked eye to achieve. So the method is also very simple:

Open IIS, right-click the Web site, properties-Find the ISAPI tab and check to see if there are any more unfamiliar DLL files. If a new DLL is removed, restart IIS.

The Fourth way: check the Global.asa Trojan

Explain the function of this code first: Because the Global.asa file is the file that the website launches, when a website is accessed by the user, will execute the content of Application_Start code snippet, when a user accesses the first time will execute the content of Session_Start code section , so the role of this code is when access to automatically download the Trojan content, the above is a jump to the role of the Trojan code.

Global.asa Trojan as usual will not affect the normal operation of the site, hackers as usual exercise Global.asa Trojan is not to destroy the operation of the site, they are similar to the Web site black chain, as usual is the site of the search engine included a particularly bad impact. Often reflected in the search engine contains a large number of inexplicable web site topics, and these topics are definitely not the content of their own web site, click on the link to enter the site is still the page, but the topic is different, click Baidu Snapshot found Baidu reminder: "Sorry, you are not allowed to view the Web page can be You can directly access So-and-so URL, yes! This shows that your site has been recruited! It's the direct result of the site in the search engine ranking landing or completely dissipated, the tension will also allow visitors to visit your site when the computer poisoning!

Global.asa this file is generally in the root directory, the system file can only be forced to delete under the cmd command. If you do not delete the words you can find your own space business to let them to you delete this Trojan.

Special Note: None of the above methods work

The above mentioned methods of arp attack, are searched from the Internet, all methods at least repeated three times, but the problem is still unresolved, and later learned that the IFRAME is implanted in two cases:

One is that someone has tampered with your IIS, either by looking for a modified profile or by simply reloading it.

Second, if you reload or not resolved, that is ARP spoofing attack, and you the same server LAN section of other servers have problems, install ARP firewall and to network management reflects this situation. Solve this problem to use the elimination method to find the real reason, the right remedy:

Spent a lot of time to troubleshoot, a full delay of 11 hours, after the epiphany, thought it was their own server problems, did not think is the LAN section of other servers. A 360ARP firewall was installed behind to resolve the problem.

Extended reading:

ARP Spoofing principle:

In the LAN, the IP address must be converted to the second level physical address (MAC address) by the ARP protocol before communication. ARP protocol is of great significance to the network security, but the design of the ARP method did not take into account the excessive security problem, which left a lot of hidden trouble for ARP, ARP deception is one example. ARP spoofing attack is to exploit this protocol loophole, and realize ARP spoofing attack technology by forgery MAC address.

Computers in the same LAN are communicated through MAC addresses. Method for, PC and another device communication, the PC will first look for each other's IP address, and then through the ARP table (ARP table has so can communicate IP and IP corresponding MAC address) call up the corresponding MAC address. Guangzhou Middle-dimensional tax http://101.1.28.14/communicate with each other via MAC address. That is to say, in the intranet, each device is looking for and communicating with a MAC address, not an IP address.

Any machine in the net can easily send ARP broadcast, to claim its own IP and its own Mac. The machine that receives this will create an ARP entry in its own ARP form that records his IP and MAC address. If this broadcast is wrong, other machines will also accept it. With this method of deception only need to do a software, you can in the LAN for ARP spoofing attacks.

The discovery of ARP:

The common problem of ARP is to drop line, on the basis of drop line can be judged by following several ways, 1. In general, do not need to deal with 1 minutes to return to normal Internet. Because the ARP spoofing is by the time limit, after the deadline will automatically return to normal. And now most routers will be in a very short period of time to broadcast their correct ARP, so that the deceived machine back to normal. But if the attack ARP spoofing (in fact is a very short amount of time a lot of cheating arp,1 seconds have a hundreds of thousand), he is constantly through the non-Shanghai Kaidi finance and taxation http://101.1.20.46/often a large number of ARP deception to prevent intranet machines online, Even if the router keeps broadcasting the correct package, it will be flooded with a lot of misinformation. 2. Open the DOS interface of the deceived machine, enter the ARP-A command will see the relevant ARP table, through the view of the Gateway MAC address can be to determine whether ARP spoofing, but due to the time limit, this work must be completed before the machine back to normal. If there is a deception problem, the ARP table will appear in the wrong gateway MAC address, and the real Gateway Mac a pair of black and white points.

The following is a few ARP firewall to use the feeling:

Safe dog

My first thought is that the security dog, in the server this piece is very famous, ARP attack, I installed the first time, this is my sad urge to start. Installed software, point "physical examination", I thought it was a trojan to restart, the results of the server can not open the machine, repeatedly several times, I realized this is not antivirus, but the server shutdown.

Due to the weekend, IDC on duty fewer people, repeated shutdown, the boot wasted a full 4 hours. Finally understand that it should be the security dog and the server what conflict caused by something.

D Shield

Several of my friends recommended D Shield, especially his web killing tool, which was able to examine in great detail whether every program file was hung on a horse. It was with this tool that I realized that the Lou blog program was fine,

360ARP Firewall

Above all two have ARP firewall, installed after found that no one is useful (perhaps not use of the relationship), after the 360ARP, the iframe hanging horse immediately disappeared. To determine if I can use it, I repeatedly start and close the software several times to make sure that 360ARP does work.

Through the tracking ARP attack source, send Beijing good still finance and taxation http://101.1.28.35/is now the same LAN under another server always send me ARP spoofing request, after the IP search domain name, through the domain name found the mail, sent her an email to tell her server was black.

Strongly recommend 360ARP, help me solve the big problem:

Written at the end:

Say 1000 10,000, or server security do not in place, Zsx told me: You blog really black, through the log to find a variety of scanners.