On 2018.6.19 we received a new customer reporting that their website had been hacked. The site's home page had been tampered with by xxx: content that did not belong to the site had been inserted into its code, so that Baidu's Website Security Center warned "this page may contain an xxx virus!". The site's entries in Baidu's index and its cached snapshot had also been hijacked to show World Cup betting, xxx, xxx and similar content. On receiving the customer's report, our Sine Security company immediately assigned security engineers to carry out a detailed security inspection of the hacked site and a manual security audit of its code. We found that the site's front page was being tampered with again and again: the customer could only delete the home page file and regenerate it, after which it was tampered with once more, with no way to stop it, so they came to Sine Security to handle the site's security.
I. Analysis of the situation of the website being hacked
1. The customer's website is built on the Zhimeng (织梦) DedeCMS system, a PHP + MySQL application. Many DedeCMS vulnerabilities have been disclosed in recent years, yet a great many websites and platforms still run on it. Typical corporate sites and sites built for search ranking use this program because it is quick to optimize and quick to load: the whole site can be generated as static files, articles are easy to manage and update, pages open fast, and keyword optimization and promotion are convenient. Through communication with the customer we learned that whenever a new article was published and new HTML pages were generated from the back end, or the home page index.html was regenerated, xxx encrypted code and xxx content were added to the output directly, as in the picture below:
The content added to the tampered site (Speed Racer, xxx, xxx, xxx, World Cup betting) had nothing to do with the site. The site code also contained a JavaScript check-and-jump: visitors arriving from a Baidu search were redirected straight to these Speed Racer, xxx, xxx pages, which led 360 to flag the site with an xxx interception and Baidu to show a risk interception, pictured below:
Searching for the website on Baidu shows the risk warning directly: "Baidu Website Security Center reminds you: this page may contain an xxx virus."
A security inspection of all of the customer's website code and a manual security audit found that, besides the tampered home page index.html, the index.htm file under the DedeCMS template directory had also been tampered with.
Let's open the index.htm template file and look at the code:
The following code is obfuscated JavaScript redirect code. It checks conditions such as whether the visitor came from a Baidu search and only then redirects; opening the site by entering its domain name directly does not trigger the jump.
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]; // the hex escapes decode to window["document"]["write"]
Decoding the obfuscated code above revealed xxx and xxx related content. We deleted the tampered content from the generated home page directly, then cleaned the xxx virus and the xxx backdoor out of the site, carried out vulnerability detection and repair on the site, and deployed a website anti-tampering scheme.
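The decoding step above can be scripted so that every template in the site is checked the same way. The following is an added example written for this article, not code from the page or from DedeCMS: it decodes \xNN and \uNNNN escapes inside a template, rewrites window["document"] style access to dotted form, and reports whether redirect indicators such as document.write, referrer or baidu appear in the decoded text. The SAMPLE_TEMPLATE fragment is constructed for the example and is not the actual payload found on the customer's site; the indicator list is an assumption, chosen to match the behaviour the article describes.

```python
import re

# Constructed sample (not the page's actual payload): a template fragment in the
# style of the obfuscated redirect found in the tampered index.htm. Hex escapes hide
# "document", "referrer", "baidu" and "write" from a plain-text grep.
SAMPLE_TEMPLATE = r'''<html><head><title>Home</title></head><body>
<script>
var r = window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x72\x65\x66\x65\x72\x72\x65\x72"];
if (r.indexOf("\x62\x61\x69\x64\x75") > -1) {
  window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("<!-- injected -->");
}
</script>
</body></html>'''

# A constructed template with ordinary, unobfuscated script for comparison.
CLEAN_TEMPLATE = "<html><body><script>document.title = 'Home';</script></body></html>"

# \xNN and \uNNNN escapes as they appear inside JavaScript string literals.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')
# obj["name"] member access, rewritten to obj.name so dotted indicators match.
BRACKET_ACCESS_RE = re.compile(r'\["([A-Za-z_$][\w$]*)"\]')

# Assumed indicator tokens: once decoded, these point at a conditional
# redirect or content injection of the kind described in the article.
INDICATORS = ("document.write", "referrer", "location.href", "location.replace",
              "baidu", "unescape", "eval", "iframe")


def decode_escapes(text: str) -> str:
    """Replace every \\xNN / \\uNNNN escape with the character it encodes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def normalize_access(text: str) -> str:
    """Turn obj["name"] into obj.name so decoded code matches dotted indicators."""
    return BRACKET_ACCESS_RE.sub(r'.\1', text)


def analyze_template(source: str) -> dict:
    """Decode a template and report the escape count, indicator hits and decoded text."""
    escape_count = len(ESCAPE_RE.findall(source))
    decoded = normalize_access(decode_escapes(source)).lower()
    hits = [tok for tok in INDICATORS if tok in decoded]
    return {"escape_count": escape_count, "hits": hits, "decoded": decoded}


def scan_file(path: str) -> dict:
    """Run analyze_template over a template file on disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return analyze_template(f.read())


if __name__ == "__main__":
    report = analyze_template(SAMPLE_TEMPLATE)
    print("escaped characters:", report["escape_count"])
    print("indicators:", ", ".join(report["hits"]))
    print(report["decoded"])
```

A clean template produces no escapes and no hits; the constructed sample produces 34 escaped characters and the hits document.write, referrer and baidu, which is exactly the "only redirect when the visitor came from Baidu" pattern. A high escape count on its own is already worth a look, since legitimate template code rarely spells out identifiers in hex; the indicator list is deliberately short and substring-based (so "eval" would also hit "evaluate"), which is acceptable for a triage script whose output a person reviews.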
II. The process of cleaning up the hacked website
1. During the security audit by Sine Security's engineers, the file datas.php found in the site's root directory turned out to be an assert-type xxx.
Since a one-line xxx had been found, a PHP script xxx had to exist as well. We then found a file of encrypted code in the CSS directory; visiting the xxx address confirmed that it really was an xxx virus, pictured here:
This PHP script xxx has far too much power: editing and renaming files, executing malicious SQL statements and viewing the server's system information are all plainly available. An xxx-signature scan over all of the site's program code found n xxx files. No wonder the customer said the site kept getting hacked and tampered with until they were ready to spit blood. The xxx virus scan results are shown:
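The "signature scan over all of the site's program code" described above can be done with a small rule-based scanner. The following is an added example written for this article, not Sine Security's scanner and not part of DedeCMS: it applies a handful of source-level rules to PHP files, such as a dangerous function called with request input (the assert-type datas.php pattern), a variable function call fed from request input, eval over a decoded payload, and the preg_replace /e modifier. The SAMPLE_FILES tree and the rule names are constructed for the example; a real scan should run over every file on the host, since the page notes that one backdoor was hiding in the CSS directory.

```python
import os
import re

# Constructed sample site tree (not the customer's files): path -> PHP source.
SAMPLE_FILES = {
    "index.php": "<?php\nrequire_once dirname(__FILE__) . '/include/common.inc.php';\n",
    # Ordinary request handling that must NOT be flagged.
    "include/helpers.php": "<?php\n$title = htmlspecialchars($_POST['title']);\necho $title;\n",
    # Minimal assert-type one-line backdoor, the kind the page found as datas.php.
    "datas.php": "<?php @assert($_POST['data']); ?>",
    # Function name split into pieces so that a plain grep for 'assert' misses it.
    "css/js.php": "<?php $x = 'as' . 'sert'; $x($_REQUEST['c']); ?>",
}

# Any of PHP's request superglobals.
REQUEST_INPUT = r'\$_(?:POST|GET|REQUEST|COOKIE)\b'

# (rule name, compiled pattern). Rule names are this example's own labels.
RULES = [
    ("exec_with_request_input",
     re.compile(r'\b(?:assert|eval|system|passthru|shell_exec|exec|popen|proc_open|create_function)'
                r'\s*\(\s*[^;]*' + REQUEST_INPUT, re.I)),
    ("variable_function_with_request_input",
     re.compile(r'\$\w+\s*\(\s*' + REQUEST_INPUT)),
    ("eval_of_decoded_payload",
     re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
    ("preg_replace_e_modifier",
     re.compile(r'preg_replace\s*\(\s*[\'"]/[^\'"]*/\w*e\w*[\'"]', re.I)),
]


def scan_source(source: str) -> list:
    """Return the names of every rule that matches this PHP source."""
    return [name for name, rx in RULES if rx.search(source)]


def scan_files(files: dict) -> dict:
    """Scan an in-memory {path: source} map; only flagged paths are returned."""
    findings = {}
    for path, source in files.items():
        hits = scan_source(source)
        if hits:
            findings[path] = hits
    return findings


def scan_directory(root: str, exts=(".php", ".phtml", ".inc")) -> dict:
    """Walk a site root on disk and scan every PHP-like file, wherever it sits (css/, images/, ...)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as f:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = f.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in sorted(scan_files(SAMPLE_FILES).items()):
        print(path, "->", ", ".join(hits))
```

Against the sample tree the scanner flags datas.php and css/js.php and leaves index.php and helpers.php alone. Rules like these catch the common one-line and split-name forms but not every encoding a backdoor can use, so treat a clean scan as one input alongside file-integrity comparison and the web server's access logs rather than as proof the host is clean.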
With so many script xxx backdoors, our security engineers cleaned them all up directly. Because the customer's site runs on its own dedicated server, the server itself also needed detailed security hardening alongside the website. Looking at the site's MySQL database, we found the site had been given the root account (running the site with root administrator privileges means a compromise of the site can lead to the whole server being hacked, adding xxx risk), so we created a normal database account on the customer's server for the site to use. Port security policies were deployed for database port 3306 and for ports 135, 139 and 445 to block all external connections and allow only intranet connections, and the server received detailed security settings and deployment. We then performed a detailed security inspection and comparison of all of the site's files, code, images and database contents: SQL injection testing, XSS cross-site scripting testing, form bypass, file upload vulnerability testing, file inclusion vulnerability detection, injected malicious script (挂马) detection, web backdoor xxx detection (including one-line webshells, full-featured ASPX webshells and script xxx backdoors), sensitive information leakage testing, arbitrary file read, directory traversal, weak password detection and other aspects of a comprehensive security check, followed by bug fixes, so that the customer's hacked-site problem was solved completely. Whereas the customer had previously been tampered with two or three times a day, from the security deployment until today, the 20th, the customer's site has been accessible normally and has not been tampered with.
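The "anti-tampering scheme" mentioned earlier and the "comparison of all of the site's files" described here both rest on the same mechanism: a hashed baseline of the site tree, compared against the current tree so that modified, added and removed files stand out. The following is an added example written for this article, not Sine Security's anti-tampering product: it builds a SHA-256 manifest, compares two manifests, and reports the differences. The BASELINE_FILES and TAMPERED_FILES snapshots are constructed to mirror the incident (home page and template rewritten, a PHP file appearing under css/) and are not the customer's real files.

```python
import hashlib
import json
import os

# Constructed baseline snapshot (not the customer's real files): relative path -> bytes.
BASELINE_FILES = {
    "index.html": b"<html><body>Welcome</body></html>",
    "templets/default/index.htm": b"{dede:global.cfg_webname/}",
    "include/common.inc.php": b"<?php // framework bootstrap ?>",
    "css/style.css": b"body { margin: 0 }",
}

# The same tree after an incident: home page and template rewritten, a PHP file
# appeared under css/, and a stylesheet is gone.
TAMPERED_FILES = {
    "index.html": b"<html><body>Welcome<script>/*injected*/</script></body></html>",
    "templets/default/index.htm": b"{dede:global.cfg_webname/}<script>/*injected*/</script>",
    "include/common.inc.php": b"<?php // framework bootstrap ?>",
    "css/x.php": b"<?php /* unexpected file */ ?>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_files(files: dict) -> dict:
    """Build {path: sha256} from an in-memory {path: bytes} map."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def manifest_from_disk(root: str) -> dict:
    """Hash every file below root into a manifest keyed by '/'-separated relative path."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = sha256_hex(f.read())
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, modified or unchanged."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    unchanged = sorted(p for p in current if p in baseline and current[p] == baseline[p])
    return {"added": added, "removed": removed, "modified": modified, "unchanged": unchanged}


def check_for_tampering(baseline: dict, current: dict) -> bool:
    """True when anything other than unchanged files shows up; this is the alert condition."""
    report = compare_manifests(baseline, current)
    return bool(report["added"] or report["removed"] or report["modified"])


def save_manifest(manifest: dict, path: str) -> None:
    """Write the manifest as JSON; keep it off the web root so an intruder cannot adjust it."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    report = compare_manifests(manifest_from_files(BASELINE_FILES), manifest_from_files(TAMPERED_FILES))
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:9s} {path}")
```

Two practical points for a DedeCMS site follow from the incident. Publishing an article legitimately regenerates index.html and other static pages, so the baseline has to be refreshed as part of the publishing step, otherwise every publish looks like tampering; and the template directory (templets/) must be inside the baseline, because here the persistent change lived in index.htm and simply regenerating the home page reproduced it. Store the manifest outside the web root, and treat an added .php file under css/, images/ or uploads/ as an incident on its own even before the content scan confirms it.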
III. Recommendations for protecting the site against being hacked
1. Regularly patch server system vulnerabilities (Windows 2008/2012, Linux CentOS), upgrade the website system, and avoid third-party API plug-in code as far as possible.
2. If you do not know the program code well, it is recommended to engage a website security company to repair the site's vulnerabilities, carry out code security detection and clear xxx backdoors. Domestically we recommend Sine Security, NSFOCUS (Green Union), Venustech (Venus Chen) and other website security companies that provide in-depth website security services, to keep the site running safely and stably and to prevent injected malicious scripts and other security issues.
3. Do not set back-end user passwords that are too simple; use 10 to 18 characters combining upper- and lower-case letters, digits and symbols.
4. Do not use the default management path (admin, guanli or manage) or a default file name such as admin.asp to access site administration.
5. The server's basic security settings must be done carefully: the port security policy, registry security and security of the underlying system. If the server is not secure, the site cannot be safe either.
How to resolve a home page that keeps being tampered with by xxx and is intercepted by Baidu Security Center with an xxx virus warning: the actual process.