Review and analysis of the Youth in Exile blog intrusion

Source: Internet
Author: User
Tags: ftp login

The blog was intruded the day before yesterday and the home page was defaced.

Over the past two days I have sorted out the traces of the intrusion.

As the saying goes, when you drift through the jianghu, how can you avoid getting cut?

I haven't been high-profile for a long time, and I haven't been hacking sites either.

Who could hold a grudge? Yet my home page got defaced.

I won't dig into that question. Today I mainly want to review the process by which the blog was hacked.

There is nothing to lose face over when a blog gets intruded; calm down, analyze the causes, and then climb back up.

 

00X01 Cause

 

Woken up by a buddy,

 

At the time I was still asleep and had no network at home, so I skipped breakfast and rushed to my classmate's place to check the website. The home page had been replaced outright, with the words highlighted; a high-profile hacker indeed.

If you find that your website has been intruded, don't panic and don't restore the site right away. First take the home page offline, then read the logs and find the intruder's records in them; the logs show how the attacker probed for and sniffed out the website's vulnerabilities. My analysis: he came in through a side station (another site hosted on the same server). What I had not expected at the time was that the server permissions had been set far too loosely, and that is what let the website fall...

00X02 Process Review
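Before the intruder's own account, here is what "read the logs and find the intruder's records" looks like in practice. This is an added example, not code from the original post or from the intruder: a POSIX shell script that runs two checks over a combined-format web access log, a directory-scanner burst (many 404s from one address, which a tool like Yu Jian leaves behind) and POST requests to PHP files that are not normal WordPress entry points (which is how a dropped one-liner shell is driven). The log lines, addresses and paths in it are constructed for the demo; the unzip.php and ck.php names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a first pass over an
# access log in the common "combined" format, looking for the two traces
# this kind of intrusion leaves behind. The log lines below are
# constructed for the demo; the IPs and paths are made up.

# Write a constructed combined-format access log to a temp file and
# print its path. 203.0.113.7 plays the attacker: a directory-scanner
# burst of 404s, a look at a decompression page, then a POST to a
# one-liner shell dropped under wp-content/uploads. 198.51.100.4 is an
# ordinary WordPress user logging in and using the admin UI.
make_demo_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.7 - - [10/May/2012:08:01:01 +0800] "GET /admin/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2012:08:01:01 +0800] "GET /backup/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2012:08:01:02 +0800] "GET /data/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2012:08:01:02 +0800] "GET /upload/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2012:08:01:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2012:08:01:03 +0800] "GET /test.php HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2012:08:01:05 +0800] "GET /unzip.php HTTP/1.1" 200 1844 "-" "Mozilla/4.0"
198.51.100.4 - - [10/May/2012:08:02:10 +0800] "GET / HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2012:08:02:31 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2012:08:02:40 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:08:03:12 +0800] "POST /wp-content/uploads/ck.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
EOF
    printf '%s\n' "$log"
}

# IPs with at least $2 responses of 404 in log $1: a directory scanner
# produces hundreds of these in a few seconds from one address.
# Field layout of the combined format: $1 ip, $6 "METHOD, $7 path, $9 status.
scanner_ips() {
    awk -v thr="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip }' "$1" | sort
}

# POST requests to .php files other than the normal WordPress entry
# points in log $1, printed as "ip path". A dropped one-liner shell is
# driven almost entirely by POST, so anything listed here deserves a look.
php_posts() {
    awk '$6 == "\"POST" && $7 ~ /\.php/ &&
         $7 !~ /^\/(wp-login\.php|wp-cron\.php|xmlrpc\.php|wp-admin\/)/ { print $1, $7 }' "$1"
}

LOG=$(make_demo_log)
echo "Directory-scanner candidates (5 or more 404s):"
scanner_ips "$LOG" 5
echo "POSTs to PHP files outside the known WordPress entry points:"
php_posts "$LOG"
rm -f "$LOG"
```

The 404 threshold and the allow-list of WordPress entry points are the knobs to tune per site; a plugin that legitimately receives POSTs has to be added to the pattern. One caveat matters for exactly this incident: a webshell on a neighbouring site on the same server never touches this site's access log, so an empty result here does not clear the host. The copy and cat steps in the account below leave traces only in the other account's logs and in file modification times on this one.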

 

He got in touch with the intruder and sent me the intrusion process.

With his permission, I have cleaned out some sensitive information and am posting it.

Let's begin.

Note: the pink text is the intruder's original account, and the dark red is the blogger's commentary.

Had a look at the main site and used a password obtained by social engineering to log in to the Youth in Exile backend. It's a WordPress install and I had no 0day in hand, so I simply looked at the side stations (other sites hosted on the same server):

Scanned the directories with Yu Jian; most of the side stations were WordPress as well. The scan results showed a page like this: from here the intruder has obtained basic server information and the site's directory layout, /*****/domains/lzdell.com/public_html/. Shortly afterwards the scan found the site's file-decompression page: the hacker tried uploading a script zip; the upload was reported successful, but there was no permission to access it.

 

The scan turned up what looked very much like a one-liner shell (一句话木马),

 

 

Connected with China Chopper (中国菜刀) without hesitation:

Entered sb as the password. Judging from the Chopper's response, it was not a one-liner shell.

 

Scanned the site again and found something new

 

 

Going by experience,

 

 

got a shell directly through the V2.1 vulnerability.

 

 

Run the following command in the shell:

cd /www.2cto.com/xxxco/domains/xxx.com/public_html; ls -la

 

This lists the side station's directory.

Now see whether a one-liner shell can be copied into the target site:

Execute in the shell:

cp -f /***/cncc/domains/***/public_html/ck.php /home/***/domains/***/public_html; ls -la

 

 

It seems to have failed. Verify as follows:

Run:

cd /***/lzdellco/domains/***/public_html; ls -la

No new .php file appeared, so the copy failed.

Next, see whether the site's files can be read:

Run:

cd /***/xxxco/domains/xxx.com/public_html/data; cat config.php

 

The rest is to guess the target site's path, list its directory, find the configuration file and read its contents, or find the database path, download it and crack the passwords. I remembered a log file that records FTP login information, copied it, saved it to a local txt file, opened it and searched for gov:

Logging in to FTP with the password obtained earlier failed.

Then the path was known, haha. List it directly:
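Every one of the cp and cat steps above worked only because the accounts on that server could read and traverse each other's public_html trees: the "server permissions set too high" that the post names as the root cause. As an added example, not from the original post or from the intruder, here is a POSIX shell audit that finds every file or directory an account leaves readable or writable by all other local users, and the chmod that closes it. The /home/<account>/domains/<site>/public_html layout mirrors the paths in the account above; the account names acct_a and acct_b, the file contents and the temporary tree are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shared-hosting tree
# for the weakness the intruder used, one account's files being readable
# and its directories traversable by every other account on the box, and
# show the permission fix. The /home/<account>/domains/<site>/public_html
# layout and the account names acct_a / acct_b are assumed for the demo.

# Every path under $1 whose "other" bits grant read (004) or write (002),
# shown with ls -ld so the offending mode is visible.
find_exposed() {
    find "$1" -mindepth 1 \( -perm -004 -o -perm -002 \) -exec ls -ld {} \;
}

# Number of such paths under $1.
count_exposed() {
    find "$1" -mindepth 1 \( -perm -004 -o -perm -002 \) | wc -l | tr -d ' '
}

# Strip the "other" bits from one account's tree (dirs 755 -> 750,
# files 644 -> 640). The web server must then reach the files through
# the group, or better through a PHP-FPM pool / suEXEC running as that
# account, instead of through world-readable modes.
harden_account() {
    chmod -R o-rwx "$1"
}

# Build a constructed two-account tree with the usual loose defaults
# (755 directories, 644 files) and print its base path.
make_demo_tree() {
    base=$(mktemp -d)
    for acct in acct_a acct_b; do
        site="$base/home/$acct/domains/$acct.example/public_html"
        mkdir -p "$site/data"
        printf '<?php $db_pass = "secret-%s";\n' "$acct" > "$site/data/config.php"
        printf '<?php echo "home";\n' > "$site/index.php"
    done
    chmod -R 755 "$base/home"
    find "$base/home" -type f -exec chmod 644 {} \;
    printf '%s\n' "$base"
}

BASE=$(make_demo_tree)
echo "acct_a paths any other account can read or write:"
find_exposed "$BASE/home/acct_a"
harden_account "$BASE/home/acct_a"
echo "acct_a after hardening: $(count_exposed "$BASE/home/acct_a") exposed paths"
echo "acct_b untouched: $(count_exposed "$BASE/home/acct_b") exposed paths"
rm -rf "$BASE"
```

Run find_exposed against each account root on a real host, as root or as the account itself. The caveat is the web server: if a single shared Apache or PHP process serves every account, o-rwx breaks the sites and group access has to be arranged; the durable fix is per-account execution (PHP-FPM pools or suEXEC/suPHP running as the account owner) together with 750/640 modes, so that a webshell on a neighbour runs as a user that owns nothing of yours. FTP logs and database dumps deserve the same treatment, since the account above was finished off with credentials read from an FTP log.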

 

 

 

00X03 Afterword

When my blog was hacked, I wasn't angry; I was worried about whether the site's data and articles were still there.

I write this blog to share and exchange technical knowledge with everyone; there's no profit in it.

I was relieved to see that only the home page had been changed and the data was intact.

In fact, I should thank CK for the probing, which revealed a security problem with my site. If someone less friendly had planted malware on it, I'd be heartbroken ~

Finally, thank you all for your support, and colleagues interested in probing this blog are welcome; I only hope everyone can keep this a good learning environment.
