Recently, during the World Cup, we at Sinesafe received many reports from small and medium-sized enterprises whose websites had been compromised and tampered with, with the tampered content showing up in the search-engine snapshot of the site: opening the site displayed xxx pages, and in the search results Baidu showed the warning "Baidu Website Security Center reminds you: this page may have been illegally tampered with!". Most of these customers' problems were recurring: manually cleaning out the injected code only solved the immediate problem, and a few days later the content was tampered with again, most often the code at the top of the home page.
1. Analysis of the site snapshot hijacking problem and the handling process
Below is our analysis of the customer's website. The customer runs a Linux server of their own, and the site uses the Discuz forum program plus UCHome (a PHP + MySQL architecture). Because the site has a very high Baidu weight (6), Baidu indexes its pages within seconds and its keyword rankings are very high. The site had been tampered with to redirect to xxx, and xxx content had been indexed into its snapshots; this problem had plagued the customer for a full three years, with the redirect being re-inserted after every cleanup. The tampering was also very covert: mobile users arriving from a Baidu search were redirected straight to the xxx site, while typing the URL directly did not trigger the redirect. From our years of experience in website security maintenance, the attacker deliberately added a browser check so that the redirect only fires for those visitors and the site's administrator cannot notice it. Through a comprehensive security check and code security audit by our Sinesafe security audit department, we found an arbitrary file upload vulnerability in the customer site's code: the file-name suffix check could be bypassed, allowing a web script xxx to be uploaded and used to tamper with the website's content for xxx purposes. The code of the xxx file uploaded to the website is as follows:
As can be seen from this upload code, it does not check the format of the file the user uploads: any VIP user who can open this page can upload files, and because the upload format is not checked in detail, executable PHP scripts can be uploaded. Strictly speaking, this allows a PHP script xxx, also called a webshell, to be uploaded. In plain terms, a webshell is a script that gives control over all of a site's content: it can read, write, upload and tamper with code. From the backdoor files uploaded to the site we found that it had been compromised before 2017. The attack method was to upload a PHP script xxx through the arbitrary upload vulnerability, open and execute it with the privileges of the website, then escalate privileges on the Linux server and implant a system-level backdoor deep in the system to stay hidden, so that no abnormality is visible to the naked eye. When the attacker needs to connect to the server, the kernel-level Linux backdoor starts and makes a TCP connection to the attacker's IP; the attacker can thereby bypass root authorization and remotely modify any information on the server.
In our in-depth security check of the server we also found an Apache vulnerability allowing arbitrary viewing of website directory files: a second-level directory on the site allowed its file listing to be viewed at will, including sensitive back-end (admin) directory files and other related sensitive files.
We located the website's backdoor xxx; the path of the xxx code on the site is:
/ucenter/data/cache/app_bads1.php
A MySQL connection xxx, for example:
Through this xxx backdoor the attacker can tamper with the website's database.
ucenter/data/avatar/000/61/78/z.php
z.php calls the xxx backdoor through its Cdaiao function.
ucenter/data/tmp/upload71494.php
The hijacked Baidu snapshot of xxx: when the page is opened by IP address, the code always contains lottery ("always-color") and xxx content. Looking at what the site had indexed earlier, the indexed content is also lottery-related:
The site had a large number of gambling pages indexed, causing a rapid decline in its weight and a very large impact on the customer.
2. Vulnerability fixes and prevention for the site snapshot hijacking problem
During the site's security check we found two very important website vulnerabilities, which Sinesafe's security technicians repaired and hardened. The specific repair method: we reviewed all the code and examined the site's upload function, and found that it had been written without strict filtering and checking of the uploaded file format. We fixed the code to filter out PHP files on upload, or rather to use a whitelist mechanism that allows only txt, jpg, mp3, rar and a few other formats. In the upload directory nd_data we deployed site anti-tamper protection that prohibits uploading PHP script files and only allows txt.
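The whitelist logic described above, written out as an added example in Python rather than the site's own PHP (this is not Discuz/UCHome code or Sinesafe's actual fix): the bypassable suffix blacklist the audit describes is shown beside a whitelist check that also verifies the leading bytes and assigns a server-chosen file name. The `MAGIC` signatures and the function names are this example's own assumptions.

```python
import os
import re
import secrets

ALLOWED = {"txt", "jpg", "mp3", "rar"}            # whitelist named in the fix above
MAGIC = {                                           # leading bytes each type must have
    "jpg": (b"\xff\xd8\xff",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "rar": (b"Rar!\x1a\x07",),
}


def vulnerable_check(filename):
    """Blacklist check of the kind the audit found bypassable: it only looks for
    a literal .php suffix, so other server-side extensions or a name such as
    name.php.jpg (executed by some Apache handler setups) slip through."""
    return not filename.lower().endswith(".php")


def safe_upload_name(filename, head):
    """Whitelist check. Returns (True, random_stored_name) or (False, reason).
    head is the first bytes of the uploaded content."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    # Exactly one extension, plain characters only: rejects a.php.jpg and
    # a.php%00.jpg style names and dotfiles such as .htaccess that could
    # re-enable script execution inside the upload directory.
    if "\x00" in base or not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        return False, "rejected: bad characters or multiple extensions"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"rejected: .{ext} is not in the whitelist"
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return False, f"rejected: content does not look like a {ext} file"
    if ext == "txt" and b"<?" in head:
        return False, "rejected: script tag inside a text upload"
    # The client never chooses the stored name, so a crafted name cannot help it.
    return True, f"{secrets.token_hex(8)}.{ext}"
```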
Fix for the Apache arbitrary directory listing vulnerability:
During the earlier security check we found a second-level directory on the site whose file listing could be viewed at will, including sensitive admin directory files and other related sensitive files.
Website fix: write the following into the .htaccess file.
<Files *>
Options -Indexes
</Files>
1. Check the server logs periodically for suspicious access to non-public (back-end) pages.
2. Regularly check whether website files have been modified or added abnormally.
3. Follow the security announcements of the operating system and of the program's official website. If a security update patch is released, deploy it immediately; do not use official versions that are no longer actively maintained; if conditions permit, update directly to the latest version and follow the security configuration guidelines published by the site-building program.
4. System vulnerabilities may originate from third-party applications; if the site uses such applications, evaluate their security carefully.
5. Change the default file names of key files in open-source programs; attackers usually determine which program a site uses by automatically scanning for the existence of certain files.
6. Change the default administrator user name and increase the password strength of the management back end, using combinations of letters, numbers and special symbols, and strictly control the access rights of users at different levels.
7. Choose a hosting provider with strong protection capabilities.
8. Close unnecessary services and ports.
9. Close or restrict unnecessary upload functions.
10. Set up firewalls and other security measures.
11. If the problem recurs, reinstall the server operating system and re-upload the backed-up website files.
12. Websites without professional maintenance staff are advised to consult a professional security company; domestically we recommend Sinesafe, Green Union (NSFOCUS) and other professionals.
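Points 1 and 2 above (checking for abnormal file changes) can be partly automated. The script below is an added example, not Sinesafe's tooling: it walks the data directories of a Discuz/UCenter web root, where the backdoors in this case were found, and flags any script file or any non-script file carrying PHP code. The `data/attachment` entry, the suspicious-pattern list and the sample tree contents are this example's assumptions; the three backdoor paths are the ones named in the article.

```python
import os
import re
import tempfile

# Directories that should hold only data, never scripts (paths from the article
# plus the Discuz attachment dir, which is an assumption about this layout).
DATA_DIRS = ("ucenter/data/cache", "ucenter/data/avatar",
             "ucenter/data/tmp", "data/attachment")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode|gzinflate|assert\s*\(|"
                        rb"system\s*\(|passthru|shell_exec|\$_(GET|POST|REQUEST)\[", re.I)


def audit_webroot(root):
    """Walk the data directories under root; return sorted (relpath, reason) pairs."""
    findings = []
    for rel_dir in DATA_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel_dir)):
            for name in files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                if SCRIPT_EXT.search(name):
                    findings.append((rel, "script file in data directory"))
                    continue
                if name == ".htaccess":
                    findings.append((rel, ".htaccess in data directory (review)"))
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(65536)        # first 64 KiB is enough to spot stubs
                if b"<?" in head and SUSPICIOUS.search(head):
                    findings.append((rel, "PHP code hidden in non-script file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root mirroring the backdoor paths named in the article."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sample = {
        "ucenter/data/cache/app_bads1.php": b"<?php /* constructed stand-in */ ?>",
        "ucenter/data/avatar/000/61/78/z.php": b"<?php /* constructed stand-in */ ?>",
        "ucenter/data/tmp/upload71494.php": b"<?php /* constructed stand-in */ ?>",
        "ucenter/data/avatar/000/61/78/61_avatar.jpg": b"\xff\xd8\xff\xe0 harmless",
        "ucenter/data/tmp/notes.txt": b"<?php eval(base64_decode('...')); ?>",
        "data/attachment/readme.txt": b"plain text, nothing to flag",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_tree()):
        print(f"{reason:40} {rel}")
```

Run it from cron against the real web root and diff the output against the previous run; a new entry is the "abnormal modification or addition" point 2 asks you to look for.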
Solution for a site that was compromised, causing its Baidu snapshot to be hijacked and redirected to xxx pages