The experience of a Web site being hacked

I have heard that XXX website has been hacked, but I did not encounter, August 1, the day I visited the site suddenly appeared the following interface: 650) this.width=650; "Src=" http://s3.51cto.com/wyfs02/M00/ 45/be/wkiom1pqxjdigcdmaae4d0hr-fy841.jpg "Title=" was hacked after the site. png "alt=" wkiom1pqxjdigcdmaae4d0hr-fy841.jpg "/> My God, this problem, the site was attacked by hackers, hurriedly login to the server, fortunately, the server password has not been changed, log in, looked at the site of the file modification date, problems arose, the root of the site below how to come out a few inexplicable files,

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/45/BF/wKioL1PqyNOA2G_FAACRZHwsvRk844.jpg "title=" A program that has been hacked. png "alt=" wkiol1pqynoa2g_faacrzhwsvrk844.jpg "/>

and is a few executable files, look at the date of the file, exactly August 1, and there is an HTML file inside the source code, and the above page of the code, it is determined that this must be a hacker to make a ghost, strange, he is how to enter, see if you also create a hidden account, Sure enough, more than a baffling user, with net user GTE (this user is the hacker created account) to view the properties of this account, was created August 1, the problem was found, the next in the Event Viewer to read the next log, re-find all the changes in the August 1 file, The hidden files are deleted, the account is also deleted, and then enabled on the machine IPSec policy, only allow the specified machine login server, the server password complexity strengthened, this encounter let me on security issues and have a very high vigilance, clear these files and account information, Restart the server, the Web site access is OK.

This article is from the "3146020" blog, please be sure to keep this source http://3146020.blog.51cto.com/3136020/1539254