What to do if the website is attacked

Source: Internet
Author: User
Tags hosting vps wordpress version

With the development of Internet, more and more people begin to realize the superiority of network propaganda. Large and small sites abound. However, with the increase in the number of sites, the problem has increased greatly. Competition between peers is also reflected in the network. Some criminals also gradually shifted their positions to the network for profit. Peers often hire hackers to suppress opponents attacking each other's website, and even some people deliberately attack someone else's website for protection fees. Attack you without giving money, and make your website paralyzed. For these kinds of things, the main site is often to seek help without a door anxious, forced to compromise.

Webmaster in the station to do the project should encounter similar problems, although we diligently to do their own station, but suddenly one day will find our site suddenly was black, this time as long as we open their site when the picture in front of us will often let us collapse unceasingly, At this time, the hearts of the webmaster is definitely hate tooth itch, but there is no way we do not provoke others, others do not necessarily do not provoke us, although the heart is very uncomfortable, but the problem also needs to be solved.

  site attacks are generally divided into 3 categories, namely ARP spoofing attacks, CC attacks, DDoS traffic attacks .

  First, say ARP spoofing attack

If an ARP spoofing attack is to be initiated, the first thing to do is to control the Web site for the same computer room, the same IP segment, and the same VLAN, using the intrusion server method. After taking control, use the program to disguise the controlled machine for the gateway to spoof the target server. Such attacks typically sneak into the Web page or intercept some user names and passwords. It is easier to deal with this kind of attack, directly inform the computer room to handle the corresponding controlled machine.

  Second, CC attacks

Relatively speaking, this attack is more harmful. The host space has one parameter for IIS connections, and the Web site has a service unavailable when the visited web site exceeds the number of IIS connections. An attacker would be to use a controlled machine to continually send access requests to the attacked website, forcing IIS connections to exceed the limit, and when CPU resources or bandwidth resources are exhausted, the site is destroyed. For hundreds of trillion of attacks, the firewall is quite laborious, and sometimes even caused the firewall to run out of CPU resources, resulting in a firewall panic. More than hundred trillion, operators will generally be in the upper route to seal the attack IP.

For CC attacks, the general lease has anti-CC attack software space, VPS or server can be, or rent octopus host, this machine for CC attacks better defense.

  Third, traffic attack

is a DDoS attack, which is the most harmful of these attacks. The principle is to send a large number of packets to the target server, occupying its bandwidth. For traffic attacks, simply adding a firewall is useless and must have enough bandwidth and firewalls to work together to protect against it. If you want to defend against a 10G traffic attack, you must use approximately 20G of hardware firewall plus nearly 20G of bandwidth resources. If the cost of a hard-to-prevent machine is quite high, the 10G hard defense will be tens of thousands of yuan one months. However, if you use cluster protection (Octopus host), then the cost will be much lower.

  The website has been attacked, how should we solve it?

  First look at the server for the Web site

When we find that the site is attacked not excessive panic, first look at the Web server is not hacked, find out the black chain of the site, and then do the site's security defense, the specific operation is divided into three steps

1, turn on the IP-forbidden Ping, can prevent being scanned.

2. Close the ports that you do not need.

3. Open the firewall of the website.

These are only anti-simple attacks, if you feel too troublesome that can search (red Shield free against attack), when attacked, look for the above technician, there is free to help you fight the attack service.

  Why the website is hacked

Website Hanging Horse is the most headache of each stationmaster problem, the individual thinks the website is black The reason generally divides into two kinds of

First, the security of the server space quotient has been implicated in two, = species is the security of the website program itself security loopholes were hacked to be hanged. If you have the conditions, you can find a professional to do a safe visit. Company words can go to sine security See listen to friends say good. In general, there is a vulnerability in the Web site program or the server has been vulnerable to attack.


1. In the program it is easy to find the code of the horse, directly delete, or you do not pass the server's source program coverage once but repeatedly hung to be in depth to solve the problem. But this is not the best solution. The best way is to find a professional programmer to solve is the most direct.

Clear Horse + fix vulnerability = completely solve the so-called hanging horse, is heike through various means, including SQL injection, Web site sensitive file scanning, server vulnerability, website program 0day, and other methods to obtain the webmaster account, and then log back to the site, through the database backup/restore or upload a vulnerability to get a webshell. Use the obtained Webshell to modify the content of the Site page and add a malicious steering code to the page. You can also directly through the weak password to obtain the server or Web site FTP, and then directly to the site page directly modified. When you visit a page that has been added to malicious code, you will automatically be directed to the address being turned to or download the Trojan virus.

The above can be used Netstat-an cmd command can see countless TCP links, IP are not the same, because my CPU is single-core, not anti-defense, is really thin, can't fight, I directly on the IIS to unbind the attack domain name, make the resource permanent jump to another domain name, But did not persist for how long, was the other side saw through, the new jump domain name is still attacked!

Web server also installed a server security dog, the site IIS security dog, occasionally can resist, before is the default settings, and then asked a master, before also has been defensive level not set, should be such settings, set after the obvious below the CC attack withstand more,

After the setting is the prompt click in to access, although not conducive to SEO, but always better than not open, can defend the attack of the machine!

Another is that we can try a variety of cloud accelerated domain name resolution, there are certain effects, I have also looked for, Baidu cloud acceleration, the domain Name resolution server address modification bit Baidu on the line, I defended a period of time, the effect is very good, do not know how to go, the next day may be increased attack, or CPU 100%, In addition, a lot of acceleration servers need to record, before I this site did not record, suddenly change space and so on are limited!

Later the website has been in intermittent state, until my record down, changed a friend's server, 8-core, the attack is crazy, the CPU is about 50%, attacks for a few days, the back seems to have no context, here there is a temporary session for me, a very funny dialogue, not for everyone announced!

Built station one months ago, 2 consecutive hacking attacks, but because of the new version of the WordPress program, password strength, security settings, high permissions, so despite the 2 attacks, but the hacker has not succeeded. Attached below is a September 29, 2014 Hacker attack:

  SEO Academy-Hacker attack

As can be seen, the hacker first in the SEO Academy, registered a user name, and then landed into the station, and finally try to post in the message, the use of code to try to break through the site management rights, and then a total of 42 attempts, have not succeeded. Through this hacker attack behavior, as the small and medium stationmaster of us, should how to respond, the following is my summary of the prevention of hacker attacks 8 measures:

  1. Make sure your anti-virus software is up-to-date

It is very important to ensure that your antivirus software is using the latest virus definition files. If you use the Windows system and have not installed anti-virus software, you can use the free version of Avast and AVG and antivirus software, these two anti-virus software are all familiar. Download all updates after installation, followed by the steps below.

  2. Save the attack page to your computer

If you choose to report a hacker, it is necessary to back up the attacked page. In addition, if you decide to write an article to inform others, you can get back after the backup as well as text examples. Save page I believe everyone will, the browser menu bar file-page Save as ... Save the page on your computer (it is not recommended to save on the C drive). When saving the page, save the Type option remember to select "page, all" and then click Save.

  3, download the latest version of WordPress

The current latest version is WordPress4.0. WordPress takes care of security and convenience, but must remember to update the latest version in time to eliminate potential hidden vulnerabilities.

  4. Clean up all affected folders and files on the server

With the latest version of WordPress, you can delete all unnecessary files on the server. Don't worry, your database has all of your data, including your blog posts, pages, categories, tags, and more. If unfortunately your database is also under attack, then I hope you always have a backup. Here are the folders and files that you should not delete:

Do not delete the original folder (such as., stats)

Do not delete ' wp-content ' folder (subject content, sometimes plugin content)

Do not delete. htaccess files (fixed link structure, permissions, passwords, etc.)

Do not delete the Favicon.ico file (custom icon to the left of the URL address)

Do not delete google...html files (Google Webmaster tools validation)

Do not delete the wp-config.php file

  5, after uploading the latest version of WordPress, you can safely delete the following files:

Delete/wp-admin/install.php files (no longer required)

Remove/readme.html (prevents users from seeing the WordPress version)

  6, participate in Baidu Webmaster platform, regularly detect web site security loopholes, found loopholes, timely repair

Finally to remind you novice webmaster, must be in the construction station, it is necessary to choose a relatively high security, easy to use relatively high construction station program, and then choose a high security, regular word-of-mouth operation of the host provider, and then start to build station is not too late, the site security is the first, loss of security, you pay all efforts, In the end it could be naught.

What to do if the website is attacked by CC

Now the network competition is more and more intense, in the equal competition at the same time also has some spurned competition way. Now the general grassroots webmaster also do Baidu optimization, I am also a member. Hair outside the chain ah, promotion Ah, finally did Baidu home. Well, to do Baidu home, thought cool, to flow, also not wasted so hard ah ... Hehe, but the sad things come, peer jealous competition, unexpectedly give you a CC attack, the direct CPU occupies 100%, the site is paralyzed, the most pit father is his three or four o'clock at night to attack you, and so you get up in the morning to find that the site can not open. To find a solution. However, the user experience is poor, the rankings may also fall. I just fell from sixth to 10th.

See the site CPU occupied 100%, I thought it was going on, from the start of the VPS, or the same. Website can't open Ah, nasty dead. Find VPS, ask me to download the security dog, download the security dog after a look, ah. CC attack AH. Then hang the security dog, thought can prevent, which thought also to prevent a while, immediately on the CPU and 100%. Then went to find a lot of VPS technology. Buy more VPS, know more about the technology. The pit daddy is to give you more, CC attack basically can't resist. I collapsed.

Later a technology told me that the process of death cycle will also occur this situation, but the program has been good, with dedecms, no modification how can be wrong. I do not want so much, directly the program files are deleted, leaving only the generated HTML file. Yes, CPU usage has dropped. Oh, is the procedural reason. Then I repeatedly installed several times the program, are new downloads, each time an analytic domain name in the past, immediately CPU occupied 100%, how is it not a procedural problem. This time again tangled.

Later, I looked at the log file. It's so big on the log file. The volume is small and the file is so large. Open a look. Exclusively of the same browsing record, estimated the next, about thousands of times per minute. VPS where to bear ah. Later I thought, the attack of the file deleted, will not be effective. Sure enough, the file was deleted after the CPU consumption fell, hehe happy ah. Finally solved. Resolved after looking at the log file, still attacking ah, log file size with the naked eye can be seen in the increase. But the CPU is down and the website can access it.

But if he changed the attack file My site will be paralyzed, no way I am now in a stalemate, he attacked any document I modify what files. If anyone can have other ways to teach me. Thank you! Here I'm going to complain about the despicable people who attack people's websites. Also, people who want to see my article can benefit, at least as much as I can solve it.

What is a cc attack how to prevent websites from being attacked by CC

The CC attack (Challenge Collapsar) is a DDoS (distributed denial of service) and is a common site attack method, the attacker through the proxy server or broiler to the victim host constantly send a large number of packets, causing the other server resources exhausted, until the crash.

The level of attack technology is low, and with tools and some IP proxies, a user at the beginning and intermediate levels of the computer can execute the attack. However, if you understand the principle of CC attacks, it is not difficult to implement some effective precautions against CC attacks.

There are usually several ways to prevent CC attacks, one is through the firewall, and some network companies also provide some firewall services, such as XX website defender and xx Bao, there is a way to write program prevention, yesterday, the site encountered CC attack, which also let me try to prevent the effectiveness of the CC attack method.

At first I want to use a certain site defender to prevent attacks, from the interface, it seems to prevent a large number of CC attacks, but log on the site found that traffic is still abnormal, attack or still, it seems that the site defender's effect did not reach.

In principle, basically all firewalls will detect the number of concurrent TCP/IP connections, and a certain number of frequencies will be considered connection-flood. However, if the number of IPs is large enough to make the number of connections to a single IP less, then firewalls may not be able to prevent CC attacks.

In fact, through the analysis of the site log, it is easy to tell which IP is the CC attack, because the CC attack is after all through the program to crawl the Web page, and the characteristics of ordinary visitors are still very large, such as ordinary visitors to a Web page, will be continuously crawl Web pages of HTML files, CSS files, JS files and pictures, and a series of related files, and CC attackers only crawl a URL address of the file, do not crawl other types of files, the user agent is also the majority of users and ordinary viewers, which can easily distinguish on the server which visitors are cc attacks, Since you can determine the attacker's IP, then the precautionary measures are very simple, only need to block these IP in batches, you can achieve the purpose of preventing CC attacks.

Finally, I spent half an hour to write a small program, after running automatically block hundreds of IP, the site is normal, thus proving that the firewall for the protection of the CC attack is not effective, the most effective method is in the server side through the program automatic shielding to prevent.

It seems that the threshold of CC attack is really low ah, make a hundreds of agent or broiler can attack others, its cost is very low, but the effect is obvious, if the attacker's traffic is huge, through the way of consuming bandwidth resources can be attacked. However, the CC attack also has a clear technical flaw, that is, the attacker's IP is not massive, usually hundreds of thousands of level, and is the real access to the Site page, which makes the site can be filtered through the process of easy access to these attackers IP, batch masking, then this cc attack will be prevented.

With the development of network information, more and more people do the website now. Some people do the site is to learn, some people do the site is for money and so on, regardless of why it is, the site is more and more. More and more people are more and more naturally doing bad things. When your website is formed, you may be attacked from time to time, serious to a certain extent, will cause the website can not open, even the server is paralyzed.

That causes the website to be attacked to cannot open the reason to have a few? How should we troubleshoot? Now the audience of the small series to everyone to popularize:

  First: DDoS attacks

The first step is to determine whether the site of the server is a DDoS attack, that we can not now clear whether there are people in the same industry to engage in abnormal competition, to hire people to the brother of the server DDoS attacks. There are many types of DDoS attacks, and the most basic Dos attack is to use a reasonable service request to consume too much service capital so that the server cannot dispose of the instructions of legitimate users. I called the IDC provider, who served as a hosting service, to get their skills checked for DDoS attacks. We'll look back and say no, but we found the brother. The bandwidth of the website runs very high.

  2. Website space

The second step is to see if there is a problem with the server's web space or bandwidth, but there is no problem with the results viewed by the service provider. We also know that the problem is not a server, because we can open the same server is another site. However, the bandwidth of the brother's website ran unusually high, despite the high number of visits these days, but this phenomenon is also very abnormal. To this end, the service provider has now a few back to the brother's website to increase the bandwidth, but the problem still exists. The clouds of doubt are on our minds.

  3. Website domain name

The third step is to see if it is a domain name issue. Query the next, the domain name resolution is normal, also did not expire, domain name no problem. However, when the use of the IDC supplier of 3-level domain name, the website can open the normal access. We are caught in the confusion, and finally know that we have a website domain name of the damage of the attack, but what is the attack, and now also cannot be analyzed. But this time to replace the domain name is not able to, brand advertising has been out, the promotion of the site is chosen by this website. This time to replace, once the walk of everything will be choke.

  4. Website program

The fourth step we look at the site of the program is not presented a problem, was caught in the gap to attack. I tried to fix the code, and I finally found out that the database is a bit out of the ordinary. After the database has been stopped, the website can actually be opened smoothly. We have a burst of joy, but the database can not be stopped, to stop the write operation of the database, the member registration and the suspension of the merchandise order. The resulting loss is also impossible to complement. Continue to troubleshoot, and finally think of a can, is not someone using the most vulnerable slot database attack, frequently in the purchase order and then cancel the order operation. caused the website traffic is too large, the website cannot open.

What to do if the website is hacked

  Your user site has been hacked for several reasons:

  1. There is a problem with your customer's website code, there is a security vulnerability caused .

If most of the users on your server's website are normal, only a small number of user sites are hacked, that

Is it possible that you have a small number of user sites hacked site code has a problem, there are security vulnerabilities made

The. There is no way to solve this problem and it is not your responsibility.

Analysis Description:

1). Everyone knows that "virtual hosting provider" for each of their own virtual host users

Are assigned the FSO file operation permissions that they have through your assigned legal permissions that can be

Any files that are changed and uploaded. If your users do not protect your

Assigned to their legal authority, so that hackers can take advantage of, then, hackers will be able to use

You provide your users with legal rights to destroy the site, but your users

It's not himself that caused this hacking, it's you, and you listen to you.

User's words, mistakenly think that their system has problems caused, but, in fact, the problem

Is the result of your users themselves.

For example, your users use a number of unsafe programs (such as the "Hole Network Forum"), which

Code design of the program itself is a loophole, it is easy to be exploited by hackers to upload web pages

Trojan, hackers can manipulate the Web Trojan, using the legal rights you assign to users

Files that damage your users ' data and Web pages, or even cause the site to completely

Not open. These techniques are the most common "customer's website code has a problem, exists

Security vulnerabilities. "

2). When your customer's website is hacked, you don't have to follow him anxious, first of all

will not affect the normal operation of your server and will not affect your

Other sites on the entire server are normal customers, because you only have to install the off-Star

The server of the virtual host management platform] will be protected by the security

The rights of each virtual host user opened with [off-star Virtual host management platform]

Limits are independent and strictly limited, and each virtual host user cannot

Use another virtual host user's files, even if the hacker invaded one of the dummy

Host, and there is no way to destroy other virtual hosts. So, you can be completely assured

Your own server is secure.

3). When your user site is hacked, you only have to tell your users truthfully that it is his own

There is a problem with your website code, you have no way to solve for him. Because it's not

You're not going to be able to help him redesign the code for security issues,

For you are not their programmers and are not obligated to do such a thing to make your customers self

Modify the Web page code to do the security settings.

4). If your customer has backed up the site yourself, you can suggest that he re-

Code, and then re-upload, you can restore access to the site.

--------------------------------------------------------------------------------------------------------------- --

  2. Is caused by intrusion of your server .

When all user sites on your server have been added the virus code, and this virus generation

"Can be found" in the original file on the server, indicating that your server is compromised

Caused by.

Cause: Your server was compromised, stating that the security settings on your server did not follow the [star

"Security Video Tutorial" is required to set up an external virtual host management platform.

The original files on your server have been rewritten by hackers, resulting in all of your user networks

Station was invaded.


We recommend that you re-install the system and that you need to follow the "on-Star virtual host management platform"

Full video tutorial "Requirements to set the security of your server to be reset in order to Beecher

The bottom of your server to resolve the security vulnerabilities, completely clear the backdoor left by the hacker.

  3. is caused by ARP virus in the room where your server is located .

When all user sites on your server have been added the virus code, and this virus generation

"cannot be found" in the original file on the server, indicating that your server is in the same room

caused by an ARP virus.

Transferred from: http://www.seoxuetang.com/fenxiang/10004568_pall.html

What to do if the website is attacked

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.