Analysis and summary of the causes of domain name hijacking and its solutions

Absrtact: We all know that on the Internet security problems are always there, more common there are DDoS attacks, domain name hijacking, Trojan control host, web tampering, phishing, etc., which the domain name hijacking on the site caused by the impact and harm is the largest.

We all know that on the Internet security problems are always there, the more common DDoS attacks, domain name hijacking, Trojan control host, web tampering, phishing, and so on, which the domain name hijacking on the site caused by the impact and harm is the largest. Search engine is our daily network information retrieval of an important tool, we only need to input keywords can retrieve the information needed, this information is actually a search engine for a snapshot of the site, and the snapshot itself is actually a security problem, So we will find that some of the site's snapshots above the site title and description is actually different from the site itself. This article I will analyze and summarize some of the reasons for the domain name hijacking and how to deal with.

1, Domain name hijacking

There are a lot of products available in search engine services, commonly used such as Baidu, Google, Sogou, Youdao, and so on, they apply a large number of technical differences, the core technology generally as the company's technical secrets, we are not known, but there is a data snapshot, stored in the search engine server, when users lose the keyword, Search engines retrieve them on the snapshot server by search, and the results are sorted by the time or other indexes they are indexed to provide information to the user.

But in the course of use, if the website is implanted in Trojan horse program, performance for search through a search engine to a site, search results in the site name, domain names are in line with the actual, open this site, the first 1 ~ 2 seconds, is to open the site domain name when the resolution, no exception, but another 1 seconds or so, Open the Web site is other sites or illegal sites, and domain name resolution of the IP address is not any exception is completely correct.

There are similar problems, we often call "domain name hijacking", there are many reasons for this situation, as the Internet applications increasingly deep social life, network environment is increasingly complex and changeable. This phenomenon warns webmasters to attach great importance to network security and constantly improve their ability to respond to new security threats.

2, Injection code

Injected code with the Sik-man Trojan file, is commonly used by hackers, injection code, when the injected files are accessed by any browser, this injected code began to work, the use of the system's FSO function, the formation of a Trojan file, hackers again use this Trojan file to control the server, Not just the folder where the Web is controlled, of course, some hackers do not need to control the server, but in the Web file to inject some black links, open the site will not appear any superfluous content, but open the speed than normal slower many times, because to wait for these black links are effective after the entire site opened completely, If it is a black link only need to clear up on it, but the file was planted on a Trojan horse or characters, it is difficult to find.

3. Main Features

After repeatedly searching the reason, discovered the domain name hijacking main characteristic. After the hacker implanted character analysis, it used the "window.location." href ' JS statement, will also cause Web site management can not be logged in, managers in the Management Login window input user name, password, generally through authentication will be the user's some information through the session passed to other documents to use, but "window, Location.href ' Statements so that the authentication link can not be implemented, the user's form can not be submitted to the normal verification file, if the system uses the authentication code, "WINDOW.LOCATION.HREF" statement can make the verification code expired, the input of the verification code is also invalid, resulting in the Web site can not log on normally.

These characteristics mainly have the following characteristics:

(1) Strong concealment

The name of the Trojan file generated, and the Web system's file name is very similar, if from the filename to identify, simply can not be judged, and these files, usually put into the Web folder in many levels of subfolders, so that the administrator can not find, file-sik characters are very hidden, only a few characters, generally can not be found.

(2) Strong technical

Take full advantage of the features of MS windows, store the file in a folder, and the file for special character processing, the normal way can not be deleted, can not be copied, and some can not even see, just detected in this folder there is a Trojan file, but can not see, (the system completely show hidden files), not to delete, Copy。

(3) Strong destructive

If a site is planted on a Trojan horse or character, the entire server is the equivalent of being completely controlled by hackers, can think of its destructive, but the purpose of these hackers is not to destroy the system, but the use of Web servers, hijacked to the site they want to display, so some sites if hijacked, will be transferred to some illegal websites, causing undesirable consequences.

4. Coping Methods

Through the analysis of the causes, it is mainly to the Web site Server Web sites files and folders to obtain read and write permissions, in response to the main causes of the problem, the way, the use of server security settings and improve the security of the website program, is to prevent, can eliminate the problem of domain name hijacking.

(1) Strengthen the anti-SQL injection function of the website

SQL injection is a method that uses the characteristics of SQL statements to write content to a database to gain access to permissions. For access to the MS SQL Server database, do not use a more privileged SA default user, establish a dedicated user that accesses only the system database, and configure it to be the minimum permissions required for the system.

(2) Configure Web site folders and file operation permissions

Windows network operating system, the use of Super Administrator rights, the Web site files and folders to configure permissions, most of the set to read permissions, cautious use of write permissions, if you can not get Super administrator rights, so the trojan can not root, the site domain name hijacked may be reduced a lot.

(3) Check the event manager to clean up suspicious files in Web sites

There are event managers in the Windows network operating system, regardless of how the hacker obtains the operation permissions, the event Manager can see the exception, through the exception of events and dates, in the Web site to find the changes in the file in that date, A file that can execute code needs to specifically see if it's being injected with code or changes, and clean up the new executable code file.

Statement: This article by Shun E net http://www.shun-e.com original submission, respect for the achievements of others, reproduced please specify the source!