How to solve the problem of black hanging horse

1, simple hanging horse

Home is hung horse, login website, anti-virus software alarm, check, found index.asp home inspection, the bottom appears, cleaned up, the page is normal, this horse mainly to directly modify the home page file-based, easy to find and Clean up.

2, the back door linked to the web

Antivirus alerts appear on any page of the login site, view index.asp as before, and remove iframe statements. But found that the problem still exists, so check other files only to find all the files are all linked with the horse statement, even if the restoration of the home page, but when users visit other pages still pop-up virus tips. Use backup file coverage recovery, reinstall the operating system and other methods are experimental, the next day may be linked to the horse again, this time should be suspected belong to the back door of the page, so check all asp program files, the attacker will often use some double Extensions files stored in, for example, the picture directory, xxxx.jpg.asp file, open the code looks like <% execute request ("sb")%> This statement, obviously a sentence backdoor, from the file name Judge, this camouflage picture of the file up suffix, there should be suspicion of the existence of upload image upload vulnerability, it is recommended to disable or use the cloud lock to filter and check the page Trojan.

3, linked to the database

Visit the home page virus alarm, a comprehensive search, did not find the home page and other files have been tampered with, if you compare all the files md5, found no signs of any tampering with the file, that is, files or those files, why hang horse page? Consider checking the database form is linked to horse, the page Trojan did not hang in the file, but linked to the contents of the database. The principle is the home page When calling the event news, read out the contents of the form from the database to form a web page, so read the place is inserted into the hang statement, through the log analysis you can see a similar SQL injection vulnerability log:

http://www.aa.com/news.asp?id=8 '

http://www.aa.com/news.asp?id=8 and 1 = 1-

http://www.aa.com/news.asp?id=8 and 1 = 2--

There may be some probing statements initially. Finally found the horse's action:

http://www.aa.com/news.asp?id=8 'update news set ziduan =' 'where id = 8'

Judging from this news.asp there should be injection problems, so to determine the type of variable and keywords to join the filter, and then linked to the field in the database to be modified. Available cloud lock easily intercept these statements.

4, file transfer hanging horse

Should check the other pages that are called, the common conn.asp files that are included, may be inserted into the back door, so why change this one file so powerful? Because all the pages have called this file to connect to the database. The file may contain the database's ip port username and password. At this point should check the database, for example, the database log to find out if there is a record of the implementation of master..xp_cmdshell, an attacker may use the extension to perform system commands to modify the file, it is recommended to modify the database password, the database permissions down pubilc . Ipsec port 1433 will be used to shield only allow access to the machine. With cloud-locked firewall function to intercept, and can be scanned out of the linked files.

5, arp linked to the horse

Users reflect the visit to the Web site, the antivirus software prompts the virus, but the login server to visit their own http://127.0.0.1 or local ip, but did not find was linked to horse, but all users to access through the domain name, there will be prompted to pass Packet capture analysis on the server, check whether a large number of arp packets can be found, this arp packet is usually the mac address of the server to another ip, the use of arp linked to the horse, this situation need to switch mac and mac ip address binding, after the switch on the configuration.

6, domain name hijacked horse

Direct access to the server through the ip normal, the user is prompted to access the domain name virus, then ping their own domain name, if the ip and the real show is different, you need to quickly check whether the domain name resolution is modified, log in domain name management background , Change to normal, and change the admin password.

7, background program linked to horse

Update the background process of the page, usually use some familiar path, for example:

http://www.xxx.com/admin/

http://www.xxx.com/login/

http://www.xxx.com/manage/

Although this link to the background program is not open to the user, but often easy to guess, then the background of the user name and password can be used to brute force tool to exhaustive, in theory, the crack is only a matter of time, the attacker After logging in the background, you can easily modify the contents of the linked horse, often modify the background address path is a very strenuous work, because after modifying the path also need to consider adjusting other related programs, the path must be changed to the same, you can use the cloud Lock www.yunsuo.com.cn redirects completed.

Web pages are implanted into a malicious backdoor or dark chain, linked to horses, although it seems that the direct impact of the site visitors, but in fact the site will have a loss, for example, search engine rankings due to repeated poisoning, shut down reloading led to a rapid decline in position , And sometimes even directly be reminded of malicious code, the customer will slowly passage over time, so the need to use cloud lock as soon as possible to solve these problems.