Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall
1. Simple Hanging Horse
Home is hanged horse, login site, anti-virus software alarm, check, found home index.asp check, the bottom appears, clean off, the page that is normal, this hanging horse mainly to directly modify the first page file, easy to find and clean.
2, the back door hanging horse
Log on to any page of the site antivirus alarm, according to the previous method to view index.asp, and removed the IFRAME statement. But found that the problem still exists, so look at other documents to find that all the files plus the horse statement, even if the recovery of the home page, but users visit other pages will still pop out virus prompts. Overwrite recovery with backup file, reload operation system and so on, after the experiment, the next day may be hung horse situation, at this time should be suspected to belong to the back door caused, then check all ASP program files, attackers will often use a number of double extension files stored in, such as the picture directory, xxxx.jpg.asp file, open look code similar to <%execute request ("SB")%> Such a statement, is clearly a word back door, from the file name to judge, this camouflage image of the suffix up the file, should be suspected to be submitted picture features upload loopholes, It is recommended to deactivate or use cloud Lock to filter and check the Web Trojan.
3, Database Hanging Horse
Visit Home virus Alarm, search the whole, did not find the home page and other documents have been tampered with, if the comparison of all the documents MD5, found no signs of tampering with documents, that is, files or those files, why will there be hanging horse page? You can consider checking the database if the form is hanging horse, the Web Trojan doesn't hang in the file , but hangs in the database content. The principle is the first call activity news, from the database read out form content, form a Web page, so read the place was inserted in the horse statement, through the log analysis can see similar SQL injection vulnerability log:
Http://www.aa.com/news.asp?id=8 '
Http://www.aa.com/news.asp?id=8 and 1=1-
Http://www.aa.com/news.asp?id=8 and 1=2--
There may initially be some probing statements. Finally found the action of hanging horses:
Http://www.aa.com/news.asp?id=8 ' Update news set ziduan= ' where Id=8 '
From this judgment should be news.asp exist injection problem, so add to the variable type judgment and keyword filtering work, and then the database of the horse-hanging field to modify. You can easily intercept these statements with cloud locks.
4, File call hanging Horse
Should see other pages that are called, common conn.asp, etc. included files, may be inserted back door, why modify this file can be so powerful? Because all pages call this file to connect to the database. The file may contain the IP port username and password for the database. The database should be checked at this time, such as a database log looking for a similar execution master. xp_cmdshell Records, an attacker could use the extended function to execute system commands to modify the file, recommend to modify the database password, and reduce the database permissions to PUBILC. Use IPSec for port 1433 to mask, allowing only native access. The firewall function of cloud Lock is used to intercept, and can scan out the file that hangs horse.
5, ARP hanging horse
Users reflect access to the site, antivirus software prompts the virus, but the login server itself to visit the http://127.0.0.1 or local IP, but did not find that the horse, but all users through the domain name to visit, there will be hints, can be carried out on the server to carry out the analysis of the package, Check if you can find a large number of ARP packets, this ARP packet is usually to the server's MAC address to another IP, using the ARP protocol for hanging horses, this case of flowers need to be on the switch Mac and IP address binding, after the configuration on the switch.
6, Domain name hijacking horse
Directly in the server through IP access is normal, the user through the domain name is prompted by the virus, at this time ping their own site domain name, if the display of IP and real different, need to quickly see the domain name resolution is modified, login domain name management background, modified to normal, and modify the management password.
7, backstage procedure hangs the horse
Updating the background of a Web page typically uses some familiar paths, such as:
http://www.xxx.com/admin/
http://www.xxx.com/login/
http://www.xxx.com/manage/
Although the link to this background program is not made public to the user, but often easy to guess, then this case, the background of the user name password can use brute force to crack the tool to be exhaustive, theoretically cracked is only a matter of time, the attacker login backstage, it can be very convenient directly modify the contents of the horse, Often modify the background address path is a very difficult job, because modify the path will also need to consider adjusting other related programs, the path will be changed to the same, you can use the Cloud lock www.yunsuo.com.cn function to complete.
Web pages are implanted with malicious backdoor or dark chain, hanging horse, although it appears that the direct impact of the site visitors, but in fact, the site will also generate losses, such as the ranking of search engines because of repeated poisoning, shutdown caused a rapid drop in the position, and even sometimes directly be reminded of malicious code, customers will slowly pass over time, So we need to use cloud lock to solve these problems as early as possible.