Webmaster Anti-Black Tutorial: How to deal with search engine hijacking attacks

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

Many websites have been hijacked by the search engine, which is a very common hacker attack way at present. Webmaster in the background is not retrieved, but in search engine results can be seen. Point to open these results information, but jump to gambling, false ads, Taobao search page and other sites. The consequences of this situation are serious:

User churn: Your site has done a lot of SEO optimization or bidding rankings, users can no longer find you through the search engine, this is a sad thing.

Site is blocked: If your site is hijacked to some illegal sites caused by the site is marked as illegal, gambling or malicious code, may be directly to various browsers and search engines marked as "malicious Web site" to intercept directly. The most painful thing in the world is this, I am a good person, special, but I was overcast ...

Lower credibility: Painstakingly Web site for many years, establish a reputation is not easy. Once hacked, the day was hijacked. From then on users to open your site through search engines is not pornography is gambling. Normal business has nothing, also don't talk about what credibility and word-of-mouth.

When stationmaster encounter search engine hijack how to solve? Don't panic, here I first provide two kinds of solutions: Please read this article in detail, or directly contact qq:800034239, find beauty security experts one-on-one counseling.

A real search hijacking case

The night before yesterday, a webmaster found me, said the site search results page was hijacked. Is the netizen thinks is the gambling website, attracts each road to ban. Today I work, I help this user to clean the site, but also invited him to join the guardian of the site protection system. The following is the whole process of troubleshooting, for you webmaster reference.

Scene reappearance: User in Baidu input: site: Website domain name. In the search results page, you can see a lot of search results, but immediately after the click to jump to a gaming site. (pictured below)

More detailed query results as shown below:

The first step: judging the way of hijacking

This step mainly determines whether the current hijacking is implemented through JavaScript code or scripting code such as php/asp.

Open fiddler, first press F11 next HTTP request breakpoint, and then click Baidu Results page, to Fiddler to see the request. Click the green button on the right.

Each click will pass a request. From the results to see this search engine hijacking only 3 steps, at this time we can draw a conclusion: this case of the site hijacking is through the PHP program code to achieve hijacking, hijacking process as shown in the following figure

From Baidu Link will jump to the user site itself, at this time did not load any JS and CSS and other resources directly and jump to the gaming site.

How does this move from the user site to the gaming site? The principle is very simple, please look at the following figure:

The HTTP request code for this jump is 302, redirected to the gaming site via a location. Because the site uses a PHP program, in PHP through the header () function can achieve page redirection.

Step two: Find suspicious code

Now that you know the principle of hijacking and the target gaming site, it is easier to detect malicious code. The user's server is windows2003, and by remote connection, you can easily find the file location of any text with the FINDSTR command under Windows System. In this case we just need to find out which files have the 86896 keyword in it. The command line constructs query commands as follows:

FINDSTR/S/I "86896" d:\web\xxx.org\*.php

The keyword is followed by the root directory of the Web site, which means traversing all the PHP files in the root directory of the site, and finding the files that contain "86896" characters. To execute this command we can get the following result output:

Through the results can be clearly seen, the hacker invaded the site and modified the Discuz forum \source\class\class_core.php This core file, in this file added to implement the hijacked location jump malicious code.

The hacker implanted malicious code is relatively "small white", without any encryption and other hidden means, directly through the keyword to find out. Complete malicious code as shown below:

Step Three: Delete code

The above malicious code is the function of all user and Referer contains search engine information site access request content all hijacked as a gambling site, to help users delete this section of PHP code, the site immediately back to normal.

Summary

Through this case analysis can be seen, this search engine traffic hijacking attack technical content is not so unfathomable, through two steps: First of all, to judge the hijacking mode, if it is JS code hijacking, find the malicious JS code to delete the line, if it is a script hijacking, please refer to the way described in this article; The second is to use FINDSTR (Windows) command or grep (Linux) command to the server to find the malicious code on the file, delete malicious code. Hope that through the introduction of this article, in the majority of webmaster should be able to respond to such hacker attacks help

In addition, the tool used in the analysis: Fiddler (Www.telerik.com/fiddler), many domestic download stations can also be down to this tool.