Case study: resolving illegal snapshots added to a compromised website
2022-06-13 12:17:00 【Technology sharing expert】
As of June 10, 2022, the opening of the World Cup is still more than five months away, yet many websites and IIS servers have already been hijacked and have had large numbers of illegal snapshots indexed for TFWC 2022 Qatar World Cup, sports and other gambling content. You can check for yourself whether your site's Baidu weight is rising rapidly, and you can check its keyword rankings: if the keywords are all sports, gambling, QP (chess and card games) and the like, the site has almost certainly been hacked and its code tampered with. We at SINE Security have recently handled this for many small and medium-sized enterprise customers whose Baidu snapshots also showed World Cup gambling content, with the titles and descriptions of many pages tampered with. When you visit the site directly, you will not notice that it has been attacked or hijacked. An attack as subtle as snapshot hijacking is hard for many webmasters to spot, and it takes professional security expertise to uncover.
How do you determine whether a website's snapshots have been hijacked? First, open Baidu webmaster tools and see whether recent indexing is abnormal, such as a sudden increase in indexed pages or Baidu's spider crawling far more than usual. Then run a site:www.***.com query on your own site and look at the pages indexed in the last month: do they include large numbers of Baidu snapshots with malicious World Cup sports, gambling or QP content? Another feature of snapshot hijacking is that visiting the site directly causes no redirect, whereas clicking through to the site from Baidu jumps straight to the illegal website. Take an actual customer case we handled at SINESAFE: when indexed content of this kind appears, the website snapshot has basically been hijacked, which is to say the site has been attacked by hackers.
Snapshot hijacking is simple in principle. Hackers exploit code vulnerabilities in the website to break in and upload webshell trojan files. Through the script trojan they tamper with IIS and the database configuration files and implant malicious code that hijacks snapshots. This malicious code decides what to serve according to the characteristics of the visitor. When Baidu's spider visits the site, it shows the spider World Cup, gambling, QP and other illegal and harmful content, so that the spider crawls it and Baidu indexes it. When certain users visit, it redirects them to the World Cup page the hackers are promoting.
What should I do if the website snapshot is hijacked?
To solve website snapshot hijacking thoroughly, start with the site's source code: audit the code for vulnerabilities and fix them, detect and remove trojan backdoors, and carry out a series of security hardening measures for the site. We will explain this kind of hijacking using a real SINE Security customer case. The customer's website runs on a Windows server (2012 system), the middleware is IIS 10.0, the website code is aspx and was developed in-house, and the database is SQL. The site's Baidu weight is 5, new pages are generally indexed within seconds, and its keyword rankings are very high. On the very day that the hackers' tampering caused large numbers of illegal pages to be indexed as hijacked snapshots, the customer contacted us at SINESAFE and we began emergency response immediately. The customer supplied the server and website information. We manually audited all of the website's code for vulnerabilities and trojan backdoors, analyzed the website logs in detail, and checked the server logs as well. Working from the attack time the customer provided, we traced the hackers' entire attack path.
First, checking the code manually, we found a trojan file, also called a webshell backdoor, which can be understood as a full-featured aspx script trojan. The trojan can modify, delete and upload website source code, among other operations. Using the file's creation date, we checked the corresponding website access logs and found that the hacker had uploaded the backdoor file with a direct POST to the file upload code. We manually audited that upload code and found a file upload vulnerability: by constructing malicious parameters, a hacker can bypass the file format restrictions and upload .aspx files. We fixed the vulnerability immediately and deleted the trojan backdoor. Checking the rest of the code, we found that the hackers had left many backdoors in the website directories: in the attachment directory, the CSS directory and the admin (background) directories. We recorded each one and forcibly deleted them all.
With the trojans removed and the vulnerability fixed, we found that the customer's snapshots were still being hijacked, and clicking through still redirected to the malicious website. We checked the server again and found that IIS had been hijacked. A security inspection of the server system showed that the hackers had escalated privileges and added an administrator account; in other words, the server itself had also been compromised. Briefly: because aspx was running with high privileges, it could add administrators to the server directly, and the hackers could execute system commands. Normally the server's maintainers should restrict aspx permissions so that it runs with ordinary user rights; the server was compromised because of weak security awareness. Because the hackers had tampered with IIS, the snapshots continued to be indexed and the redirect continued to fire. We inspected IIS and found that malicious code had been implanted, causing every website in that IIS to have its snapshots hijacked and large amounts of illegal content indexed. Once the malicious IIS code was removed manually, the problem was solved completely. We then manually hardened the server, deployed port security and file permissions, hardened the database, and carried out a series of other operations to prevent the hackers from attacking again.
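The log tracing described above (find the planted scripts, then look for the POST that preceded them) can be sketched as follows. This is an added example, not SINE Security's tooling; the log lines, paths and IP addresses are constructed, and the list of static folders is an assumption to adapt to the site.

```python
import re

# Constructed sample in IIS W3C extended log format (not data from the case above).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2022-06-08 02:11:40 GET /news/list.aspx 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-06-08 02:14:03 POST /admin/upload.aspx 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2022-06-08 02:14:09 GET /attachment/a1.aspx 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2022-06-08 02:14:30 POST /attachment/a1.aspx 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2022-06-08 02:20:12 POST /css/style.aspx 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2022-06-09 05:01:00 GET /css/site.css 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.I)
STATIC_DIRS = ("/attachment/", "/css/")  # assumed: folders that should hold no scripts

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def scripts_in_static_dirs(rows):
    """Script paths requested under static folders, with the client IPs that hit them."""
    hits = {}
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if path.startswith(STATIC_DIRS) and SCRIPT_EXT.search(path):
            hits.setdefault(path, set()).add(r["c-ip"])
    return hits

def upload_candidates(rows, hits):
    """POSTs those same clients made before their first hit on a planted script."""
    clients = set().union(*hits.values())
    seen, out = set(), []
    for r in rows:  # log lines are already in time order
        ip, path = r["c-ip"], r["cs-uri-stem"].lower()
        if ip in clients and path in hits:
            seen.add(ip)
        elif ip in clients and r["cs-method"] == "POST" and ip not in seen:
            out.append((r["date"], r["time"], ip, path))
    return out

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print(upload_candidates(rows, scripts_in_static_dirs(rows)))
```

The paths returned by `upload_candidates` are the handlers whose upload code should be audited first; the paths in `scripts_in_static_dirs` are the files to inspect and remove.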
If you have some technical knowledge, you can also handle snapshot hijacking yourself in the following way.
1. Analyze the server logs and website logs, and check whether the site's indexing is abnormal. In the website access log, see whether Baidu's spider is crawling large numbers of pages that do not exist on the site.
2. Check whether trojan backdoors have been implanted in the website source code. You can compare files one by one against an earlier copy. Check the homepage code and the database configuration code in particular, and check JS and CSS files for malicious hijacking code.
3. Use Baidu webmaster tools to simulate a Baidu spider crawl and check whether the content it fetches differs from what you see when browsing normally, to judge whether the site has been hijacked.
4. Delete the malicious spider-hijacking code, then fix and patch the vulnerabilities in the website code. If you do not know how to fix them, you can turn to a professional website security company, or come to us at SINE Security to repair and harden the site and solve the snapshot hijacking completely.
5. Harden the server. Check whether any processes and port PIDs are abnormal, check for external connections to IPs on ports other than 80, 443 and the like, and check the server's login logs for abnormal login IPs.
6. Use the webmaster tools to collect the snapshot URLs that carry gambling content, set them to return a 404 status, and submit them to Baidu for processing. When Baidu's spider crawls them again, the offending snapshots will be deleted. You can also give feedback through the Baidu Webmaster Center or submit a Baidu snapshot update.
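A local complement to the crawl comparison in step 3, written as an added example rather than the article's own tooling: it requests the same URL as a normal browser, with Baidu's spider User-Agent, and with a Baidu Referer, then reports any difference in status, redirect target or page title. The `hijacked_stub` function and its URLs are constructed so the check can be tried offline.

```python
import re
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
PROFILES = {  # normal visitor, Baidu's crawler, visitor clicking through from Baidu
    "browser": {"User-Agent": BROWSER_UA},
    "spider": {"User-Agent": "Mozilla/5.0 (compatible; Baiduspider/2.0; "
                             "+http://www.baidu.com/search/spider.html)"},
    "from_baidu": {"User-Agent": BROWSER_UA, "Referer": "https://www.baidu.com/s?wd=test"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as HTTPError instead of following it

def http_fetch(url, headers):
    """Return (status, Location, body) for one request, without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, "", r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), ""

def title_of(body):
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""

def cloaking_findings(url, fetch=http_fetch):
    """List every way the spider / from-Baidu responses differ from a plain browser's."""
    seen = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    base_status, _, base_body = seen["browser"]
    findings = []
    for name in ("spider", "from_baidu"):
        status, location, body = seen[name]
        if status != base_status:
            findings.append(f"{name}: status {status}, browser got {base_status} {location}".strip())
        elif title_of(body) != title_of(base_body):
            findings.append(f"{name}: title {title_of(body)!r} differs from browser")
    return findings

def hijacked_stub(url, headers):
    """Constructed stand-in for a hijacked site; pass it as fetch= to try the check offline."""
    if "Baiduspider" in headers["User-Agent"]:
        return 200, "", "<title>Injected sports title</title>"
    if "baidu.com" in headers.get("Referer", ""):
        return 302, "http://redirect.invalid/", ""
    return 200, "", "<title>Company home</title>"
```

Malicious code that keys on Baidu's source IP rather than the User-Agent or Referer will not react to this check, so an empty result does not replace the webmaster-tools crawl in step 3.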