2025-01-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article describes how to handle a website whose search-engine snapshot has been hijacked because an intruder tampered with the site's code. The content is detailed; readers with an interest can use it for reference, and I hope it is helpful to you.
The customer's website runs on a Windows 2012 system. It was developed with ThinkPHP on a PHP + MySQL architecture and uses IIS as its runtime environment. At SINE Security we have handled attacks of this kind, website intrusions, server attacks, code tampering and website hijacking, for more than a decade. Our first reaction was that the customer's server had also been compromised: an administrator account may have been added, or a backdoor implanted, which would explain why the website kept being attacked. Once we understood the general problem, we needed to log in to the server for detailed security testing, including website code security inspection, website vulnerability detection, removal of Trojan backdoors, and a series of related security services.
After logging in to the server, SINE Security found that it had been implanted with a Trojan backdoor written into a system file and hooked to a startup service: however the server was restarted, the backdoor file planted by the attacker was executed. We removed the backdoor at once and applied a security policy to the server's ports, restricting access from inside and outside the site so that only port 80 remained open, and placing IP whitelist restrictions on the remote-management ports. The most important problem remained: the customer's website kept redirecting. Clicking through from Baidu led to a redirect every time, and the app side showed the same attack symptoms. We examined the home page code and found it had been tampered with. The screenshot is as follows.
Searching for the website on Baidu, the site's snapshot carried a warning from the Baidu URL Security Center that the site may have been attacked by hackers and that some pages had been illegally tampered with. The customer's Baidu promotion traffic declined as a result, a considerable loss. We deleted the tampered content from the home page code and restored normal website access, but the problem was not as simple as we had imagined: after the code was deleted, the redirect remained. In SINE Security's experience over many years, this meant IIS itself must have been hijacked, that is, the attacker had tampered with the IIS configuration. We checked the server's IIS configuration to see whether a malicious DLL had been planted through the handler mappings; a careful look found nothing. Continuing the analysis, we also checked web.config and found no URL pseudo-static (rewrite) rules. The attacker evidently had some technical skill, but since the problem was clearly in IIS, it had to be written somewhere in that configuration. We then checked the modules function and found the problem: a malicious DLL had been implanted as a module, which loaded it into IIS 8.0. With the root cause found, it was easy to deal with. We removed the module, restarted the IIS environment with the iisreset command, and the redirect caused by the intrusion was gone.
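The two IIS configuration points the article walks through, handler mappings and native modules, can be triaged from the configuration file itself. The following read-only PowerShell script is an added example, not code from the original article or from SINE Security: it parses applicationHost.config, flags any module or handler image loaded from outside the directories in $Trusted (an assumed allow-list you should extend with your own PHP/FastCGI install path), and reports the file's Authenticode signature status.

```powershell
# Added example (not from the original article): read-only triage of IIS native modules
# and handler mappings in applicationHost.config. Run from an elevated PowerShell on the
# web server; nothing is modified.
$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
# Directories a stock IIS install loads native code from (assumed allow-list). Add your
# PHP/FastCGI install directory here so a legitimate php-cgi.exe handler is not reported.
$Trusted = @("$env:windir\System32\inetsrv\", "$env:windir\Microsoft.NET\")

function Test-IisImage([string]$Kind, [string]$Name, [string]$Image) {
    # The config stores paths such as %windir%\System32\inetsrv\cachuri.dll; expand them first.
    $path = [Environment]::ExpandEnvironmentVariables($Image)
    $inTrusted = $false
    foreach ($t in $Trusted) {
        if ($path.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $sig = 'FileMissing'
    if (Test-Path -LiteralPath $path) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
    [pscustomobject]@{
        Kind       = $Kind
        Name       = $Name
        Image      = $path
        Signature  = $sig
        # Anything outside the allow-list, unsigned, or with a broken signature needs a look.
        Suspicious = (-not $inTrusted) -or ("$sig" -ne 'Valid')
    }
}

$cfg = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
$findings = @()

# Native modules are loaded into every worker process: this is where the article found the DLL.
foreach ($m in $cfg.SelectNodes('//system.webServer/globalModules/add')) {
    $findings += Test-IisImage 'GlobalModule' $m.GetAttribute('name') $m.GetAttribute('image')
}

# Handler mappings with an explicit scriptProcessor (ISAPI/CGI/FastCGI). The XPath also
# reaches <handlers> inside <location> blocks, which is where per-site mappings live.
foreach ($h in $cfg.SelectNodes('//system.webServer/handlers/add')) {
    $sp = $h.GetAttribute('scriptProcessor')
    if ($sp) {
        # FastCGI entries may be written as "path\php-cgi.exe|arguments"; keep the executable only.
        $exe = ($sp -split '\|')[0]
        $findings += Test-IisImage 'Handler' $h.GetAttribute('name') $exe
    }
}

$findings | Where-Object { $_.Suspicious } | Format-Table Kind, Name, Image, Signature -AutoSize
```

Compare the output against a known-good server of the same IIS version; a module or handler name you do not recognise, or an image outside the inetsrv directory, is the kind of entry the article describes.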
Next, SINE Security began hardening the customer's website. We carefully examined the site for vulnerabilities and Trojan backdoors and carried out a detailed manual security audit of every ThinkPHP code file. We found that the ThinkPHP version in use had a remote code execution vulnerability, which let the attacker execute code directly and generate website Trojan backdoor files, also known as webshells. In the public directory we found a one-line Trojan backdoor (a PHP one-liner, also known as a PHP pony). We deleted it and repaired the vulnerabilities on the customer's website so that the site could be secure.
Some customers think that deleting the redirect code from the home page solves the problem, but a few days later the site is attacked again. The root cause is that the site's vulnerabilities have not been repaired and webshell backdoor files remain on the site; only by starting from the root can the site be protected against further attacks.
That is how we dealt with a website whose snapshot was hijacked after an intruder tampered with its code. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, share it so that more people can see it.