Shulou(Shulou.com)06/01 Report--

At present, web hijacking is a favorite way of web page drainage in black hat SEO or underground industry, which is often realized through the websites of government and educational institutions (with high weight), modifying the source code of the website, releasing parasites, setting up secondary directory reverse proxy, and so on. Web hijacking can be divided into server hijacking, client hijacking, Baidu snapshot hijacking, Baidu search hijacking and so on. The form of hijacking can be hijacked jump or hijacked web page content, which is widely used in private service, × × and other profiteering industries.

In iis7 website hijacking detection, these problems can be detected more clearly, so as to help us know more clearly what problems to solve.

Server hijacking

Server hijacking is also known as global hijacking, the technique is to modify the dynamic language text of the website, determine the access source to control the returned content, and always achieve the purpose of website hijacking.

Asp/aspx/php hijacking

Global.asa, Global.asax, conn.asp, conn.php and other files are special in that each time a dynamic script is executed, the script is loaded first and then the target script is executed. So as long as you write the code to judge the user's system information in Global.asa (access source, etc.), if it is a spider visit, return the keyword page (the website you want to promote), and if it is a user visit, return to the normal page.

Client hijacking

There are also many methods of client hijacking, but there are mainly two kinds: js hijacking and Header hijacking.

Js hijacking

The purpose of js hijacking is to control website jump, hide page content, window hijacking and so on by implanting malicious js code into the target web page.

Js implantation technique: it can be written directly to the source code through the * * server, or in the database, because some pages will present the database content.

Js hijacking case

Effect: click on the page through the search engine (execute a section of js) to jump to the page; enter the URL directly to visit the page and jump to page 404.

Code:

Today=new Date ()

Today=today.getYear () +-"+ (today.getMonth () + 1) +"-"+ today.getDate ()

Var regexp=/. (sogou | so | haosou | baidu | google | youdao | yahoo | bing | gougou | 118114 | vnet | ioage | sm | sp) (. [a-z0-9 -] +) {1c2}\ / / ig

Var where = document.referer

If (regexp.test (where)) {

[xss_clean] ('')

}

Else

{

_ window.location.href= ".. /.. / 404.htm"

}

Analysis: through the referer to determine the source, if the referer is empty is to jump to the 404 page, if the search engine from the referer will also be displayed, and then write code to control the jump. If you only control the implementation to display different content, you can modify the php and asp code; if you need to hijack the search engine search box, you can write JS code to do the browser local jump. Of course, js functions can be expanded indefinitely, for example, it can control an ip to access normally for the first time in a day, the rest of the access can be redirected and so on.

Header hijacking

Write the following code in the source code:

one

It takes advantage of Meta Refresh Tag (automatic steering) to direct traffic away.

Comparison of techniques

The difference between client hijacking and server

Client hijacking: each visit to the web page gets the same web code from the server, but controls the effect of the web code rendered in the browser (such as whether to jump, etc.).

Server hijacking: changes the web code obtained from the server every time you visit the web page.

Client hijacking and server judgment method

The judgment method of client hijacking: just look at the front-end code of the web page rendered by the browser to see if the improper js or other sensitive content is referenced.

The judgment method of server hijacking: you can observe whether the source code is different by observing the back-end code of the website, or by changing ip, packet header and other ways.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.