
What to do when a website is attacked, and how to find the source of website vulnerabilities

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many corporate websites are attacked. The site may redirect visitors to other websites when opened, especially illegal ones, or it may not open at all, so customers cannot reach the home page and the owner suffers serious economic losses. Many customers come to our company, SINE Security, for a way to keep their websites from being attacked. In view of this, our security technology department explains here how to find the source of an attack after a website has been attacked, and how to detect the vulnerabilities in the site so that it is not attacked again.

After a website has been hacked, the first thing to do is package and compress the website's access logs and save them in full, and record the time the problem occurred as reported by the customer, the characteristics of the attack, and so on. Then analyze the logs entry by entry. The access log records every user's visits to the site, as well as the error messages returned by its pages. It helps us find the source of the attack and the vulnerabilities in the site, so that those vulnerabilities can be fixed.

Take the website of an enterprise customer from some time ago as an example. Look at this log record first:

2019-06-03 00:01:18 W3SVC6837 202.85.214.117 GET /Review.aspx class=1&byid=23571 80 - 101.89.239.230 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C)+like+Gecko 200 0 0

From the access log entry above we can see the visitor's IP address, the time of the visit, that the visitor was using Windows, the browser version, and the status of the request, all recorded very clearly. So after a website has been attacked, how do we check the logs to trace the attack?

First, communicate with the customer to determine the specific time period in which the website was attacked, and use that time to narrow the range of log entries. Check the logs entry by entry. Also find the file name of the Trojan file on the website, search the logs for that file name, and from those entries trace the attacker's IP. With these clues, trace the source of the attack and the vulnerabilities in the website. The logs can be opened with Notepad; some websites run on Linux servers, where the logs are viewed with Linux commands, as shown in the figure:

[Figure: Linux commands for viewing the log]

In one case, a webshell Trojan file had been uploaded to a customer's website. The attacker tampered with the website by accessing that script file: the title and description of the home page were replaced with lottery content, and visitors who clicked through to the site from Baidu were redirected to other websites. The customer was paying for Baidu promotion and suffered heavy losses, so they came to SINE Security. Based on the attack characteristics the customer described, we extracted the website's access logs and traced both the source of the attack and the vulnerabilities in the website. We used the time to check the access records of all user IPs for that day. First we manually found the webshell file in the website's root directory, demo.php, and searched the logs for it; one IP was accessing the file constantly. We extracted and analyzed all of that IP's access records and found that the attacker had visited the website's upload page and uploaded the Trojan backdoor through the upload function.
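The tracing steps described above (narrow by time, search for the webshell file name, pull every record for the IP that requested it) can be scripted. This is an added example, not SINE Security's own tooling; the log lines, the documentation-range IPs and the /admin/upload.aspx path are constructed, and only the demo.php name comes from the case.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in IIS W3C extended format (documentation-range IPs, invented paths).
SAMPLE_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2019-06-02 23:58:40 W3SVC1 192.0.2.10 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2019-06-03 00:01:18 W3SVC1 192.0.2.10 GET /Review.aspx class=1&byid=23571 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2019-06-03 00:05:02 W3SVC1 192.0.2.10 GET /admin/upload.aspx - 80 - 203.0.113.45 Mozilla/5.0 200 0 0
2019-06-03 00:05:31 W3SVC1 192.0.2.10 POST /admin/upload.aspx - 80 - 203.0.113.45 Mozilla/5.0 200 0 0
2019-06-03 00:05:40 W3SVC1 192.0.2.10 GET /demo.php - 80 - 203.0.113.45 Mozilla/5.0 200 0 0
2019-06-03 00:06:12 W3SVC1 192.0.2.10 POST /demo.php - 80 - 203.0.113.45 Mozilla/5.0 200 0 0
2019-06-03 09:30:00 W3SVC1 192.0.2.10 GET /demo.php - 80 - 198.51.100.99 Mozilla/5.0 404 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))  # IIS writes spaces in values as '+'
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def trace_webshell(text, shell_name, start, end):
    """Return {client_ip: report} for clients that requested shell_name within [start, end]."""
    by_ip = defaultdict(list)
    for r in parse_w3c(text):
        if start <= r["ts"] <= end:  # step 1: narrow the log to the reported time window
            by_ip[r["c-ip"]].append(r)
    report = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["ts"])
        # step 2: which clients touched the webshell file?
        hits = [r for r in rows if r["cs-uri-stem"].lower().endswith("/" + shell_name.lower())]
        if not hits:
            continue
        first_hit = hits[0]["ts"]
        # step 3: POSTs by that client before its first webshell request are upload candidates
        uploads = [r["cs-uri-stem"] for r in rows if r["cs-method"] == "POST" and r["ts"] < first_hit]
        timeline = [f"{r['time']} {r['cs-method']} {r['cs-uri-stem']} {r['sc-status']}" for r in rows]
        report[ip] = {"shell_hits": len(hits), "upload_candidates": uploads, "timeline": timeline}
    return report

if __name__ == "__main__":
    window = (datetime(2019, 6, 3, 0, 0), datetime(2019, 6, 3, 1, 0))
    for ip, info in trace_webshell(SAMPLE_LOG, "demo.php", *window).items():
        print(ip, info["shell_hits"], info["upload_candidates"], *info["timeline"], sep="\n  ")
```

Run against a copy of the preserved logs, not the live files, so the evidence saved in the first step stays unmodified.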

From the IP traced in the logs and the website's access records, we found the vulnerability. The upload function did not securely check and filter the format of uploaded files, so executable scripts such as aspx and php could be uploaded, and the upload directory had not been secured by removing script execution permission. In response, SINE Security fixed the vulnerabilities in the customer's website: we restricted uploads to picture formats, deployed the upload directory securely, and carried out a series of other website security hardening measures.

After a website is attacked, first of all do not panic. Analyze the website's logs as soon as possible to find the source of the attack and the vulnerabilities in the website. If you do not know much about websites, you can also turn to a professional website security company; professional work is best left to professionals. Whether it is the website's logs or its source code, make use of all of it to thoroughly trace the source of the attack.
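A sketch of the upload fix described above, restricting uploads to picture formats, as an added example rather than the code deployed for the customer. The function name, the exception class and the allowlist are assumptions made for illustration.

```python
import os
import secrets

# Allowlist of picture formats: extension -> accepted leading bytes (file signatures).
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised when an upload is not an allowed picture (hypothetical name)."""

def store_name_for_upload(client_filename, data):
    """Return a server-generated file name for an accepted picture, else raise UploadRejected."""
    # Drop any directory part the client sent, for both / and \ separators.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL byte in file name")
    # Only the final extension counts, so photo.jpg.php is judged as .php.
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} is not an allowed picture format")
    # The content must start with a signature of the declared format.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared picture format")
    # Never keep the client's name: a random name discards inner extensions
    # such as the .php in shell.php.jpg.
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample bytes
    print(store_name_for_upload("logo.PNG", png))
    for name, body in [("demo.php", b"<?php"), ("shell.php.jpg", b"<?php"), ("a.aspx.", png)]:
        try:
            store_name_for_upload(name, body)
        except UploadRejected as err:
            print(name, "->", err)
```

A signature check does not prove a file is harmless, which is why the fix also removes script execution permission from the upload directory.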
