Case analysis: tracing how a website was injected with black-chain (hidden link) content
We searched directly by keyword:
Next we checked whether the simulated test results were accurate:
The results show that our conjecture holds. But since the website source code had not been modified, where did the black chain come from? Since the black chain is served according to the type of crawler, then
We finally found the problem in the global.asax file, hidden in a JS script. Because the website is developed in .NET, the earlier comparison had been done in a Windows environment, and we had come across the global.asax file at the very beginning; but when it was opened with a text editor on Windows, only a blank page was visible. In fact, the real code was hidden hundreds of lines down.
The site had obviously been injected with a black chain. Never having done this kind of work, we were not very familiar with the various techniques for planting black chains. The first reaction was that the website files must have been maliciously tampered with, so we immediately checked the website source files. After a comparison there were no obvious abnormalities, so where did the black chain come from?
According to the customer, the "website hacked detection" tool in the webmaster tools at tool.chinaz.com reported the website as abnormal. Following that clue, we ran the detection in the webmaster tools, with the following result:
.NET program to run if the default web site root directory.
curl xxx.com, the results are as follows:
Then we imitate Baiduspider:
curl -A "Baiduspider" xxx.com, the results are as follows:
This is just a clever use of a weakness: most people are not careful, and when the file is opened in a graphical editor the first part displayed is blank. The code is as follows:
Looking again at the test results given by the webmaster tools: the simulated normal visit returns the normal page, while the abnormal result shown above comes from the simulated search engine visit. The abnormal result names Baiduspider directly, so the meaning becomes roughly clear: when the Baidu crawler comes by, it is given the black chain, while normal user access is not affected, which achieves the purpose of concealment.
grep -ri Baiduspider web_root_master
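The grep search and the global.asax finding described above, combined into one audit script. This is an added example, not part of the original write-up; the function names, the 50-line threshold, the extra crawler names (Googlebot, bingbot) and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for crawler-conditional code and for files
# whose real content sits behind a long run of blank lines.

UA_PATTERN='baiduspider|googlebot|bingbot'   # assumed list; the page names only Baiduspider

# Longest run of consecutive blank (whitespace-only) lines in file $1.
longest_blank_run() {
  awk '/^[ \t\r]*$/ { run++; if (run > max) max = run; next }
       { run = 0 }
       END { print max + 0 }' "$1"
}

# For every file under $1 that mentions a crawler user-agent, print the line of
# the first mention and the longest blank run. Files whose blank run reaches the
# threshold $2 (default 50) are marked SUSPICIOUS, the rest REVIEW.
audit_webroot() (
  root=$1
  threshold=${2:-50}
  grep -rliE "$UA_PATTERN" "$root" 2>/dev/null | sort |
  while IFS= read -r f; do
    run=$(longest_blank_run "$f")
    first=$(grep -niE -m1 "$UA_PATTERN" "$f" | cut -d: -f1)
    if [ "$run" -ge "$threshold" ]; then verdict=SUSPICIOUS; else verdict=REVIEW; fi
    printf '%s %s first_match_line=%s blank_run=%s\n' "$verdict" "$f" "$first" "$run"
  done
)

# Constructed sample web root: a global.asax that looks empty when opened
# (300 blank lines first), a clean page, and a robots.txt that legitimately
# names the crawler. Prints the directory path.
make_sample() (
  d=$(mktemp -d)
  { awk 'BEGIN { for (i = 0; i < 300; i++) print "" }'
    printf '<script runat="server">/* constructed placeholder: branches on Baiduspider user-agent */</script>\n'
  } > "$d/global.asax"
  printf '<html><body>hello</body></html>\n' > "$d/index.html"
  printf 'User-agent: Baiduspider\nAllow: /\n' > "$d/robots.txt"
  echo "$d"
)

# Usage: sh audit.sh /path/to/web_root [threshold]
if [ $# -gt 0 ]; then audit_webroot "$@"; fi
```

A REVIEW line is not a finding by itself (robots.txt legitimately names crawlers); the SUSPICIOUS line is the case from this write-up, where a file mentions the crawler and also pushes its content far below the visible first screen.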