Web Security: Cause Analysis and Countermeasures for Website Domain Name Hijacking

We all know that security problems have always existed on the Internet. The most common are DDoS attacks, domain name hijacking, Trojan control of hosts, web page tampering, network phishing and so on. Among these, domain name hijacking has the greatest impact on, and does the most harm to, websites. Search engines are an important tool for everyday information retrieval: you only need to enter keywords to find the information you need. What the results show is actually the search engine's snapshot of the website, and the snapshot itself is safe. This is why, for some websites, the title and description shown in the search snapshot differ from what the website itself shows. In this article I analyse and summarise some of the causes of domain name hijacking and how to deal with it.

1. Domain name hijacking

At present there are many products that provide search engine services, such as Baidu, Google, Sogou and Youdao. The technologies they use differ considerably, and the core technology is generally treated as a company's trade secret that we do not know. What they have in common is a data snapshot stored on the search engine's servers: when a user enters a keyword, the search engine queries the snapshot server, sorts the results by inclusion time or other indexes, and lists them for the user.

During use, however, if a website has been implanted with a Trojan horse program, the following happens. The website is found through the search engine, and the website name and domain name in the search results match the real ones. For the first 1 to 2 seconds after opening, the page shown is the site that the domain name resolves to, with nothing abnormal. After about 1 second, however, the page that appears is a different website, or an illegal one, even though the IP address the domain name resolves to is completely correct and shows no abnormality.

This kind of problem is what we usually call "domain name hijacking". It has many causes. As Internet applications become ever more deeply embedded in social life, the network environment grows more complex and changeable. This phenomenon is a warning that webmasters must attach great importance to network security and continuously improve their ability to deal with new security threats.

2. Injected code

Injecting code and planting Trojan horse files are the methods hackers commonly use. With code injection, once the injected file is accessed by any browser, the injected code starts to run and uses the system's FSO (FileSystemObject) function to create a Trojan horse file; the hacker then uses this Trojan file to control the server, not just the folder where the web site lives. Of course, some hackers do not need to control the server at all and merely inject some hidden "black links" into the web files. No extra content appears when the website is opened, but it opens many times slower than normal, because the whole website does not finish loading until these black links have taken effect. If it is only a black link, it simply needs to be cleared; but a file planted with a Trojan horse or with injected characters is difficult to find.

3. Main features

After repeated searching for the cause, the main features of domain name hijacking were found. Analysis of the characters implanted by the hacker shows that they use the JavaScript statement "window.location.href", which also causes the website's management login to fail. After the administrator enters the user name and password in the management login window, authentication would normally succeed, and some of the user's information is passed on through the session to other files. The "window.location.href" statement, however, makes the authentication process impossible: the user's form can no longer be submitted normally to the verification file. If the system uses a verification code, the "window.location.href" statement can also make the verification code expire, so the code that was entered is invalid as well and the website cannot be logged into normally.

These features come down to a few points.

(1) Strong concealment

The generated Trojan file name closely resembles the file names of the web system, so it cannot be judged from the file name alone; and these files are usually placed in many subfolders under the web folder, so the administrator cannot search them out. The characters implanted in the file are also very well hidden, only a few characters long, and generally cannot be found.

(2) Highly technical

It makes full use of the characteristics of MS Windows: the file is stored in a particular folder and its name is treated with special characters, so that it cannot be deleted, copied, or even seen by normal methods. All that can be detected is that there is a Trojan horse file in this folder; the file itself cannot be viewed (even with the system set to fully display hidden files), deleted, or copied.

(3) Highly destructive

If a site is planted with Trojan horses or injected characters, the entire server is in effect completely controlled by the hackers, which can be destructive. However, the purpose of these hackers is not to destroy the system but to use the web server to hijack the website to the site they want to display. So when some websites are hijacked, visitors are sent to illegal websites, with bad consequences.
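The features above (a tiny "window.location.href" redirect hidden in a file with a harmless-looking name deep in a subfolder) are exactly what a defender can sweep the web root for. The following scanner is an added example and not code from the original article; the indicator patterns, the file extensions and the sample files it creates are assumptions for illustration.

```python
import os
import re
import tempfile

# Assumed indicators of an injected client-side redirect, not a complete signature set:
# the window.location.href assignment described above, and a setTimeout touching location.
INJECTION_PATTERNS = [
    re.compile(r"window\s*\.\s*location\s*\.\s*href\s*=", re.I),
    re.compile(r"setTimeout\s*\(.*location", re.I),
]
WEB_EXTENSIONS = {".html", ".htm", ".asp", ".aspx", ".php", ".js"}

def scan_file(path):
    """Return (line_number, snippet) for each line of `path` matching an indicator."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(pat.search(line) for pat in INJECTION_PATTERNS):
                hits.append((lineno, line.strip()[:120]))
    return hits

def scan_webroot(root):
    """Walk every subfolder under `root`; map relative path -> suspicious lines."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path) if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS else []
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo_scan():
    """Build a constructed sample web root in a temp folder and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed files; the .js one mimics a short redirect hidden deep in a subfolder
        "index.html": "<html><body><h1>Welcome</h1></body></html>\n",
        "images/cache/default.js": "var t=1;\nsetTimeout(function(){"
                                   "window.location.href='http://example.invalid/';},1000);\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return scan_webroot(root)
```

Run scan_webroot() against the real web root and review every hit by hand; a legitimate page may use the same statement, so the output is a review list, not a verdict.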

4. Countermeasures

Analysis of the causes shows that the attack depends mainly on obtaining read and write permission on the web server's site files and folders. Based on the main causes and routes of the problem, use the server's security settings to improve the security of the website program; this is how the domain name hijacking problem can be prevented.

(1) Strengthen the website's anti-SQL-injection measures

SQL injection is a method that exploits the characteristics of SQL statements to write content into the database and thereby gain permissions. When accessing an MS SQL Server database, do not use the default sa user, which has extensive authority; instead create a dedicated user that only accesses this system's database, and configure it with the minimum authority the system requires.
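As an added example (not code from the original article), here is the application-side half of this countermeasure: the same login query written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table standing in for the site's SQL Server database. The dedicated low-privilege database login is configured on the server itself and is not shown here.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for the site's SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so user input becomes part of the SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, name, password):
    """Passes the values as bound parameters, so input is always data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

# A password containing a single quote closes the string literal in the
# vulnerable query and turns the rest of the input into SQL; the same
# text is just an (incorrect) password to the parameterized query.
QUOTE_IN_INPUT = "' OR '1'='1"

def compare():
    """Return (vulnerable_result, parameterized_result) for the same crafted input."""
    return (login_vulnerable(make_db(), "admin", QUOTE_IN_INPUT),
            login_parameterized(make_db(), "admin", QUOTE_IN_INPUT))
```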

(2) Configure operation permissions on the web site's folders and files

In the Windows network operating system, use the super administrator authority to configure permissions on the web site's files and folders: set most of them to read permission only, and grant write permission with caution. This greatly reduces the possibility of being hijacked.

(3) Check the event manager and clean up suspicious files in the web site

The Windows network operating system has an event manager. No matter how the hacker obtains operation authority, the abnormality can be seen in the event manager. From the abnormal event and its date, you can find the changes made to the website's files on that date. In some cases it is necessary to check whether files containing executable code have been injected or changed, and to clean up newly added executable code files.
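Finding "which executable files were added or changed" is much easier against a baseline taken when the site was known to be clean. The following hash-manifest comparison is an added example, not code from the original article; the list of executable extensions and the two sample manifests are constructed assumptions, and the date from the event manager tells you which current manifest to compare.

```python
import hashlib
import os

# File types whose contents execute on the server or in the browser; a new or
# altered file of these types is what the text says to look for and clean up.
EXECUTABLE_EXTENSIONS = {".asp", ".aspx", ".asa", ".php", ".js", ".exe", ".dll"}

def file_sha256(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file under `root` (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = file_sha256(path)
    return manifest

def diff_manifests(baseline, current):
    """Return (added, changed): executable files absent from or different in the baseline."""
    added, changed = [], []
    for rel, digest in current.items():
        if os.path.splitext(rel)[1].lower() not in EXECUTABLE_EXTENSIONS:
            continue
        if rel not in baseline:
            added.append(rel)
        elif baseline[rel] != digest:
            changed.append(rel)
    return sorted(added), sorted(changed)

# Constructed sample manifests: BASELINE as saved when the site went live,
# CURRENT as rebuilt with build_manifest() on the date the event log flagged.
BASELINE = {"index.asp": "a" * 64, "admin/login.asp": "b" * 64, "css/site.css": "c" * 64}
CURRENT = {
    "index.asp": "a" * 64,                 # unchanged
    "admin/login.asp": "d" * 64,           # contents changed
    "css/site.css": "e" * 64,              # changed, but not executable
    "images/cache/default.asp": "f" * 64,  # new executable file deep in a subfolder
}
```

Store the baseline manifest off the web server (it is useless if the attacker can rewrite it), and treat every "added" entry as a candidate Trojan file until its origin is explained.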
