What to do when your website is attacked

What should you do when your website is attacked? For a webmaster, attacks are inevitable. Personal and small-business websites in particular are not maintained by professional programmers, so they become unreachable every few days and their owners are completely overwhelmed. Even so, you are not helpless in the face of an attack. An attack simply means that the website has security holes; as long as the weaknesses are found and guarded against, the website can keep running normally. Websites have vulnerabilities because new ones are constantly being discovered in operating systems and website programs, and non-professional programmers neglect to guard against them, which gives criminals an opening. For this reason, website operation and maintenance is not a simple matter: it requires professional skill, good management habits and a sense of responsibility from the programmers involved.

 

When you find that your cloud server has been attacked, don't panic. First check whether the web server has been compromised, find any black links that have been planted on the website, and then strengthen the website's security defenses. The specific steps are:

1) Disconnect all network connections. The server can be attacked because it is connected to the network, so once you have confirmed that the system has been attacked, disconnect it from the network to cut off the attack.

2) Disable PING responses on the server's IP to prevent the server from being scanned. Close unnecessary service ports and turn on the website's firewall.

3) Back up system data. When backing up, check whether the backed-up data contains the attack source, and if it does, delete it promptly.

4) Restore the network connection. Once everything is back to normal, reconnect the system to the network and restore service.

1. Common forms of website attacks:

(1) Trojan code is planted in the website's pages: when a page is opened, the browser or the computer's security software warns that the website is risky or that it carries a Trojan. This happens because malicious js has been inserted into the web pages or the files in the root directory. When the page is opened, the js is triggered and a script or php file containing the Trojan runs automatically, stealing the user's private data. The websites attacked are often those involving virtual currency or transactions.

(2) A large number of black links appear in the website's pages: the pages look normal to users, but the page source, often at the bottom, contains a large number of anchor text links. These links are usually hidden, set to font size 0, or placed at an extreme offset position. The purpose is for hackers to illegally implant links that raise the search weight and traffic of low-weight websites for profit, and the attacked websites are often penalized by search engines with a loss of ranking. The websites attacked are often those with a certain amount of search engine weight and traffic.

(3) A large number of implanted web pages appear in the website's root directory: if the website is not maintained in time, you will find that the number of its pages indexed by search engines suddenly increases, and that the indexed content is not your own. Most of it consists of illegal advertising pages for gambling, pornography, private game servers, game cheats and the like. When you check the website data on the server, you will find a large number of implanted static pages. A wide range of websites are attacked this way, and websites with high traffic are especially favored by hackers.

(4) The website's pages automatically jump to other websites when opened: this form is often called an illegal bridge (doorway) page. Either forced-redirect js has been implanted in the web page, or the server has been invaded and a 301 redirect has been set up in IIS. The purpose is for hackers to profit from illegal advertising or from transferring the website's search weight. The targets are often websites with authority and traffic.

(5) New content is implanted in the website database: the implanted records look like the other data on the website in form, but if you look at their dates and times you will find that they are clustered together and were not added by the site's editors. The affected websites are often those that handle credentials, such as professional qualification certificates and graduation certificates. Hackers plant false professional information on the legitimate official website on behalf of illegal customers and make high profits from it. The websites attacked are often the official websites of universities, education departments, or qualification bodies.

(6) The website cannot be opened or opens extremely slowly: the website's pages often fail to load, or the server cannot be reached remotely. This is often the result of fierce business competition, where an unscrupulous competitor hires hackers to maliciously attack the website's programs and server so that they cannot operate normally, for example through large-scale DDoS attacks, CC attacks, or direct destruction or deletion of website data. Some hackers, out of a distorted mentality, also attack maliciously to show off their abilities. The websites attacked are often corporate websites or websites with a low level of maintenance and a large number of security holes.

(7) Website and server passwords have been tampered with: sometimes you find that the website and server passwords no longer work because they have been changed. Hackers have brute-forced the vulnerable website or server and changed the passwords. The purpose is often to show off the hacker's technical ability and to carry out further malicious, illegal operations. An attack on one website can even affect every website on the server.

(8) The website database is lost or damaged: sometimes the website opens normally, but you can no longer update its programs or add new content. This is often caused by malicious attacks from former programmers or from hackers who lack professional ethics. All kinds of websites are attacked this way.

(9) The website's domain name is hijacked through DNS: you open your own website but the content shown is not yours, even though the server and website programs check out as normal. If you ping the website in this situation, the IP returned is no longer your own server's IP, which usually indicates DNS hijacking of the domain name. The purpose is a malicious attack to show off or to profit from advertising. All kinds of websites are attacked this way.

(10) The website server runs slowly and is infected with viruses such as worms: sometimes the webmaster finds that updating the website or operating the server is abnormally slow. Checking the server's process list shows processes using a large amount of CPU and memory. Running a Trojan scan at this point often turns up viruses such as worms. The purpose is to consume the website's resources, or the server itself has been invaded and is being used as a "bot" platform to attack others. The websites attacked are often on servers with high performance and high bandwidth.

2. How to operate and maintain the website server:

(1) Back up website data regularly: regular backups can be used to restore a website after an attack. Even if the website is attacked or some of its information is deleted by mistake, it can be restored at any time. In website operation and maintenance, backups are the bottom line.

(2) Keep the website programs and system updated: regularly updating the website programs and the server system with new versions and patches eliminates known security vulnerabilities and prevents hackers from exploiting them.

(3) Scan the website for viruses regularly: regular virus scanning and removal prevents hackers from going further or stealing website data, and lets you delete backdoor files planted during an intrusion in good time.

(4) Set permissions on website files: set reasonable permissions on the files on the web server. For example, important files that execute programs should have their write or execute permissions removed, which prevents hackers from tampering with website data.

(5) Enable HTTPS and a CDN for the website's domain name: enabling the HTTPS secure data transmission protocol and CDN acceleration makes the website run faster and more safely, hides the website's real IP, and to a certain extent protects against DDoS attacks, CC attacks, domain name hijacking and other security risks.

(6) Use a high-defense server: high-defense servers offer high performance, high bandwidth and high defense. They provide a basic level of support for security and operation, which makes later maintenance much more convenient. You can use YI Anti-DDoS CDN, an anti-DDoS center with 1Tbps of suppression capability and its own DDoS/CC cleaning algorithm, which can effectively help websites defend against common flood attacks such as SYN Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Proxy Flood and CC. This completely solves the problem of small and medium-sized websites lacking the budget to face DDoS attacks, and also safeguards the stable operation of all protected websites. Customers should weigh it against their own financial situation.

(7) Change management passwords regularly: website passwords may have been recorded by programmers who have since left, or obtained by hackers through brute-force cracking. Regularly changing the website's admin passwords and the server's remote login passwords can effectively prevent data loss.

(8) Check the website logs regularly: the website logs record the website's operating data. Enabling logging and reviewing the logs regularly gives you a clear picture of how the website has been running, and is one of the important methods of website maintenance.
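One way to check the permission settings from item (4), as an added example that is not from the original article: it walks a web root and reports files whose mode bits break a simple policy. The policy itself, the list of script extensions and the sample tree are assumptions for the illustration; it reads POSIX mode bits, so it applies to Linux hosts rather than IIS.

```python
import os
import stat
import tempfile

# Assumed policy for this example: script files must not be writable by group
# or others, nothing may be world-writable, and static files need no execute bit.
SCRIPT_EXT = {".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".py"}
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def audit_webroot(root):
    """Return sorted (relative path, issue) pairs for files breaking the policy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other special files
            rel = os.path.relpath(path, root)
            is_script = os.path.splitext(name)[1].lower() in SCRIPT_EXT
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif is_script and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable script"))
            if not is_script and mode & ANY_EXEC:
                findings.append((rel, "execute bit on static file"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed web root in a temp directory for the demo."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    sample = {"index.php": 0o644, "config.php": 0o666, "admin.php": 0o664,
              "style.css": 0o644, os.path.join("uploads", "photo.jpg"): 0o755}
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, issue in audit_webroot(build_sample_tree()):
        print(f"{issue:28} {rel}")
```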

The above are the common forms of website attack and the common maintenance methods. I hope they are of some help to webmasters!


Origin blog.csdn.net/xyyaq/article/details/124399023