How to deal with a hijacked server

  The following describes a case of a hijacked web server, in the hope that it helps you solve similar problems. It cannot be stressed enough: learn to run security checks routinely, while nothing is wrong, and prevent problems early.
  With IIS7 website monitoring, hijacking can be detected before it becomes a problem and nipped in the bud. When a problem does occur, we must learn how to resolve it.
  Principle
  Server-side hijacking, also known as back-end hijacking, is carried out by modifying files of a dynamic-language website, such as global.asax, global.asa, conn.asp and conn.php. These are global configuration scripts that are loaded every time a dynamic script is loaded; for example, conn.php is loaded when x.php is accessed. In this case, only these global script files (such as global.asax) need to be modified: because global.asax is loaded whenever any aspx file is accessed, this achieves a site-wide hijack.
  Performance and testing
  Because these files are executed on the server, the hijack cannot be analyzed the way a front-end hijack can, by inspecting the malicious JS script that is loaded. It has to be analyzed on the server. Detection generally means checking the global script files and analyzing whether they have been maliciously modified. These files are generally not modified often, so file integrity checking can be used: generate an MD5 or other hash value after the initial configuration, and periodically compare whether the value has changed. If it has changed, analyze and inspect the changed content.
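
  An added example (not from the original post) of the integrity check described above: it records a baseline hash for each global script file, then reports files that were modified, removed, or newly added. It uses SHA-256 where the post mentions MD5; the function names and the JSON baseline format are assumptions of this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File names the post lists as global scripts loaded on every request.
GLOBAL_SCRIPTS = {"global.asax", "global.asa", "conn.asp", "conn.php"}


def file_digest(path):
    """SHA-256 of the file contents (used here in place of MD5)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(web_root):
    """Map relative path -> digest for every global script under web_root."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name.lower() in GLOBAL_SCRIPTS
    }


def save_baseline(web_root, baseline_file):
    """Run once after initial configuration; keep the file outside the web root."""
    Path(baseline_file).write_text(json.dumps(snapshot(web_root), indent=2))


def compare(web_root, baseline_file):
    """Report global scripts modified, removed or newly added since the baseline."""
    old = json.loads(Path(baseline_file).read_text())
    new = snapshot(web_root)
    return {
        "modified": sorted(f for f in old if f in new and old[f] != new[f]),
        "missing": sorted(f for f in old if f not in new),
        "added": sorted(f for f in new if f not in old),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed demo site, not a real server
        site, base = Path(tmp, "site"), Path(tmp, "baseline.json")
        (site / "admin").mkdir(parents=True)
        (site / "global.asax").write_text('<%@ Application Language="C#" %>\n')
        save_baseline(site, base)
        (site / "global.asax").write_text("<%-- changed --%>\n")
        (site / "admin" / "Global.asax").write_text("<%-- new file --%>\n")
        print(compare(site, base))
```

  The "added" list matters as much as "modified": a global.asax that appears in a directory where none existed at baseline time is also a change to investigate.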
  Case
  A number of gambling links were found on a government website. However, capturing and analyzing the page source turned up no suspicious JS script, so it had to be a server-side hijack.
  The server was then accessed over a remote connection. The site was developed in aspx, so its global file, global.asax, was located. Analysis of its source code showed that it had been modified to add a check for crawlers: if the visitor is a crawler, it is redirected straight to the corresponding gambling site.
  For server-side hijacking, find the inserted code and delete it directly, or overwrite the file with a backup. But this does not really solve the problem: under normal circumstances, a modified global.asax basically means the attacker has already compromised the server. A comprehensive incident response is therefore necessary: log analysis, webshell detection and removal, and a full security inspection of the system layer and application layer. Only by finding out how the attacker got in and fixing the corresponding vulnerability can this kind of problem truly be solved.


Origin www.cnblogs.com/sleepya/p/11276129.html