Tool used: FileMon. Download: FileMon for Windows v7.04
Last Friday night a customer reported that their site opened very slowly and that a Baidu search for it returned a lot of gambling-site content, although the site itself could still be opened. My first reaction was that the site had been trojaned (挂马): when the page is opened from a Baidu snapshot, some code must be checking where the visitor came from and serving the gambling content only to search-engine traffic.
So I downloaded Server Safe Dog (服务器安全狗) and WebShellKiller to scan the server, then manually checked the dynamic pages, the JS and the related files, and found no trace of a trojan. I began to suspect IIS itself.
I then went back to the pages opened from the Baidu snapshot and found that many of the URLs pointed at folders that do not exist in the site directory on the server; entering such a URL directly, without going through the Baidu snapshot, returns a 404. That proves the directory does not exist in the site folder on the server, and there is no virtual directory for it either.
Running the crawl diagnostics in Baidu Webmaster Tools against every site on the server showed that all of them had the same piece of code added:
This proves the problem is not limited to a single site, so I stopped all the sites and set up a test environment.
Files in the website directory
Request sent with the Referer header set to https://www.baidu.com
Header analysis (showing that the response references another site)
Direct access to the same URL returns 404
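The manual test above (same URL, once directly and once with a Baidu referer, compare the answers) is easy to script so it can be repeated against every site on the server and after each fix. The following is an added example, not code from the original write-up. It sends the same request three ways (direct, with Referer: https://www.baidu.com, and with the Baiduspider user agent) and reports which variants get a different answer; a site that is only hijacked for search-engine traffic fails this check. The host name tests.szqj.com and the string hot2019 are taken from the article; fake_fetch is a constructed stand-in for the hijacked server so the script runs offline, and http_fetch is the real HTTP client to use against a live server.

```python
"""Referer/User-Agent cloaking probe (added example, not from the original article)."""
import hashlib
import urllib.error
import urllib.request

# One request per entry; every answer is compared against "direct".
PROBES = {
    "direct": {},
    "baidu_referer": {"Referer": "https://www.baidu.com"},
    "baiduspider": {
        "User-Agent": "Mozilla/5.0 (compatible; Baiduspider/2.0; "
                      "+http://www.baidu.com/search/spider.html)"
    },
}


def http_fetch(url, headers):
    """Real fetcher: returns (status, body); a 404 is returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fake_fetch(url, headers):
    """Constructed stand-in for the hijacked server (no real traffic is sent).

    Search-engine visitors get gambling content on any path; direct visitors
    get the real site, or a 404 for paths that do not exist on disk.
    """
    from_search = ("baidu.com" in headers.get("Referer", "")
                   or "Baiduspider" in headers.get("User-Agent", ""))
    if from_search:
        return 200, b"<html><title>Online casino - best odds</title></html>"
    if "/hot2019/" in url:  # folder that is absent from the site directory
        return 404, b"<html><title>404 - Not Found</title></html>"
    return 200, b"<html><title>Company site</title></html>"


def probe(url, fetch=http_fetch):
    """Run every probe against url; return {name: (status, body_hash, body_len)}."""
    results = {}
    for name, headers in PROBES.items():
        status, body = fetch(url, headers)
        results[name] = (status, hashlib.sha256(body).hexdigest()[:16], len(body))
    return results


def cloaked_variants(results):
    """Names of the probes whose answer differs from the direct request."""
    base = results["direct"]
    return {name for name, answer in results.items() if answer != base}


if __name__ == "__main__":
    # Host from the article; the second path uses the string it filtered on later.
    for url in ("http://tests.szqj.com/", "http://tests.szqj.com/hot2019/index.html"):
        res = probe(url, fake_fetch)
        for name, (status, digest, size) in res.items():
            print(f"{url} [{name}] {status} {digest} {size}B")
        print("  differs for:", sorted(cloaked_variants(res)) or "none")
```

Run it with `probe(url)` (default http_fetch) against each site; an empty result from cloaked_variants means the site answers the same way regardless of where the visitor came from. Comparing a hash and length rather than the raw body keeps the output short when many sites are checked.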
I suspected that an illegitimate module had been loaded into IIS. To recover as quickly as possible, the plan was to reinstall IIS and test again.
Back up the IIS site configuration (this does not back up the site source files)
appcmd location: C:\Windows\System32\inetsrv
Backup command: appcmd.exe add backup <backup name>
Location of the backup: C:\Windows\System32\inetsrv\backup\<backup name> (this folder can be copied elsewhere)
List Backup:
appcmd.exe list backup
Restoring a backup
Restoring a backup stops IIS, rewrites the server configuration from the backup and then restarts IIS. If you do not want IIS stopped and restarted automatically, add /stop:false; you can then stop the running IIS yourself at a suitable moment and restart it manually afterwards.
appcmd.exe restore backup /backup.name:"XXX" /stop:false
appcmd.exe restore backup /backup.name:"XXX"
Deleting a Backup
appcmd.exe delete backup XXX
Once the backup is made, uninstall IIS and delete the following folders (they are not removed automatically when IIS is uninstalled and must be deleted by hand; it is best to back up whatever you delete):
C:\Windows\System32\inetsrv
C:\Windows\SysWOW64\inetsrv
C:\inetpub
Reference for removing IIS: https://jingyan.baidu.com/article/bad08e1e85e98009c951216e.html
After removing it, add IIS back through "Turn Windows features on or off". With the fresh install, the default test site served requests without any problem, which shows that IIS itself is fine.
But as soon as the backup was restored with appcmd and the sites were tested again, the Baidu snapshot was hijacked again, so the problem must be somewhere in the site configuration. After searching Baidu I finally found a process monitoring tool, FileMon.
This tool monitors the activity of a specified process.
After downloading it, set the filter (Ctrl+L) to show only the w3wp.exe process.
Set Path "contains" the path name hot2019, click Add, then OK; the result is shown below.
Analyzing the captured activity: when a request for tests.szqj.com reaches the server, the server in turn sends a request to a particular IP address. My guess is that this is the request that fetches the gambling content, so I blocked that IP on the firewall; after that, testing with a Baidu referer no longer returned the injected data. The next step is to work out how w3wp.exe comes to request data from that IP; still investigating, to be continued.