What to do when a Discuz site is compromised: fixing 360 Search snapshot hijacking
Today I helped a webmaster resolve a case of search snapshot hijacking on a Discuz website. Here is the specific process I followed:
1. Symptoms of website snapshot hijacking
Enter site:www.xxx.com into a search engine such as Baidu or 360, and the results contain illegal content such as pornography, gambling, and drugs.
On this website, the main symptom was that the snapshots in 360 and Sogou were hijacked, while Baidu's were not.

360 search snapshot hijacked

From this we can conclude that the hijacking is decided by program logic and specifically targets 360 Search.
Why hijack 360 snapshots rather than Baidu's?
I think the reason is that many webmasters use the site: command in Baidu to check how their website is indexed, so an infected website would be discovered quickly there.
Far fewer webmasters use the site: command in 360 Search, so the injected malicious code is harder to detect and survives longer.
2. Use the Discuz admin panel's file verification tool to check for abnormal files
Every webmaster who builds a site with Discuz should learn to use this tool. It lets you quickly narrow down which files need inspection.
After running the tool, we found that index.php and portal.php in the website's root directory showed signs of having been changed recently.
After overwriting these 2 files with the original source files, the snapshot hijacking still persisted.
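The kind of comparison this step relies on can be reproduced outside the admin panel. The following is an added example, not code from Discuz or from the original post: it hashes a live web root against a clean copy of the same release and reports modified, extra, and missing files. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root -> SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(live: Path, clean: Path) -> dict:
    """Classify files in the live tree against the clean release tree."""
    live_h, clean_h = tree_hashes(live), tree_hashes(clean)
    return {
        "modified": sorted(f for f in live_h if f in clean_h and live_h[f] != clean_h[f]),
        "extra": sorted(f for f in live_h if f not in clean_h),
        "missing": sorted(f for f in clean_h if f not in live_h),
    }


def demo() -> dict:
    """Build two constructed trees that mirror the case in this article."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "portal.php").write_text("<?php // stock portal\n")
            (root / "forum.php").write_text("<?php // stock forum\n")
        # Constructed tampering: two changed entry points plus planted files.
        (live / "index.php").write_text("<?php include 'x'; // tampered\n")
        (live / "portal.php").write_text("<?php include 'x'; // tampered\n")
        (live / "0").write_text("placeholder for the extensionless file\n")
        (live / "b6" / "news").mkdir(parents=True)
        (live / "b6" / "news" / "1.txt").write_text("spam text\n")
        return compare_to_baseline(live, clean)


if __name__ == "__main__":
    print(demo())
```

Overwriting only the "modified" files leaves everything in "extra" in place, which matches the hijacking persisting after this step. On a real site the "extra" list also contains legitimate uploads, caches, and configuration, so it needs triage rather than blind deletion.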
3. Identify suspicious directories based on prior experience investigating injected malicious code
I spotted a suspicious file named "0".

This file hides its file extension, so it is generally not easy to notice.
After downloading the file and opening it in Notepad++, its true nature finally became clear.

The content in the red box above is encrypted; I decrypted it to better understand where the malicious code is located.
In the bottom red box we see a "document_root". After decryption, we get a directory address: **/b6/
After locating that directory, we found anomalies under the b6 directory.
Anomaly 1: There are two extra folders: news and work
Opening them shows files such as txt and jpg inside. The txt content closely resembles the hijacked content in the website's snapshots, so you can basically confirm that these two directories hold the injected malicious files.

The red box marks the malicious files, and the blue box marks the normal files
Anomaly 2: There are 11 sequentially named pictures in the b6 directory, but after downloading them, none of them displays a thumbnail, and image software reports them as corrupt when opening them.
Then try opening one in Notepad:

Do you see the content in the red box?
This code determines which search engine is involved and then performs a targeted redirect hijack.
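Both anomalies in this section (the extensionless file "0" and the "pictures" that are really code) can be found mechanically. The scanner below is an added example, not part of the original post: it flags files whose image extension does not match their leading magic bytes, and image or extensionless files that contain script markers. It assumes the embedded code is PHP, since Discuz is a PHP application; the sample files in demo() are constructed and inert.

```python
import tempfile
from pathlib import Path

# Leading magic bytes for the image types checked here.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_MARKERS = (b"<?php", b"eval(", b"base64_decode(")


def inspect_file(path: Path) -> list:
    """Return the reasons a file looks disguised (empty list = nothing found)."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    reasons = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("image extension but not image content")
    if (ext in MAGIC or ext == "") and any(m in data for m in SCRIPT_MARKERS):
        reasons.append("contains script code")
    return reasons


def scan(root: Path) -> dict:
    """Walk a web root and map each flagged relative path to its reasons."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict:
    """Constructed sample tree: one real PNG header, three disguised files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "b6").mkdir()
        (root / "b6" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        (root / "b6" / "1.jpg").write_bytes(b"<?php /* constructed stand-in */ ?>")
        (root / "b6" / "2.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php /* appended */ ?>")
        (root / "0").write_bytes(b"<?php /* constructed stand-in */ ?>")
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

The second check matters because a file can carry a valid image header and still have code appended after it, as 2.jpg does in the sample.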
4. Delete all suspicious files and overwrite the modified files with the source files
Now comes the most important step. We deleted all the suspicious directories and files found above, and then overwrote the website with the original source files to make sure nothing was missed.
Then go to 360 Search, run the site: command, and click a previously hijacked link to check whether it now behaves normally.
5. File a complaint to have the hijacked snapshots deleted
Although the injected malicious files have been removed, the hijacked snapshots will remain in the search engines for some time.
The next step is to file a complaint with the search engine and request deletion of the snapshots so that they return to normal.

Snapshot deletion complaint
At this point, the problem of the website's snapshots being hijacked has been solved.
What are the dangers of snapshot hijacking?
First, a hijacked snapshot misleads the website's users and makes them distrust the website, which in turn leads to a loss of users.
Second, it causes search engines to demote the website, which affects its ranking, traffic, and so on.
So, for the security of your website, please do the following:
1. Use a complex server password, and ideally change it regularly;
2. Patch vulnerabilities in server software promptly;
3. Download plug-ins, templates, etc. from legitimate websites whenever possible, and avoid pirated products;
4. Develop the good habit of backing up your website regularly.