What is the first thing to do after a website is hacked? 99% of people get it wrong.
What are you most afraid of after building a website? Not low traffic, but opening your official website in the morning to find it redirecting to gambling sites or pornographic pages, or with its content changed beyond recognition.
I have received many similar requests recently: "Customers clicked on the website and it turned into an XX live stream", "Search our company name on Baidu and the result you click on is someone else's advertisement", "The admin login page has vanished into thin air."

It is like arriving at your physical store in the morning to find that the sign over the door has been changed and a group of strangers is sitting inside doing business. This is called website hijacking or tampering.
Many bosses' first reaction is to restart the server or have the programmer change the passwords. But this usually treats the symptoms rather than the root cause, and may even destroy the evidence.
Today, in plain language, we explain what to do in this situation and why it is best to hand it over to professional operation and maintenance (ops) staff.
1. Three-step first aid: as the boss or administrator, what should you do right now?
If the website has been hacked, follow these steps in order and do not skip ahead!
Step 1: [Stop now] - Don't rush to change passwords; preserve the scene first
The instinctive reaction of many non-technical staff is to log in to the admin panel and set a complex new password. Wait!
If the hacker has left a backdoor program on the website, changing your password will not lock him out. Instead, your own logins will overwrite the access log entries the hacker left behind, so the subsequent professional investigation may no longer be able to find the point of entry.
Correct practice: notify your operation and maintenance provider and keep the server exactly as it is. Don't restart it and don't reinstall.
Step 2: [Isolate] - Cut the traffic, but do not shut down
If the website now shows illegal gambling or pornographic content and customers are complaining, suspend DNS resolution at your domain provider (or temporarily resolve the domain to 127.0.0.1) so that visitors see an "Under Maintenance" notice instead of the tampered content.
Remember: do not power off the server. While it is running, the malicious process is still in memory and the live state can be captured; after a shutdown, persistent malware restarts on boot anyway, but the investigation becomes much harder.
Step 3: [Quick self-check] - These are the places most likely to be compromised
If you know a little about technology, you can take a first look at these hardest-hit areas (leave the rest to us later):
Check the root directory: was the modification time of index.php or index.html within the last few hours?
Check the copyright footer: use Ctrl + F in the page source to look for gambling keywords or links hidden with display: none.
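The two self-checks above (recent modification times, hidden links) as a read-only shell script; this is an added example, not from the original article, and the sample web root, file names and gambling domain it creates are constructed.

```shell
#!/bin/sh
# Added triage script (not from the original article): read-only checks of a web root
# for the two signs above, recent file modifications and links hidden with display:none.
# The sample web root, file names and gambling domain below are constructed.

# Print files under $1 modified within the last $2 hours (default 24).
# Read-only, so the scene stays intact for the later professional investigation.
recent_mods() {
  find "$1" -type f -mmin "-$((${2:-24} * 60))" | sort || true
}

# Print file:line:content for markup that both hides content and carries a link,
# the classic "dark link". Injected code varies in case and spacing, so match loosely.
hidden_links() {
  grep -rniE --include='*.html' --include='*.php' \
    'display[[:space:]]*:[[:space:]]*none' "$1" 2>/dev/null | grep -iE '<a[^>]*href' || true
}

# Constructed sample: an untouched home page dated 2020 and a freshly edited footer
# carrying a hidden gambling link, like the case described in the article.
make_sample_webroot() {
  root="$(mktemp -d)"
  printf '<html><body><h1>Company</h1></body></html>\n' > "$root/index.html"
  touch -t 202001010000 "$root/index.html"
  printf '<div>Copyright 2024</div>\n' > "$root/footer.php"
  printf '<div style="display: none"><a href="http://casino.example">bet</a></div>\n' >> "$root/footer.php"
  echo "$root"
}

# Run both checks against a web root; returns 1 (suspicious) when either finds something.
triage() {
  mods="$(recent_mods "$1" "${2:-24}")"
  links="$(hidden_links "$1")"
  [ -n "$mods" ] && printf 'Modified in the last %sh:\n%s\n' "${2:-24}" "$mods"
  [ -n "$links" ] && printf 'Hidden links:\n%s\n' "$links"
  [ -z "$mods$links" ]
}

# Demo against the constructed sample; on a real server run e.g.: triage /var/www/html 6
if [ "${1:-}" = "--demo" ]; then
  triage "$(make_sample_webroot)" || echo 'Suspicious: preserve the server and call your ops provider.'
fi
```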
2. Why don't we recommend that customers "kill the virus" themselves?
Many customers think, "Programmers can write code, so surely they can remove a virus?" There is a cognitive gap here:
Development (writing code) versus security operation and maintenance
Programmers who write code are like the architect, responsible for designing and putting up the building.
Security operation and maintenance staff are like a security company, responsible for preventing break-ins, catching the thief, cleaning up the traces, and reinforcing the doors and windows.
The risks of doing it yourself are extremely high:
Cannot clean it out completely: the "one-sentence Trojan" (a one-line web shell) left by the hacker may be disguised as an image and hidden in any of hundreds of folders; you could search with the naked eye for ten years and never find it.
Blocked by search engines: if the page carries a "dark link" (a hidden gambling link), Baidu and Google will mark your website as a "dangerous website" once they detect it, and your traffic drops straight to zero. This stain takes a long time to clear.
All data lost: the most common ransomware encrypts all the customer data and product images on your website. Changing the password can trigger the virus logic, after which the files can no longer be opened.
3. How does professional operation and maintenance solve the problem at the root?
Since you are reading this article, let's be direct: if you ask us to handle it, what can we do that others cannot?
1. Comprehensive "flaw detection" scanning with no blind spots
We do not use 360 antivirus; we use WebShell scanning tools and abnormal-process monitoring aimed at the underlying Linux/Windows server. We are looking for the "backdoor process" hiding behind normal programs. For example, some Trojans hide their code in the system's scheduled tasks and automatically re-download the virus from an overseas IP every hour. Changing the password does nothing against that.
2. Log tracing - finding out "how the door was opened"
The point that confuses many customers most is: "My password is very complicated. How was I hacked?"
By analyzing the server logs, we will tell you the truth:
Are you using a cracked theme or plugin? (WordPress is the hardest-hit area)
Was it a vulnerability in the neighbouring website on the same server that dragged yours down? (Cross-site contamination)
Did the FTP password leak over cafe WiFi?
Only by finding the entrance and blocking it can we ensure that it does not happen again tomorrow.
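The log tracing described above, as an added example that is not part of the original article: given a tampered file, find the earliest write requests to it in the web server access log and which clients made them. The log lines, IPs, paths and times are constructed in the common combined log format.

```shell
#!/bin/sh
# Added example (not from the original article): trace a tampered file back through the
# web server access log to see which client wrote to it, and when. The log lines are
# constructed in the combined log format; IPs, paths and times are all made up.

# Earliest write requests (POST/PUT) to URI path $2 in access log $1: time, client, request.
# Access logs are chronological, so the first line printed is the first write seen.
first_writes() {
  awk -v p="$2" '$6 ~ /^"(POST|PUT)$/ && $7 == p { print $4 "]", $1, $6, $7 "\"" }' "$1"
}

# Which clients issued write requests at all, busiest first: "count ip" per line.
write_sources() {
  awk '$6 ~ /^"(POST|PUT)$/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample log: one client logs in to the admin panel and then saves a theme
# file through the built-in editor; an unrelated visitor later fetches the tampered footer.
make_sample_log() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
203.0.113.5 - - [10/Jan/2024:02:58:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2315 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:02:59:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:03:01:17 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:09:30:00 +0000] "GET /footer.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
EOF
  echo "$f"
}

# Demo against the constructed log; on a real server point it at /var/log/nginx/access.log
if [ "${1:-}" = "--demo" ]; then
  log="$(make_sample_log)"
  echo 'First writes to the theme editor:'; first_writes "$log" /wp-admin/theme-editor.php
  echo 'Clients issuing writes:'; write_sources "$log"
fi
```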
3. Search engine "reputation cleanup" service
After the website has been repaired, if searching your company name still returns "This website may contain malware", we can help you file a malware review appeal with Baidu/Google to restore your official website's credibility as soon as possible.
4. Disaster recovery and migration
If the server environment is already rotten through (for example, infected with a persistent mining virus), we will help you migrate: build a clean environment on a new server, move the database and images over cleanly, and decommission the old server outright. The whole process will not affect your daytime business.