What should I do if my website is attacked? How to find the source of website vulnerability attacks-Linux Operation and Maintenance-php.cn

Home

Operation and Maintenance

Linux Operation and Maintenance

What should I do if my website is attacked? How to find the source of website vulnerability attacks

步履不停

Jun 25, 2019 pm 03:51 PM

loopholes

What should I do if my website is attacked? How to find the source of website vulnerability attacks

Many corporate websites have been attacked, causing the website to jump to other websites, especially some lottery and other illegal websites. Some websites have even been attacked and cannot be opened, and customers cannot access the homepage. , causing great economic losses to customers. Many customers come to our SINE security company to seek solutions to prevent website attacks. In response to this situation, our security department’s technology will teach everyone how to find attacks after a website is attacked. sources and detect vulnerabilities in the website to prevent the website from being attacked again.

After the website is hacked and attacked, the first thing we need to check is to package and compress the website’s access logs, save them completely, and record them according to the time of the problem reported by the customer, the characteristics of the attack, etc. Then analyze the website logs one by one. The website access log records all users’ visits to the website, as well as the pages visited, and the error messages on the website, which can help us find the source of the attack and the vulnerabilities in the website. You can also find out and fix the website's vulnerabilities.

Let’s take the website of a certain enterprise customer some time ago as an example: first look at this log record:

2019-06-03 00:01:18 W3SVC6837 202.85.214.117 GET / Review.aspx class=1&byid=23571

80 - 101.89.239.230 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NE

T CLR 2.0.50727; . NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6

.0; .NET4.0C; .NET4.0E; InfoPath.3; rv:11.0) like Gecko 200 0 0

Through the above website access log, we can see that the user’s access IP, the time of accessing the website, the Windows system used, the browser version used, and the status of accessing the website will be written 's very clear. So after the website is attacked, how to check the logs to trace the traces of the attack?

First of all, we need to communicate with the customer to determine the specific time period when the website was attacked, narrow down the log range through time, check the website logs one by one, and also detect the Trojan file names that exist on the website. , search the logs, find the file name, and then trace the attacker’s IP. Use the above clues to trace the source of the website’s attack and website vulnerabilities. The log opening tool uses notepad. Some websites use Linux servers and you can use some Linux commands to view the logs. The specific commands are as follows

Picture:

What should I do if my website is attacked? How to find the source of website vulnerability attacks

A webshell Trojan file was uploaded to a customer website. The attacker tampered with the website by accessing the script file. The title description on the homepage was tampered with the content of the lottery. Clicking on the website from Baidu jumped to other websites. The customer himself did After being promoted by Baidu, they suffered heavy losses and found us at SINE Security. We extracted the website's access logs based on the customer's attack characteristics, and traced the source of the website's attacks and the vulnerabilities in the website. We checked the access records of all user IPs on that day through time. First, we manually checked the webshell file in the root directory of the website. We searched the log through the demo.php and saw that there was an IP that was constantly accessing the file. , we extracted and analyzed all access records of the IP and found that the attacker visited the upload page of the website and uploaded the website Trojan backdoor through the upload function.

What should I do if my website is attacked? How to find the source of website vulnerability attacks Through the IP traced through the above logs and the website access records, we found the loopholes in the website. The upload function of the website did not perform security judgment and filtering on the uploaded file format, resulting in When uploading aspx, php and other execution scripts, the upload directory of the website has not been set up for security, and the execution permission of the script has been cancelled. In response to the above situation, our SINE security repaired the customer's website vulnerability and restricted the execution of only images and other formats. File upload, secure deployment of the website's upload directory, and a series of website security reinforcements. After the website is attacked, don't panic first. You should analyze the website's logs as soon as possible to find the source of the attack and the vulnerabilities in the website. If you don’t know much about the website, you can also find a professional website security company to handle it. Let the professionals do the professional things. Whether it is the website’s logs or the website’s source code, we must use them to find them thoroughly. The root cause of website attacks.

For more Linux articles, please visit the Linux Tutorial column to learn!

The above is the detailed content of What should I do if my website is attacked? How to find the source of website vulnerability attacks. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Linux Operations: Utilizing the Maintenance ModeApr 19, 2025 am 12:08 AM

Linux maintenance mode can be entered through the GRUB menu. The specific steps are: 1) Select the kernel in the GRUB menu and press 'e' to edit, 2) Add 'single' or '1' at the end of the 'linux' line, 3) Press Ctrl X to start. Maintenance mode provides a secure environment for tasks such as system repair, password reset and system upgrade.

Linux: How to Enter Recovery Mode (and Maintenance)Apr 18, 2025 am 12:05 AM

The steps to enter Linux recovery mode are: 1. Restart the system and press the specific key to enter the GRUB menu; 2. Select the option with (recoverymode); 3. Select the operation in the recovery mode menu, such as fsck or root. Recovery mode allows you to start the system in single-user mode, perform file system checks and repairs, edit configuration files, and other operations to help solve system problems.

Linux's Essential Components: Explained for BeginnersApr 17, 2025 am 12:08 AM

The core components of Linux include the kernel, file system, shell and common tools. 1. The kernel manages hardware resources and provides basic services. 2. The file system organizes and stores data. 3. Shell is the interface for users to interact with the system. 4. Common tools help complete daily tasks.

Linux: A Look at Its Fundamental StructureApr 16, 2025 am 12:01 AM

The basic structure of Linux includes the kernel, file system, and shell. 1) Kernel management hardware resources and use uname-r to view the version. 2) The EXT4 file system supports large files and logs and is created using mkfs.ext4. 3) Shell provides command line interaction such as Bash, and lists files using ls-l.

Linux Operations: System Administration and MaintenanceApr 15, 2025 am 12:10 AM

The key steps in Linux system management and maintenance include: 1) Master the basic knowledge, such as file system structure and user management; 2) Carry out system monitoring and resource management, use top, htop and other tools; 3) Use system logs to troubleshoot, use journalctl and other tools; 4) Write automated scripts and task scheduling, use cron tools; 5) implement security management and protection, configure firewalls through iptables; 6) Carry out performance optimization and best practices, adjust kernel parameters and develop good habits.

Understanding Linux's Maintenance Mode: The EssentialsApr 14, 2025 am 12:04 AM

Linux maintenance mode is entered by adding init=/bin/bash or single parameters at startup. 1. Enter maintenance mode: Edit the GRUB menu and add startup parameters. 2. Remount the file system to read and write mode: mount-oremount,rw/. 3. Repair the file system: Use the fsck command, such as fsck/dev/sda1. 4. Back up the data and operate with caution to avoid data loss.

How Debian improves Hadoop data processing speedApr 13, 2025 am 11:54 AM

This article discusses how to improve Hadoop data processing efficiency on Debian systems. Optimization strategies cover hardware upgrades, operating system parameter adjustments, Hadoop configuration modifications, and the use of efficient algorithms and tools. 1. Hardware resource strengthening ensures that all nodes have consistent hardware configurations, especially paying attention to CPU, memory and network equipment performance. Choosing high-performance hardware components is essential to improve overall processing speed. 2. Operating system tunes file descriptors and network connections: Modify the /etc/security/limits.conf file to increase the upper limit of file descriptors and network connections allowed to be opened at the same time by the system. JVM parameter adjustment: Adjust in hadoop-env.sh file

How to learn Debian syslogApr 13, 2025 am 11:51 AM

This guide will guide you to learn how to use Syslog in Debian systems. Syslog is a key service in Linux systems for logging system and application log messages. It helps administrators monitor and analyze system activity to quickly identify and resolve problems. 1. Basic knowledge of Syslog The core functions of Syslog include: centrally collecting and managing log messages; supporting multiple log output formats and target locations (such as files or networks); providing real-time log viewing and filtering functions. 2. Install and configure Syslog (using Rsyslog) The Debian system uses Rsyslog by default. You can install it with the following command: sudoaptupdatesud

See all articles