What should I do if my website is attacked? How to find the source of website vulnerability attacks

Many corporate websites have been attacked, causing the website to jump to other websites, especially some lottery and other illegal websites. Some websites have even been attacked and cannot be opened, and customers cannot access the homepage. , causing great economic losses to customers. Many customers come to our SINE security company to seek solutions to prevent website attacks. In response to this situation, our security department’s technology will teach everyone how to find attacks after a website is attacked. sources and detect vulnerabilities in the website to prevent the website from being attacked again.

After the website is hacked and attacked, the first thing we need to check is to package and compress the website’s access logs, save them completely, and record them according to the time of the problem reported by the customer, the characteristics of the attack, etc. Then analyze the website logs one by one. The website access log records all users’ visits to the website, as well as the pages visited, and the error messages on the website, which can help us find the source of the attack and the vulnerabilities in the website. You can also find out and fix the website's vulnerabilities.

Let’s take the website of a certain enterprise customer some time ago as an example: first look at this log record:

2019-06-03 00:01:18 W3SVC6837 202.85.214.117 GET / Review.aspx class=1&byid=23571

80 - 101.89.239.230 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NE

T CLR 2.0.50727; . NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6

.0; .NET4.0C; .NET4.0E; InfoPath.3; rv:11.0) like Gecko 200 0 0

Through the above website access log, we can see that the user’s access IP, the time of accessing the website, the Windows system used, the browser version used, and the status of accessing the website will be written 's very clear. So after the website is attacked, how to check the logs to trace the traces of the attack?

First of all, we need to communicate with the customer to determine the specific time period when the website was attacked, narrow down the log range through time, check the website logs one by one, and also detect the Trojan file names that exist on the website. , search the logs, find the file name, and then trace the attacker’s IP. Use the above clues to trace the source of the website’s attack and website vulnerabilities. The log opening tool uses notepad. Some websites use Linux servers and you can use some Linux commands to view the logs. The specific commands are as follows

Picture:

A webshell Trojan file was uploaded to a customer website. The attacker tampered with the website by accessing the script file. The title description on the homepage was tampered with the content of the lottery. Clicking on the website from Baidu jumped to other websites. The customer himself did After being promoted by Baidu, they suffered heavy losses and found us at SINE Security. We extracted the website's access logs based on the customer's attack characteristics, and traced the source of the website's attacks and the vulnerabilities in the website. We checked the access records of all user IPs on that day through time. First, we manually checked the webshell file in the root directory of the website. We searched the log through the demo.php and saw that there was an IP that was constantly accessing the file. , we extracted and analyzed all access records of the IP and found that the attacker visited the upload page of the website and uploaded the website Trojan backdoor through the upload function.

Through the IP traced through the above logs and the website access records, we found the loopholes in the website. The upload function of the website did not perform security judgment and filtering on the uploaded file format, resulting in When uploading aspx, php and other execution scripts, the upload directory of the website has not been set up for security, and the execution permission of the script has been cancelled. In response to the above situation, our SINE security repaired the customer's website vulnerability and restricted the execution of only images and other formats. File upload, secure deployment of the website's upload directory, and a series of website security reinforcements. After the website is attacked, don't panic first. You should analyze the website's logs as soon as possible to find the source of the attack and the vulnerabilities in the website. If you don’t know much about the website, you can also find a professional website security company to handle it. Let the professionals do the professional things. Whether it is the website’s logs or the website’s source code, we must use them to find them thoroughly. The root cause of website attacks.

For more Linux articles, please visit the Linux Tutorial column to learn!

The above is the detailed content of What should I do if my website is attacked? How to find the source of website vulnerability attacks. For more information, please follow other related articles on the PHP Chinese website!