What to do if dedecms is hacked

What to do if dedecms is hacked

If your website is hacked and a backdoor file is uploaded, generally There may be more than one backdoor, and there may be many backdoor files, and they will be disguised as normal files. If you want to remove them, you can generally remove the virus files in the original program by searching for backdoors. This method takes a long time, and there are inevitably some omissions. .

The method and idea introduced in this article is: only retain absolutely safe content, and cover online programs with new and safe program files, which can prevent backdoor residues to the greatest extent and make the website as new as ever. This idea can be applied to most programs, such as dz, etc.

1. Back up the files in the compromised website directory and backup the database (to retain evidence and data)

Back up first and then operate, super important! ! !

Back up the program files through compression and packaging, and then back up the data inventory into sql files through phpmyadmin to back up the data to prevent data loss after misoperation.

Prompt again, ↑↑↑ This step is super important!

　------The following are the quick recovery steps after dedecms is invaded------

2. Download the new Dreamweaver program and unzip it locally , do preliminary security processing

Go to the official website of Dreamweaver to download the new program package: http://www.dedecms.com/products/dedecms/downloads/, please pay attention to the corresponding encoding version, it is recommended to use UTF-8 version, more compatible.

1. Delete the following folders: /member, /special, /install, /templets/default (if you need the membership function, you can keep the /member directory).

　2. The /plus folder only retains the following contents: /plus/img, /plus/count.php, /plus/diy.php, /plus/list.php, /plus/search.php, /plus/view.php, delete everything else.

　3. Rename the /dede folder, which is the background login address, to a name that only you know.

3. Restore database connection files, recovery templates and uploaded image files

Find the following files from your backup package and merge them into the folder in the previous step. , note that the location and name must be covered in one-to-one correspondence.

　1. Copy /data/common.inc.php to the package and overwrite it. This is the database connection information

　2. Copy /data/config.cache.inc.php to the package and overwrite it. This is the site configuration cache. Check whether the content text in this file has been modified.

The following directories need to be processed for security first: check whether there are php, asp and other files in the directory, and delete them if they are. You can also use security scanning software, such as D-Shield, Security Dog, etc., to scan for backdoor files.

　3. Copy the template and related css, js files: /templets/template folder, /style, /css, /layout, /static, etc., according to the actual situation of your template

4. Copy /uploads to the package and overwrite it. This is the uploaded pictures, attachments, etc.

The following may be optional:

5. Copy /include/extend.func.php to the package and overwrite it. This is a custom function. If there is no secondary development, this file can be skipped

6. Other files that you have secondary developed and modified

4. Overwrite the original Site

1. Clear all files in the online site (it is recommended to stop the website first and then clear it)

2. Use FTP to upload the merged program file package to your host space, you should know this step well

After the upload is completed, your site will be restored.

Key points of this method:

1. Replace the compromised program with a new program

2. Connect the new program to the original database.

3. After recovery, please log in to the backend, check if there is any unfamiliar administrator account, and change your own administrator account password.

5. Security precautions of Dreamweaver

1. Most of Dreamweaver’s vulnerabilities come from its plug-in part (plus). By prohibiting the writing of plus and other directories, Most intrusions can be eliminated. For specific methods, please refer to another article on this site "Dreamweaver CMS Security Settings Guide" https://www.think3.cc/?id=5

2. WAF firewall: Generally, it is invaded through Scan the above locations with security risks to achieve the purpose of uploading backdoors. Most WAFs can block this type of scanning, such as nginx/apache request filtering, security dog ​​iis version, etc.

3. Program directory permissions: Most intrusions require you to first write a new Trojan horse file to your server, and then access and execute this file to achieve the purpose of modifying the entire site. Strictly setting directory write permissions and strictly setting directory executable permissions can also effectively prevent most intrusions.

For example: In nginx, the upload directory execution program can be restricted through pseudo-static rules

PHP
location ~* ^/(a|data|templets|uploads|style|css|js|static|layout|assets|cache)/.*\.(php|php5|asp|jsp|aspx|py)$ {
deny all;
}

For more dedecms technical articles, please visit the dedecms usage tutorial column!

The above is the detailed content of What to do if dedecms is hacked. For more information, please follow other related articles on the PHP Chinese website!