Shangpin China provides you with complete website solutions and operational technical support

Attack steps

target of attack

Hacking

Countermeasures

Supplementary notes

Step 1: Scan the back door

Server Web Site

Scan the website running on the server for vulnerabilities, so as to upload malicious files in the next step.

The firewall prohibits scanning.

Basically, firewalls can only judge conventional malicious scanning. Attackers often scan through the 80 web port. The server should be understood as a normal access behavior. Therefore, firewalls have limited protection capabilities in this phase.

Step 2: Upload the back door

Server hard disk

Upload trojans, webshells and other malicious programs through the scanned vulnerabilities, so as to embed malicious code into website pages or databases in the next step.

Antivirus software identifies and deletes some malicious programs.

At present, the principle of anti-virus software is based on the feature code identification technology. If the malware uploaded by hackers is manually written or the latest malware tools, anti-virus software often cannot be identified normally. Therefore, at this stage, anti-virus software can eliminate 80% of the malware uploaded to the service hard disk, but cannot identify all of them.

Step 3: Embed code

Website page file and database

Embed malicious code into website page files and databases through uploaded trojans or webshells.

Lock the page file modification permission, and add the database tamper proof code module.

Locking page file modification permissions is more effective, but for database tamper resistant code, because of the diversity of embedding methods, only about 60% of the database embedding behavior can be prevented, but setting the website database as access file data without storage procedures and runtime environment can effectively prevent database tampering.

Step 4: Website is attacked

Website page file and database

The website page and database already contain malicious code.

Page code separation software removes malicious code from website pages in batches; The database cleaning script cleans the malicious code in the database.

In principle, the cleaning process can generally be completed within 2 minutes and does not affect the original data of the website. However, considering the specific implementation situation, it generally takes longer to respond to the request for data cleaning.

In principle, the embedded malicious code is just a link to call a remote page. Because there are trojans or other malicious programs on the called remote page, website visitors will be prompted to find trojans or viruses when visiting, but the embedded code is completely reasonable and harmless in program syntax or characteristics, Therefore, the anti-virus software on the server cannot make any response at all, and the attached code can only be cleared manually.