How to deal with website domain name hijacking
Source: Shangpin China |
Type: website encyclopedia |
Time: 2015-02-21
We all know that there are always security problems on the Internet, such as DDOS attacks, domain name hijacking, trojans controlling the host, web page tampering, and network counterfeiting. Among these, domain name hijacking has the greatest impact and harm on websites. The search engine is an important tool for our daily network information retrieval. You can retrieve the information you need only by entering keywords. This information is actually a snapshot of the website by the search engine, and the snapshot itself has security problems, Therefore, we will find that the website title and description on the snapshot of some websites are different from the website itself. this paper Marketing website construction The company Shangpin China will analyze and summarize some reasons and countermeasures for domain name hijacking.
1. Domain name hijacking
At present, there are many products providing search engine services, such as Baidu, Google, Sogou, Youdao, etc. Their application technologies are quite different. The core technologies are generally regarded as the company's technical secrets, which we do not know, but there is a data snapshot stored on the search engine server. When users input keywords, The search engine searches on the snapshot server through the search function, and lists the results in order by the time they are included or other indexes to provide information for users.
However, in the process of use, if a website is implanted with a Trojan program, it means that a website is searched through a search engine, and the website name and domain name in the search results are consistent with the actual situation. When opening this website, the first 1 to 2 seconds are the resolution of the website domain name when opening the website, there is no exception, but after about 1 second, the website opened is another website or an illegal website, The IP address of domain name resolution is correct without any exception.
Similar problems are often referred to as "domain name hijacking". There are many reasons for this. With the increasing popularity of Internet applications in social life, the network environment has become increasingly complex and changeable. This phenomenon warns website administrators to attach great importance to network security and constantly improve their ability to deal with new security threats.
2. Injected code
Injecting code and embedding trojan files are common techniques used by hackers. When injecting code, when the injected file is accessed by any viewer, the injected code starts to work. Using the FSO function of the system, a trojan file is formed. The hacker uses the trojan file to control the server, not just the folder where the Web is located. Of course, Some hackers do not need to control the server. They just inject some black links into the Web files. When they open the website, no extra content will appear, but the opening speed is many times slower than normal, because the entire website will not be fully opened until these black links take effect. If it is a black link, it only needs to be cleared, but the file is planted with trojans or characters, It is difficult to find.
3. Main features
After repeatedly searching for the reasons, the main characteristics of domain name hijacking were found. After analyzing the characters embedded by hackers, The use of the "window. location. href 'js statement will also cause the website management to fail to log in. After the administrator enters the user name and password in the management login window, when the user passes the authentication, some information of the user will be transferred to other files through the session, but The "window, location. href" statement makes the authentication phase impossible, and the user's form cannot be submitted to the authentication file normally. If the system uses the authentication code, the "window. location. href" statement can make the authentication code expire, and the entered authentication code is invalid, causing the website to fail to log in normally.
These features mainly include the following:
(1) Highly technical
By making full use of the characteristics of MS Windows, the file is stored in a folder, and special characters are processed for this file. Normal methods cannot be deleted, copied, or even seen. It is only detected that there are trojan files in this folder, but they cannot be viewed (the system completely displays hidden files), and they cannot be deleted or copied.
(2) Strong concealment
The generated trojan file name is very similar to the file name of the Web system. If it is identified from the file name, it is impossible to judge. Moreover, these files are usually placed in many levels of subfolders under the web folder, making it impossible for administrators to find them. The characters planted in the file are also very hidden, only a few characters, and generally cannot be found.
(3) Highly destructive
If a site is planted with trojans or characters, the whole server is equivalent to being completely controlled by hackers, which can be considered as devastating. But these hackers do not aim to destroy the system, but use the Web server to hijack the website they want to display. Therefore, if some websites are hijacked, they will be transferred to some illegal websites, causing adverse consequences.
4. Coping methods
Through the analysis of the causes, it is mainly to obtain read and write permissions on the website server, website files and folders. In view of the main causes and ways of the problem, it is possible to prevent and eliminate the problem of domain name hijacking by using the security settings of the server and improving the security of the website program.
(1) Check the event manager and clean up suspicious files in the Web site
There is an event manager in the Windows network operating system. No matter how the hacker obtains the operation authority, the event manager can see the exception. Through the exception event and date, the change of the file within the date can be found in the Web station. For the file that can execute the code, it is necessary to check whether it is marked with code or changed, Clean up the newly added executable code files.
(2) Configure Web site folder and file operation permissions
In the Windows network operating system, the super administrator permission is used to configure permissions for Web site files and folders. Most of them are set to read permissions, and write permissions are used carefully. If the super administrator permission cannot be obtained, the trojan cannot take root, and the possibility of website domain names being hijacked can be greatly reduced.
(3) Strengthen the anti SQL injection function of the website
SQL injection is a method to use the characteristics of SQL statements to write content to the database so as to obtain permissions. When accessing the MS SQL Server database, do not use the sa default user with large permissions. You need to establish a dedicated user who only accesses the system database and configure it as the minimum permissions required by the system.
Source Statement: This article is original or edited by Shangpin China's editors. If it needs to be reproduced, please indicate that it is from Shangpin China. The above contents (including pictures and words) are from the Internet. If there is any infringement, please contact us in time (010-60259772).
