With the recent disclosure of Alipay security vulnerabilities, network security problems have become ever more serious. As an information security practitioner, I feel the weight of the responsibility, and the road ahead is long. It is foreseeable that in the near future the contest between black hats and white hats will spread into every major industry, and the stakes of that fight cannot be overstated. To prepare for the decisive battle ahead, we must first fully understand these unknown and mysterious opponents.
Cybercrime (the "black industry") takes many forms. Some are direct, such as breaking into web servers to steal data and resell it; others are more concealed, such as hijacking search engine traffic, which looks quiet on the surface but hides a long black industry chain behind it.
When I talk to friends about the word "hacker", what comes to their minds is often something mysterious and distant, yet hackers are close to us. Being responsible for customer website security is one of my daily tasks. Besides analyzing websites for security vulnerabilities, I also assess the overall security of a website with some everyday tools, such as search engines. I believe most people use search engines every day, but there may be details we have never paid attention to, and without realizing it we may become part of the black industry chain.
Search engines are the most direct way for a website to reach its customers, and I believe most people reach websites through a search engine. For me, search engines have another use: checking the status of a website (ranking, indexing, security, and so on).
Generally, every day I open a search engine to check the security of customer websites, and today was no exception. However, while querying information about one customer's website, some strange and sensitive content turned up:
Gambling-related content (apart from news pages) had appeared on a government website, which is obviously not compliant. Setting aside the possibility that an administrator added it by mistake, this site has most likely been hacked. Proceeding cautiously, I decided to study it in depth.
First I visited the link from the search result; a normal government page appeared in the browser, and then the page instantly jumped to the betting page.
Figure 1 shows the normal government page:
Figure 2 shows the betting page:
You can see that the domain name of the betting page is www.0980828.com, clearly not the government website's domain xxxx.gov.cn. Seeing this phenomenon, and combining it with years of security experience, I can roughly guess that this site has been search engine hijacked. So-called search engine hijacking is currently a favourite technique of black-hat SEO and the black industry. It is usually implemented by compromising high-weight sites (government and educational institutions), then modifying the site's source code, planting a parasite program, or setting up a reverse proxy under a second-level directory. Search engine hijacking can be divided into server-side hijacking, client-side hijacking, Baidu snapshot hijacking, Baidu search hijacking, and so on; it can manifest as a redirect or as hijacked page content, and it is widely used by high-profit grey industries such as private game servers and gambling.
By capturing the packets from the process above, it is not hard to see that a piece of malicious code has been injected into the website's home page.
The code is hosted on the server 126.96.36.199; looking up the server information shows that it is located in Japan.
Requesting this code directly, the content returned is a redirect to www.0980828.com.
At this point it is easy to see why the page jumps: the xxxx.gov.cn web page has been illegally injected with a piece of code that, when the page is accessed, sends the visitor to the betting page. This is the most basic and common form of search engine hijacking; there are many variants and different techniques. Based on a period of investigation I have also summarized some related material; for details see [Search Engine Hijacking Analysis](http://thief.one/2016/10/12/%E9%BB%91%E5%B8%BDSEO%E4%B9%8B%E7%BD%91%E9%A1%B5%E5%8A%AB%E6%8C%81/).
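The check I run by hand above (look at the home page, find a script loaded from a host that is not the site's own, fetch it and see where it sends the browser) can be automated. The following Python script is an added example, not code from the original post or from the site involved. It parses a page for `<script src>` tags pointing off-domain, then inspects the returned script for redirect targets. The sample HTML and sample script body are constructed for the example: the original post only gives the host 126.96.36.199 and the destination www.0980828.com, so the path `/js/t.js` and the script contents are assumptions. The sample script also redirects only when `document.referrer` names a search engine; that referrer-conditioned (cloaked) redirect is a common generalization of the technique and is not something the post confirms about this particular site, but it is why an administrator who types the URL directly often never sees the jump.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample home page: one local script plus one script injected from a
# foreign host (hypothetical path; only the host 126.96.36.199 comes from the post).
SAMPLE_HOME_PAGE = """<!DOCTYPE html>
<html><head><title>xxxx.gov.cn</title>
<script src="/static/jquery.min.js"></script>
<script src="http://126.96.36.199/js/t.js"></script>
</head><body><h1>Government portal</h1></body></html>"""

# Constructed sample of what the remote script might return: a redirect that
# fires only for visitors arriving from a search engine (referrer cloaking).
# This is an assumed variant; the post only states that the script redirects.
SAMPLE_REMOTE_SCRIPT = """
var r = document.referrer;
if (/baidu|google|sogou|so\\.com|bing/i.test(r)) {
    window.location.href = "http://www.0980828.com/";
}
"""


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag and any inline script text."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def foreign_scripts(html, site_host):
    """Return script src URLs whose host is neither the site nor one of its subdomains."""
    parser = _ScriptCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative paths such as /static/x.js
        if host and host != site_host and not host.endswith("." + site_host):
            found.append(src)
    return found


# location = "...", location.href = "...", location.replace("..."), location.assign("...")
REDIRECT_RE = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.(?:replace|assign)\(\s*)["']([^"']+)["']""")
CLOAK_RE = re.compile(r"document\.referrer|navigator\.userAgent", re.I)
ENGINE_RE = re.compile(r"baidu|google|sogou|so\.com|bing|360", re.I)


def redirect_targets(js):
    """Hostnames the script would send the browser to, sorted and de-duplicated."""
    return sorted({urlparse(u).hostname or u for u in REDIRECT_RE.findall(js)})


def is_cloaked(js):
    """True if the script conditions on referrer or user agent and names a search engine."""
    return bool(CLOAK_RE.search(js) and ENGINE_RE.search(js))


def triage(html, site_host, fetch):
    """fetch(url) must return the script body; one finding per foreign script."""
    findings = []
    for src in foreign_scripts(html, site_host):
        body = fetch(src)
        findings.append({"script": src,
                         "redirects_to": redirect_targets(body),
                         "cloaked": is_cloaked(body)})
    return findings


if __name__ == "__main__":
    # Offline run against the constructed samples instead of a real fetch.
    for finding in triage(SAMPLE_HOME_PAGE, "xxxx.gov.cn", lambda url: SAMPLE_REMOTE_SCRIPT):
        print(finding)
```

In real use, `fetch` would request the script twice, once with no `Referer` and once with a search engine `Referer` (or a spider user agent), because a cloaked script can also serve different bodies to different clients; comparing the two responses catches the server-side variant that this static check alone would miss.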
When a government website is linked to sensitive content such as gambling, the harm is self-evident. Given the seriousness of the problem, I immediately contacted the webmaster, informed them of the details and helped them remediate. We must understand that search engine hijacking is not itself a vulnerability; it is only one way the black industry monetizes a compromised site. Therefore, to solve a search engine hijacking problem we must first solve the security problems of the website itself: simply deleting the injected code without closing the intrusion path that planted it only invites reinfection.
Think back: at some point, when opening a normal web page through a search engine, we have all been bounced to some other illegal page. Most likely that website had been search engine hijacked, and by clicking the link we became part of the black industry chain, because we brought it traffic.
Summary: in this era of rapid information development, user traffic is invisible gold.