Invisible, it means that the road is in the same way as Xiyi;
This series of articles is divided into four parts: tactics, tools, stealth, and summary. This is the stealth article, which mainly introduces some of the concealment methods used in black hat SEO. Black hat SEO differs from other underground-economy activities in that it takes time to create value. An attacker who resells data only needs to break into the server and dump the database, whereas black hat SEO has to lurk on the server for a while, because it creates value mainly by diverting traffic. Staying undiscovered by the server's operations and maintenance staff is therefore crucial, and it is the key to whether the black hat SEO operation ultimately succeeds.
While handling intrusion incident response cases, we found that some websites had carried planted malicious pages for months or even years without the administrator noticing. Sometimes this is not carelessness on the administrator's part; the hacker is simply too sneaky. After reading about the webpage hijacking methods I introduced earlier, you can probably understand why. Webpage hijacking can control both the redirect and the content a page presents, which is the main reason administrators find it hard to detect. In addition, the parasite program can automatically generate web pages, which makes it very resilient and difficult to eradicate. Furthermore, once we find that a website carries malicious pages, we usually log in to the server to investigate. Even then it is sometimes difficult to find the script files that were illegally altered or maliciously implanted, because the hackers hide these files carefully. So, beyond the means above, what other methods do hackers use to hide themselves and stay alive on the server?
Controlling the redirect in webpage hijacking hides the fact that the website has been hacked, making it difficult for webmasters to notice.
Set up a directory proxy by editing the configuration file of middleware such as nginx or Apache, so that a directory on the target server is proxied to a directory on the attacker's own server. That is, when a visitor opens the thief.one/2016/ directory, the resource actually served comes from a directory on the attacker's server (the target server fetches the data from that server). This method does not require modifying the target website's source code, only the middleware configuration file, so it is unlikely to be deleted and hard to discover.
Set the hidden attribute on the file. I once encountered such a case. A technician had selected a batch of files from the web directory on the server and copied them. When we scanned these files we found nothing abnormal, and everything seemed baffling. The final result left us not knowing whether to laugh or cry: the malicious file had been set to hidden, so the technician, who was going by eye, had not copied it. This is therefore an effective way of deceiving the eye.
An undead file is a webshell or illegal page file (.html or a dynamic file) that cannot be deleted. Such a case has not been encountered in practice, but it is theoretically feasible.
The directory name contains one or more . characters (dot, period).
Such a directory cannot be deleted manually, though it can of course be deleted from the command line.
These are in fact system device names, file names reserved by Windows that cannot be accessed by ordinary means. The main ones are: lpt, aux, com1-9, prn, nul, con; for example: lpt.txt, com1.txt, aux.txt, aux.pasp, aux.php, etc.
There are many other methods, which are not enumerated here one by one.
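For incident responders, the three file-level tricks above (hidden attribute, dot directories, reserved device names) can be checked for in one pass over a web root. The following is an added example, not code from the original article; the function names are hypothetical, and it assumes the "dot" directories are those whose names end in a dot and that the numbered LPT1-9 forms should be flagged alongside the names the article lists.

```python
import os
import re
import stat

# Device names as listed in the article, plus LPT1-9 (assumption: the numbered
# forms are what Windows actually reserves).
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9]?)$", re.IGNORECASE)

def name_findings(name, is_dir):
    """Return the reasons a single file or directory name looks suspicious."""
    reasons = []
    # Windows matches the device name against the part before the first dot,
    # so aux.php is as reserved as aux.
    stem = name.split(".", 1)[0].strip()
    if RESERVED.match(stem):
        reasons.append("reserved-device-name")
    # Assumption: the undeletable "dot" directories end in a dot, which Win32
    # path normalisation strips, so Explorer cannot address them.
    if is_dir and name.endswith("."):
        reasons.append("trailing-dot-directory")
    return reasons

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan(root):
    """Walk root and return sorted (relative_path, reasons) for every hit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            reasons = name_findings(name, is_dir)
            if is_hidden(full):
                reasons.append("hidden-attribute")
            if reasons:
                hits.append((os.path.relpath(full, root), reasons))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for rel, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}\t{','.join(reasons)}")
```

On Windows, pass the web root with the `\\?\` prefix so that Win32 path normalisation does not hide the very names being searched for.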
[Summary of Black Hat SEO Analysis](https://thief.one/2017/09/28/4/)
[Invisible article of black hat SEO analysis](https://thief.one/2017/09/28/3/)
[Black Hat SEO Analysis Tool](https://thief.one/2017/09/28/2/)
[Black Hat SEO Anatomy](https://thief.one/2017/09/28/1/)