Root Cause Analysis and Countermeasures of Common Issues of Enterprise Websites - Alibaba Cloud Developer Community

If you are responsible for your company's website, and your site rents virtual hosts, this article will definitely be of interest to you.

Let us start with this: have you ever received e-mails such as "notification for high-traffic customers" or "notification for high resource-consuming customers"? Has your site been shut down by the access provider, or have you been unable to sign in to the website's backend management system? Or has it been impossible to upload files in the backend? This article specifically discusses the root cause analysis of common issues of enterprise websites (soaring resource usage, high traffic and Trojan infection) and the corresponding countermeasures.

To solve a problem thoroughly, we must know its cause; to know the cause, we must analyze the symptoms on the website, which may be as follows:

  1. Suspicious files are uploaded to the website.
  2. Data is injected into the database, and there is a lot of spam information in the news and product systems.
  3. The message board is maliciously flooded, and a lot of spam messages appear.
  4. The membership system is maliciously flooded, and a large number of spam members appear.
  5. The comment system is compromised, and there are numerous spam comments.
  6. Many spam text links or garbled characters appear on the home page, the content pages and even the management backend.
  7. You are unable to sign in to the backend or cannot publish articles.

Part 1: Soaring resource usage

The cause and countermeasures for 'suspicious files uploaded to the website':

The access provider (such as HiChina) will list the resource-consuming files and present the evidence (they may send an e-mail notification, or you can call HiChina directly to inquire). You can delete those resource-consuming files directly over FTP. However, the evidence will not show all the resource-consuming files, and administrators will need to locate the remaining ones on their own. Some files on the website host are necessary and some are suspicious, which requires investigation file by file. If the suspicious files are not cleaned up properly, it is likely that the remaining ones will consume resources again in the near future.

How is a suspicious file uploaded?

Channel 1: Many small (enterprise) websites adopt freely available open-source CMSs (content management systems) as their backend, such as DEDECMS and numerous other small CMSs. Some website-building companies claim to have a self-developed CMS, which is in fact just a modification of an existing CMS. These CMSs are open-source and publicly available, so their vulnerabilities are widely known, and hackers take advantage of these vulnerabilities to upload suspicious files to the website hosts.

Channel 2: Often, the website FTP password is divulged, for example when the company changes the person in charge of its website or the technical staff maintaining it; or the password is too simple and therefore easy to crack; or for various other reasons. With the password, hackers can operate the website at will and cause damage.

Channel 3: There is a super administrator (ADMIN) in the backend system of every website, who has the highest privilege to manage the website. If the password leaks or hackers manage to crack it, they can operate the website at will.

Channel 4: A server may carry hundreds or thousands of websites. If someone manages to penetrate or attack a website and successfully uploads a virus or Trojan to the server, it will affect the other websites on the same server.

Deleting the files is only a temporary solution. What is the permanent cure?

If one fails to clean up all the suspicious files or to identify all the root causes, it will not take long before you receive "resource-consuming files" or "high traffic" notifications again. Since your website was once on the hackers' list of "bots", they will keep coming back and using your website every two or three days, for a period that may be as long as a month or as short as about three days. HiChina, a leading Internet application service provider in China, allows a website up to three reactivations in a month; after that, the website has to wait until the next month to be activated.

The reasons behind the high resource consumption and high traffic on a website are complicated. People involved should examine the root causes carefully and look for permanent solutions for each of them.

Solution to Channel 1: If the website uses an open-source CMS and is not considering changing it in the near future, install the latest CMS patches at the earliest opportunity. After that, set up and follow a periodic schedule for checking and applying upgrades manually. Open-source CMSs release patches from time to time, and you can choose to apply them either automatically or manually.

Solution to Channels 2 and 3: Change the FTP password once a month, and change the website super administrator password regularly. It is recommended to set a password of more than 8 characters, including a mix of upper-case letters, lower-case letters and numbers. If the website administrator changes, you must change the passwords as well.

Solution to Channel 4: This one is challenging, but the following approach proves feasible: back up the website on a regular basis. Once there is a large-scale change to the website, it can be restored from the latest backup file.

Part 2: High traffic

First, let us talk about what traffic is. In addition to the web space required by the pages, virtual hosts for the website also have a parameter that often goes unnoticed: "traffic". For example, the HiChina M3 host has a web space of 1GB with a traffic ceiling of 30 GB per month. HiChina will send you a notification once the monthly traffic exceeds this limit. Now, how do we analyze the traffic?

For example, your website has a video with a size of 30MB. After one netizen watches the video, the consumed traffic is 30MB. If 1,000 people watch the video within one week, the consumed traffic is 30GB. A website home page usually contains HTML, images, CSS, JS and other files, totalling an estimated 2MB to 5MB. When a netizen opens the home page, the browser downloads these files from your website's virtual host in order to display the page. In addition to the home page, the netizen will also visit other pages, product images or videos. Counting these resources, a single visit by a netizen consumes between 10MB and 20MB of traffic. Based on this estimate, 30GB of traffic can support 1,000-3,000 visitors within a month, about 100 visitors per day on average. For small-enterprise websites that do little or no promotion, 30GB of traffic is enough. So why is there excessive traffic consumption? The reasons may be as follows:

  1. The website has MP3 or video files that have been indexed by search engines. When someone plays the music on another website, it consumes traffic on your host, because the files are stored on your virtual host.
  2. The website was injected with a lot of spam, leading to excessive database usage, which slows down website access and increases traffic consumption.

The solution to the first issue is to delete the indexed files directly. Obviously, this is not a permanent solution. A thorough approach is to rename the audio file first and then add a rule to robots.txt to prevent search engines from indexing the link. This way, there is less to worry about.
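Before deleting or renaming anything, it helps to know which files actually consume the traffic and which outside sites are embedding them. The following Python script is an added example, not part of the original article: it parses web server access logs in the common "combined" format, sums the bytes served per path, and flags requests whose Referer is on another host as hotlinked. The log lines, the hostname `www.example.com` and the referring site `music.example.net` are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample access-log lines in "combined" format (not real traffic from any site).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2017:08:01:02 +0800] "GET /index.html HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2017:08:01:05 +0800] "GET /music/song1.mp3 HTTP/1.1" 200 31457280 "http://music.example.net/play" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2017:08:02:09 +0800] "GET /music/song1.mp3 HTTP/1.1" 200 31457280 "http://music.example.net/play" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2017:08:03:11 +0800] "GET /images/logo.png HTTP/1.1" 200 20480 "http://www.example.com/index.html" "Mozilla/5.0"
203.0.113.14 - - [10/Mar/2017:08:04:20 +0800] "GET /video/intro.mp4 HTTP/1.1" 206 10485760 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body sent
    return rec

def bandwidth_report(log_text, own_host):
    """Bytes served per path; a request whose Referer is on another host counts as hotlinked."""
    per_path = defaultdict(lambda: {"bytes": 0, "hits": 0, "hotlink_bytes": 0, "referers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_path[rec["path"]]
        entry["bytes"] += rec["bytes"]
        entry["hits"] += 1
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host and ref_host != own_host:
            entry["hotlink_bytes"] += rec["bytes"]
            entry["referers"].add(ref_host)
    return per_path

def top_consumers(report, limit=3):
    """(path, stats) pairs sorted by bytes served, largest first."""
    return sorted(report.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:limit]

if __name__ == "__main__":
    for path, e in top_consumers(bandwidth_report(SAMPLE_LOG, "www.example.com")):
        print(f"{path}: {e['bytes'] / 2**20:.1f} MiB in {e['hits']} hits, "
              f"{e['hotlink_bytes'] / 2**20:.1f} MiB hotlinked from {sorted(e['referers'])}")
```

Note that a robots.txt rule only affects crawlers that honour it; a file that is already embedded on another site keeps consuming traffic until it is renamed or removed, which is why the rename step comes first.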

There are many reasons for the second phenomenon. For example, the membership, comment and message systems of DEDECMS websites are prone to spam if no preventive measures are applied. The preventive measures are as follows:

  1. Forbid member registration. In the System Basic Parameters - Member Settings, disable membership registration.
  2. Forbid posting comments. In the System Basic Parameters - Interactive Settings, disable the comments.
  3. Add the verification code feature to the message board.
  4. Delete information of junk members in batch (SQL statement).
  5. Delete comments in batch (SQL statement).
  6. Delete messages in batch (SQL statement).
  7. Clean up the junk cache in the "cache member" directory on the FTP.
  8. Back up the website after cleanup, for later use.

Part 3: Trojan attacks

It is a big headache for the administrator if a Trojan infects a website. If an enterprise website has suffered such an attack, the typical symptoms are:

A Trojan infects the home page, for example an extra link is added at the bottom or the top, often with content about firearms and ammunition, pornography, gambling or drug abuse. Or the whole website is infected, at the same location or different locations on every page. In addition to the website front-end, the Trojans may also infect the website backend: when the administrator logs on, he or she finds the logon interface garbled or the management interface completely different.

Cause of enterprise websites being infected with Trojans:

To solve the Trojan issue completely, let us first look at what the Trojan is. The so-called Trojan means that hackers obtained the website administrator account through various means and then logged on to the website backend to add malicious redirection code to the pages. They may also obtain the server or website FTP login information if the FTP password is easy to crack, and then modify the website pages directly. When a user accesses a page infected with malicious code, the browser automatically visits the redirected URL or downloads the Trojan virus.

Countermeasures for enterprise websites infected with Trojan:

If we find that a Trojan has already infected a website, there are generally two solutions. The first is to find the root cause and eradicate it. This is difficult to carry out because the root cause is rarely obvious immediately. Therefore, in most cases we start with the second solution: deleting the malicious code from the infected pages, beginning with the home page. It is easy to handle if the infection is only on the home page. The hard case is when the infection is on both the front-end and the backend of the website, or worse, when the malicious code has destroyed the original application and caused irreversible changes. In such cases, you must recover from the backup files. If the database has been heavily infected as well, you must consider restoring the database to its original state.

The robust cure should start from plugging up the loopholes. Refer to the countermeasures in Part 1: Soaring resource usage.

Prevent Trojan infection:

To prevent Trojan infection, you must practice these measures:

  1. Regularly back up the website
  2. Regularly observe website anomalies
  3. Regularly change the password (FTP password, website administrator password, and remote login password to the server)
  4. Install patches for Windows servers on a regular basis


To sum up, an enterprise's website is its face to the world; it reflects not only the information it presents externally but also its internal culture. Carelessness towards its website reveals something about the enterprise itself and leaves a bad impression on users.

Often, a single individual is responsible for maintaining the website of a small or medium enterprise, and no one is accountable if the website fails, which is very unfortunate. If the website is poorly utilized and lacks effective management, the money invested in building it also goes to waste.

