Root Cause Analysis and Countermeasures of Common Issues of Enterprise Websites

If you are responsible for your company's website, and your site rents virtual hosts, this article will definitely be of interest to you.

Let us start with this, have you ever received e-mails such as "notification for high-traffic customers," or "notification for high resource-consuming customers"? Or the site been closed by the access provider, or the website backend management system unable to sign in to? Or it was impossible to upload files in the backend? This article specifically talks about the "Root cause analysis of common issues of enterprise websites (soaring resource usage, high traffic and Trojan infection) and its countermeasures."

To work out a thorough solution to the problem, we must know the cause; to know the cause, we must analyze the problems on the website, which may be as follows:

1. Suspicious files are uploaded to the website
2. Data is injected to the database and there is a lot of spam information in the news and product systems
3. Malicious bumping in the message board, and a lot of spam messages appear.
4. Malicious bumping in the membership system, and a large number of spam members appear.
5. The comments system is compromised, and there are numerous spam comments.
6. Many spam text links or garbled characters appear on the home page, the content pages and even the management backend.
7. You are unable to sign in to backend or cannot publish articles.

Part 1: Soaring resource usage

The cause and countermeasures for 'suspicious files uploaded to the website':

The access provider (such as HiChina) will list the resource-consuming files and present the evidence (you may send an e-mail notification, or you can directly call HiChina for inquiry). You can directly delete those resource-consuming files using FTP. In addition, the evidence will not show all the resource-consuming files, and administrators will need to locate the remaining files on their own. Some files on the website host are necessary, and some are suspicious, which needs investigation, file by file. If one fails to conduct proper cleaning for the suspicious files, it is a possibility that the remaining suspicious files will again consume resources in the near future.

How is a suspicious file uploaded?

Channel 1: Many small (enterprise) websites adopt online available open-source CMS (content management system) as their backend system, such as DEDECMS and numerous other small CMS's. Some website building companies claim to have self-developed CMS, which is in fact just an improvement based on a CMS. These CMS's are open-source and publicly available, making them vulnerable. Hackers take advantage of these vulnerabilities to upload suspicious files to the website hosts.

Channel 2: Often, someone divulges the website FTP password, such as when the company changes the person in charge of its website or the technology of the company website. Or the password is too simple hence easy to crack, or for various other reasons. With the password, hackers can operate the website at will and cause damage.

Channel 3: There is a super administrator (ADMIN) in the backend system of every website, who has the highest privilege to manage the website. If the password leaks or hackers manages to crack it, they can operate the website at will.

Channel 4: A server may carry hundreds or thousands of websites. If someone manages to penetrate or attack a website and successfully uploads a virus or Trojan to the server, it will affect the other websites on the same server.

The above are temporary solutions. What is the permanent cure?

If one fails to clean up all suspicious files, or fails to identify all the root causes, it will not take long for you to receive "resource-consuming files," or "high traffic" notifications. Since your website was once a part of the hackers' "bots" list, hackers will keep patronizing and employ your website every two or three days for a period of maybe as long as one month, or as short as around three days. HiChina, a leading Internet application service provider in China, allows any website up to three attempts to activate itself in a month, failure to which the website has to wait until the next month for activation.

The reasons behind the high resource consumption and high traffic on a website are complicated. People involved should examine the root causes carefully and look for permanent solutions for each of them.

Solution to Channel 1: If the website uses open-source CMS and is not considering changing the CMS in the near future, it should ensure that it installs the latest CMS patches at the earliest opportunity. Post that, the CMS patches should have a periodic manual upgradation schedule set-up and followed. Open-source CMS releases patches from time to time, and you can choose to update the patches either automatically or manually.

Solution to Channel 2 and Channel 3: Change the FTP password once a month, and change the website super administrator password regularly. It is recommended to set the password to more than 8 characters, including a mix of upper-case letters, lower-case letters and numbers. If the website administrator changes, you must consider changing the password as well.

Solution to Channel 4: This one is a challenging one but proves to be more feasible. As a solution, we can back up the website on a regular basis. Once there is a large scope of change to the website, the website can be recovered with the latest backup file.

Part 2: High traffic

First, let us talk about what the traffic is. In addition to different space requirements of webpages, virtual hosts for the website also have a parameter which often goes unnoticed – "traffic". For example, the HiChina M3 host has a webpage space of 1GB with a traffic ceiling of 30 GB per month. HiChina will send you a notification once the monthly traffic exceeds this limit. Now, how do we analyze the traffic?

For example, your website has a video with a size of 30MB. After one netizen watches the video, the consumed traffic will be 30MB. If 1,000 people watch the video within one week, the consumed traffic will be 30GB. A website homepage will usually contain HTML, images, CSS, JS and other files, altogether coming up to a total of between 2MB to 5MB as per estimation. Once a netizen opens the homepage, the browser will download these files from the virtual host of your website to view the homepage normally. In addition to accessing the home page, the netizen will also visit other pages, product images, or videos. With the addition of these resources, a single access to your home page by a netizen will consume between 10MB to 20MB of traffic. Based on estimates, 30GB of traffic can support the visits of 1,000-3,000 visitors within a month, about 100 visitors per day on average. For websites of small enterprises that make little to no website promotion, 30GB of traffic is enough. However, why is there excessive traffic consumption? The reason may be as follows:

1. The website has MP3 or video files crawled by some search engines. Thus, when someone else is playing the music on other websites, they will consume traffic on your host, because these files are stored on your virtual host.
2. The website was injected with a lot of spam, leading to exceeding database usage, thus slowing website access and increasing traffic consumption.

The solution to the first issue is to delete the included files directly. Obviously, this is not a permanent solution. A thorough approach would be renaming the audio file first, and then adding a phrase in the robots.txt to prevent the search engine from including this link. This way, there will be less to worry about.

There are many reasons for the second phenomenon. For example, the membership system, comment system, and message system of DEDECMS websites are prone to spam if there are no preventive measures applied. The preventive measures are as follows:

1. Forbid member registration. In the System Basic Parameters - Member Settings, disable membership registration.
2. Forbid posting comments. In the System Basic Parameters - Interactive Settings, disable the comments.
3. Add the verification code feature to the message board.
4. Delete information of junk members in batch (SQL statement).
5. Delete comments in batch (SQL statement).
6. Delete messages in batch (SQL statement).
7. Clean up the junk cache in the "cache member" directory on the FTP.
8. Back up the website after cleanup, for later use.

Part 3: Trojan attacks

It is a big headache for the administrator if a Trojan infects a website. If an enterprise website has suffered such an attack, the general phenomenon is:

A Trojan infects the home page, such as an extra link added to the bottom or on the top, with the contents being about firearms and ammunition, pornography, gambling or drug abuse in many cases. The whole website is infected with Trojans, either at the same location or different locations on every page. In addition to the website front-end, the Trojans may also infect the website backend. When the website administrator logs on to the website, he or she will find the logon interface garbled, or the management interface completely different.

Cause of enterprise websites being infected with Trojans:

To solve the Trojan issue completely, let us first look at the Trojan. The so-called Trojan means that the hackers obtained the website administrator account through various means, and then logged on to the backend of the website to add malicious redirection code to the pages. They may also obtain the server or website FTP login information if the FTP password is easy to crack, and then directly make changes to the website pages. When a user accesses a page already infected with malicious code, he or she will automatically access the redirected URL or download the Trojan virus.

Countermeasures for enterprise websites infected with Trojan:

If we find that a Trojan has already infected a website, there are generally two solutions: first, find the root cause and eradicate it. This solution is difficult to carry out as it is challenging to locate the root cause immediately. Therefore, for most cases, we start with the second solution. For example, to delete the malicious code on the Trojan-infected page, we can start from the home page. It is easy to handle if the infection is only on the home page. The hard nut is the case where the infection is both on the front-end and backend of the website, or even worse, the malicious code has destroyed the original application, resulting in irreversible changes. In such cases, you must recover from the backup files. If many Trojans have infected the database as well, you must consider restoring the database to the original state.

The robust cure should start from plugging up the loopholes. Refer to the countermeasures in Part 1: Soaring resource usage.

Prevent Trojan infection:

To prevent Trojan infection, you must practice these measures:

1. Regularly back up the website
2. Regularly observe website anomalies
3. Regularly change the password (FTP password, website administrator password, and remote login password to the server)
4. Install patches for Windows servers on a regular basis

Summary

To sum it up, an enterprise's website is its face in front of the world and depicts not only the information that it portrays to the external world, but also the culture it follows, internally. The carelessness of an enterprise towards its website gives insights about the enterprise itself, leaving a bad impression on the user.

Often, individuals are responsible for maintaining the websites of various small and medium enterprises, where no one is accountable if the website fails, which is very unfortunate. If the website experiences improper utilization and lacks effective management, money invested in building the website also goes to waste.