Ultimate anti-Black manual for miraculous SF of CT Edition

Source: Chongqing network security alliance

CT has been hacked twice a month. Depressed, after two robberies, I was finally taken to think of a more appropriate anti-black solution. I have always liked diving. Now I have come up with a good solution... It's a cainiao. For more information, see ..

Let's talk about my experiences of being hacked.
For the first time, the CT version uses Lanzhou people, GS, and DLL adopt the kernel RSCT version, which is open for about 20 days. The password of the server's Senior Administrator is changed, and disk D is used, all files on the edisk are deleted (only empty folders are left, which are occupied by the system and cannot be deleted). The server uses the NTFS partition, the black ice firewall, and the PL website system.
For the second time, the server was hacked, and the other server was also hacked.

First, bs ct people here, CT is also for people to work (hey, it's strange why I know ?) I despise you very much (why use "you "? Haha, there are a lot of CT organizations, not to mention it), learn the following MG. Even if MG programs are leaked, MG is not as shameless as you are (what? How cheap is it? Then use the downstream ...). The commercial version of the program is about technology. Let's learn about MG, and the server side will not put backdoors, And the hacker will also be excellent.
At the same time, I sympathize with those friends who are forced to buy CT server programs. What? Aren't you forced? On the other hand, I wonder why you bought a program to avoid database clearance. The truth is the same. It is still forced by CT's indecent means! And most importantly, all commercial users of CT update several files every month (I think CT commercial users are the clearest !), For the time being, do not mention the addition of features, but the backdoor is constantly updated! (I used to play SF in a CT commercial user's game, but I encountered a problem where players changed to GM! The reason is not updated.) Therefore, CT users should keep your eyes lit up, do not go out for a tour, do not go out for a business trip, and pay attention to your programs at any time .. I am confused about database clearance when I did not receive the message! Moreover, CT programs are the least valuable currently on the market. Can they be updated in the future (MG will update new skills anyway .. CT? I don't know. What I know is that your boss is not in the group every day ~ Sorry for a 8000 yuan purchase of unserved items ..)

Crowd cloud: There are so many nonsense, there is a way to say it quickly ..

Security Settings

SQL
Assign proper permissions, whether for online game servers or WEB servers.
A, SQL
Do not use SA to operate the MUONLINE database! The procedure is as follows:
1. Create an SQL user (cannot exceed 7 English characters. Why? I will tell you later ). Remove the db_owner check box of the muonline table. Public
2. Open the permission window. Tick select input update dri of all tables. (If no payment information is provided by DRI, you can also select dri check. Check the account table and the payment option. However, this is not a threat, but you can query another table while querying one table.
3. Do not select delete. Or press delete to X. All exec operations in the stored procedure are checked.
4. A new account is used to specify that the account can only access the databases MUONLINE and RANKING.
5. The server program modifies DATASERVER. EXE (two) JOINSERVER. exe exdb. EXE, open it with UE, search for muadmin (lower case by default) DS, there is only one in EX, there are multiple JS, pay attention to modify. The new user name must be within 7 English characters when you modify the name! (The file is encrypted and kept in length). If the new user name is less than 7 characters, use 00 in UE. Note that it must be 00. It cannot be 20 or a space character!
6. Modify the data source ODBC, select "SQL Verification" for all access roles in the data source, and enter the new user name and password.
7. Modify mygsfun. ini and other SQL passwords.
8. Start the program and check the settings.
Suddenly, SQL Security completes the first step. Continue .....
Now we start to do basic SQL security...
1. Open SQL Enterprise Manager, right-click the server (generally LOCAL or IP) IN THE SQLERVER group, select properties, and select connection, then, remove the check box "allow other SQLSERVER to remotely connect to SQLSERVER" to disable remote connection to your SQL Server.
2. Open the server network tool (in SQL) and click TCP/IP in the Enable protocol. In the Properties dialog box, change the default port, click "Hide server" to hide your SQL instance.
4. Delete unnecessary dangerous stored procedures and execute them in the query analyzer.
Use master
Exec sp_dropextendedproc xp_cmdshell
Execute the same statement and replace the XP_CMDSHELL in ""
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue Xp_regenumvalues Xp_regread Xp_regremovemultistring Xp_regwrite
The last time the CT was using mongoshell, the above are all able to read the administrator password through the registry, I was changed by the black administrator password, so it is also possible to use CT with other stored procedures .. haha.
Finally, you must delete the xplog70.dll file. The file is located in the SQL directory binn. Otherwise, it can be recovered.
Note that you must delete the stored procedure first and then delete xplong70.dll in sequence. Otherwise, an error occurs (the instance attributes cannot be viewed, etc ).... it doesn't matter if an error occurs. Ask a friend or another machine to COPY it and put it in the binn directory!
PS, No matter what website system is used, it is best to disable the function of uploading images and so on!

WINDOWS
The system will not repeat it. Below are some basic points:
1. Do not use administrator as the super administrator name. Change the administrator name as required.
2. disable unnecessary ports. There are two methods: Security Policy and TCP/IP Port filtering. we recommend that you use security policies for greater flexibility. most firewalls support personalized rules. You can set some ports to close by yourself. (Note that port 1434 is also disabled using UDP. This is also SQL .)
3. Use a strong password.
4. Other Security Policy records, such as those review records, may not be opened, but it is best to open them. You can check if someone tries to log on to your system and so on .... (However, if CT gives you a hard disk, it is useless to keep the log) but the password security policy must be enabled to specify the number and time of account locks to prevent brute-force cracking.
5. Disable FSO and run RegSvr32/u C: WINNTSYSTEM32scrrun. dll in the running state in 2000.
6. Close unnecessary accounts.
7. Rename all the CMD. exe net. EXE files in the system (NET also has a name named NET1.EXE which is used by the system.
8. PCANYWHERE is recommended for remote control. do not use 3389. the PCA login password should be as complex as possible, and should not be the same as the WINDOWS Password. if it is the same, there is no need to use PCA. It is better to use 3389.
9. Under the permission settings for the directory where the website is located, the administrator is completely system full user
10, if the server installed SERV-U, be sure to get rid of the SERV-U information, is feedback to the user, so when the other side of the black you, you will not know what FTP service system you are using.
11. I used black ice in the firewall. Why? (although I have fixed a vulnerability in black ice in, I have fixed it now). Black ice can set a baseline Program (what is a baseline? I have not learned well yet .. several times to lock yourself out, proficient big guys can study) baseline is mainly to authorize the program to run. unauthorized programs, that is, using the administrator to log on, cannot be run (of course .. if you log on to the Active Directory, you can turn it off .), anti-Trojan is easy to use. in addition, black ice can automatically determine the ip address that has been attacked for a long time and block it .. (CROWD cloud: advertising ?..)
12. Firewall special instructions ..... I would like to remind you that Norton, black ice, and wooden star are all very useful .. however. never buy a wooden marker (I bought it, and I regret it. Now I use a single machine ...) if a wooden star conflicts with Norton, you cannot install it after installing Norton. and especially in the 2000 environment. in addition, we also consider soft fire prevention when buying it. After all, soft fire prevention occupies the resources of the local machine. In any case, the large scale cannot be blocked.
There are still a lot of things to set up in, but there are teaching materials... For details, see .......
14. In addition, we recommend that you use users Group members to run the mu server program.
Backup
You must back up several of my backup methods frequently.
1. Use FTP backup
Required software:
Cutftp pro 6.0 or later
WINRAR
Method:
First, set SQL automatic backup (this should be done by everyone.) To set automatic backup in less than 2 hours. (You can set it for different databases, but I am relatively small .)
Create another. 1st file, such as BAK.1ST? No? Pull with text document ~ Enter "D: muonlineSQL //"/"after the backup database folder. You can also add more directories.
Then create a shortcut and enter c: program filesWinRARWinRAR.exe "u-y-ibck d: muonlineSQLackup.rar @ d: muonlineSQLak.1st (the parameter u table shows updating files in the compressed package, -y indicates that all the questions are answered "yes". In this way, the shortcut for automatic compression is completed. run it once.
Now that we have backup and compression, how can we make it automatically? Use scheduled tasks .. the easiest way is to set up a plan so that it will run automatically once every 2 hours and 05 minutes (it is troublesome to set the scheduled task, but the design of windows is more user-friendly, so you can set it after a good look ).
Now the server automatically backs up the database in less than two hours, and the system automatically compresses the database once every two hours (1 GB of SQL files can be compressed to around-MB ). how can I automatically update the client? At this time, the synchronization function of CUTFTP is used.
In CUTFTP, set the site ip address, user name, and password, and then select tool-Folder tool-synchronization. Note that the local and remote settings are the same here, the default option of CUTFTP is "make remote and local". Do not set an error here. otherwise ....... then set the plan. Based on the database size, you can set the automatic download every several hours. then it will be OK when the machine is on ~ By the way, CUTFTP also has automatic renaming, that is, the same file name is automatically renamed to local during the download every time, which can be found in the global settings.
Although such a backup is relatively simple, with the passage of time, the database continues to increase and the time needs to be constantly adjusted, Which is troublesome.

SQL backup method
If you are rich .... if there are two servers, use SQL for dual-Machine backup. however, using dual-host backup is troublesome, and port opening is required. Using CT is more dangerous. I can hardly remember that the database was cleared after opening the SQL port for the test software.
For SQL backup, you can use dual-machine hot backup or