In 2010, 35,000 websites in China were tampered with (and countless more went unrecorded). Site administrators fortify layer upon layer, yet are left helpless because something is always overlooked. According to the cask theory, a short board at any link is a latent risk to the whole website.
The Art of War says: "Know the enemy, and win." To better prevent a website from being hacked, webmasters need to understand the hacker's attack process.
One: injection of the classic manual detection method
Before attacking a website, a hacker first uses X-scan to "case" the target: scanning for which ports are open and usable, and whether FTP has a weak or empty password. If the scan turns up a simple password such as "123456", "654321" or "abc123" for the administrator or for the account on port 3389, the hacker can do as they please. Administrators must therefore set passwords that are as complex as possible and close unnecessary ports.
Two: injection type, smart exploratory invasion
This method mainly targets sites built with dynamic languages such as PHP, ASP and JSP. Take an ASP site as an example: open the site and the page address generally has the form domain name/***?accou=co&id=93, where "id=93" means the user is asking the server for the contents of record 93.
How can one manually determine whether a site has a vulnerability? First, the hacker appends "and 1=1" to "domain name/***?accou=co&id=93". Because "1=1" always holds, the page the site returns is exactly the same as the original. Then "and 1=2" is appended to "domain name/***?accou=co&id=93". Because "1=2" never holds, an error result is returned. If both steps return the results described, the site has a vulnerability.
Using the method above, a webmaster can run a simple test on their own website to see whether it has a vulnerability (of course, there are many tools that can replace the manual work).
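Why the two appended conditions change the page, and what the fix looks like, as an added example that is not part of the original article. It uses Python with an in-memory SQLite database in place of the ASP back end; the table `news`, its rows and all function names are hypothetical.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for the site's record table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(92, "Older post"), (93, "Record 93")])
    return db

def fetch_vulnerable(db, raw_id):
    # The id parameter is pasted into the SQL text, so anything that follows
    # the number becomes part of the WHERE clause.
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def fetch_hardened(db, raw_id):
    # Check the type first, then bind the value as a parameter so it is
    # never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # the page handler should answer 400 Bad Request
    return [row[0] for row in db.execute(
        "SELECT title FROM news WHERE id = ?", (int(raw_id),))]

def differs_on_boolean_probe(fetch, db, base_id="93"):
    # The self-test from the text: same page for "and 1=1" and a different
    # page for "and 1=2" means the parameter reaches the SQL parser.
    normal = fetch(db, base_id)
    true_case = fetch(db, base_id + " and 1=1")
    false_case = fetch(db, base_id + " and 1=2")
    return true_case == normal and false_case != normal

if __name__ == "__main__":
    print("concatenated query flagged:",
          differs_on_boolean_probe(fetch_vulnerable, make_db()))
    print("parameterized query flagged:",
          differs_on_boolean_probe(fetch_hardened, make_db()))
```

With the parameterized version both appended conditions are rejected the same way, so the self-test no longer reports a vulnerability.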
Three: MD5 encryption
The passwords hackers obtain have been put through MD5 encryption. Many websites now offer MD5 password-cracking services, generally for a fee. After setting a password, a webmaster can encrypt it with MD5 and test it on one of these MD5 decryption sites: if it cannot be cracked, it is a relatively safe password; otherwise, change the password.
Four: Attention to detail, website security precautions
1: Watch for system vulnerabilities, website template vulnerabilities and website program vulnerabilities
2: Use fewer third-party plug-ins
3: A firewall and anti-virus software are both indispensable
4: Use strong passwords (ones that pass the MD5 test)
5: Do not disclose the site's template, the site's program or personal information (many sites leave the name of the program and template used to build them at the bottom of the page, and hackers use "Powered by" and similar statements to find sites running a specific program)
6: Do not use admin or other common usernames and passwords. Many webmasters like to use the default username. These usernames are easily guessed, so be sure not to use the default username, and do not use a username or password related to the domain name.
7: Try to hack your own website
To close: "No one likes an unsafe website; prevention must come first."