Analysis of why Web servers get hacked

Source: Internet
Author: User


Many users have run into this embarrassing situation: a security vulnerability in the server leads to data loss, or to privileges being obtained illegally. The servers in question are mainly the Web servers that host sites, plus database servers, DNS servers and mail servers. This article looks at the main reasons Web servers get hacked or have malicious code injected into their pages ("hanging horses"), and the corresponding countermeasures.

The causes can be divided roughly into two aspects: the server itself and the site itself.

On the server side:

1. SQL injection vulnerabilities

This class of vulnerability is common: ASP+Access injection, ASP+MSSQL injection, ASPX+MSSQL injection and so on.

An injection vulnerability arises when the ASP program passes user input to the database connection without filtering, so that an attacker can execute arbitrary SQL statements (SELECT ... FROM, UPDATE and the like). Against Access the vulnerability can only be used to query data, because Access is a self-contained file database. MSSQL is different: it exposes far more, and with badly configured permissions an attacker can escalate through SQL itself, listing directories, writing files through a differential backup of the log, querying across databases, and running command-line commands through MSSQL's EXEC of extended procedures. One way to guard against this is to reject any characters appended after a GET argument, for example "and 1=1"; many anti-injection scripts are available online. Also watch for some less obvious injection signatures, such as "" and "%". The % character is what carries transcoded (URL-encoded) input, and a value can be converted through many encodings, such as HTML encoding or raw hex, which defeats many anti-injection filters. Microsoft's MSSQL runs on the Windows platform and has two ways of authenticating users, MSSQL accounts and Windows authentication, and that is where the trouble lies. If an attacker gains system privileges, he can change the administrator password, log on to the local MSSQL with Windows authentication using the Administrator account, and then read, modify or delete any data in the corresponding database, or create a SQL account with sysadmin permissions. The general solution: when setting up the MSSQL admin account, do not use the default logon mode. In the default mode MSSQL accepts Windows user authentication; restrict it so that only MSSQL accounts can be used. Remove xp_cmdshell and similar extended procedures. Set permissions on each disk, and do not allow MSSQL to access the root directory of a drive directly. Make the Web directory name as complex as possible; do not use vhost or wwwroot.

That blocks a basic attacker's directory listing. It is best to separate the database from the Web server. Here is a somewhat unconventional way to do it: install a virtual machine on the server (Virtual PC also works) with a Windows 2003 guest, renting a server yourself if you need to. Put the host on shared Internet access, share the connection with the virtual machine, and put the database inside the virtual machine. The database is then on the internal network, which in practice behaves the same as a local database, but its port 1433 can no longer be reached from the Internet: even if someone compromises the database server, it does them no good. A few days ago in CK's space I saw something amusing he came across during an intrusion: the database had been separated, and the hacker was so frustrated that he wrote an ASP file in the Inetpub directory cursing the administrator. If you use an off-the-shelf whole-site system, keep an eye on the official vulnerability and patch announcements and update promptly.
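The encoding problem described above, as an added example that is not part of the original article: a Python filter (assumed names `normalize`, `suspicious` and `flagged_params`) that decodes percent-encoding, double encoding and HTML entities before matching the signatures the article names, run over constructed sample parameters. Filtering is a secondary control; the primary fix is parameterized queries.

```python
import html
import re
from urllib.parse import unquote

# Signatures the article singles out: tautologies such as "and 1=1", the
# MSSQL EXEC / xp_cmdshell calls it says to remove, and SELECT ... FROM.
SIGNATURES = [
    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bxp_cmdshell\b", re.I),
    re.compile(r"\bexec\b", re.I),
    re.compile(r"\b(select|union)\b.*\bfrom\b", re.I),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Undo the encodings the article says slip past naive filters:
    percent-encoding (repeated, to catch double encoding such as %2527)
    and HTML entities. Stops early once decoding no longer changes anything."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious(value: str) -> bool:
    """True if the decoded GET parameter matches any signature."""
    text = normalize(value)
    return any(sig.search(text) for sig in SIGNATURES)


def flagged_params(params: dict[str, str]) -> list[str]:
    """Names of the query-string parameters that should be rejected."""
    return [name for name, value in params.items() if suspicious(value)]


# Constructed sample query string (hypothetical, not from the article):
# plain, double-encoded and HTML-entity-encoded values side by side.
SAMPLE_QUERY = {
    "id": "42%2520and%25201%253D1",        # double-encoded "42 and 1=1"
    "page": "3",
    "q": "x%27%20exec%20xp_cmdshell",       # "x' exec xp_cmdshell"
    "title": "security&#32;news",           # harmless, HTML-entity space
}

if __name__ == "__main__":
    print(flagged_params(SAMPLE_QUERY))     # ['id', 'q']
```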

2. System vulnerabilities

Q: If my program and the related components are secured, is my server then safe?

A: The Windows Server family that Microsoft provides is convenient and fast, but it still carries security risks that have nothing to do with your program: they are flaws in the system itself. Typically an attacker obtains a cmdshell or system privileges directly through a buffer overflow vulnerability. For example, with the IIS write-permission vulnerability, IIS can be accessed anonymously and an ASP Trojan written to it, yielding a webshell. With the WebDAV overflow, the attacker first listens on a local port with nc, then overflows the service to get a cmdshell, and then obtains remote-control permissions through admin commands. These vulnerabilities cannot be fixed until the vendor provides a solution. On a Linux system the source is open and you can change it yourself, but Microsoft does not release its source, so keep an eye on Microsoft's official announcements. Companies with the need and the means can contact Microsoft and apply for a Datacenter Server system. This system is not sold on the open market; it is a set of systems Microsoft tailors to the customer's needs. It is expensive (the licence is included), but its security is very high. It is also somewhat hard to apply for, and few major enterprises adopt Datacenter, because of its price. Information about Microsoft's series of broadcasts and materials can be found online. Thanks to CLOUDX for the help here; he helped me a lot when I was learning MCSE, and it was he who told me to watch the MS broadcasts. Network administrators should keep an eye on the patches Microsoft releases. Those who want to study system vulnerabilities can follow Security Focus or the leading 0-day publishing sites for vulnerability advisories and tool releases, and then follow MS's announcements; it is very helpful for study.

3. Passwords

Password setup is another easy way for attackers to gain privileges; these are human loopholes. For example, to make passwords easier to remember, company employees set them to a birthday, a mobile phone number, the pinyin of a name and so on. We recommend setting somewhat complex passwords, especially for servers: database and system passwords. Web passwords should also be set properly: mixed case plus symbols, 10-15 characters long, and changed regularly, so that by the time an attacker has got anywhere cracking your password you have already changed it. Never use a purely numeric password. If it is purely lowercase, at least add two or three digits at the end. A length of 12-17 characters is preferable. I will not go on about this. Be sure to rename or disable the system Administrator account, and disable and rename the Guest account. Account policies should be set up as well.
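The password rules above, as an added example rather than code from the article: a Python checker (assumed names `password_problems` and `personal_fragments`) that applies the 12-17 character, mixed-case-plus-symbol and no-pure-digits rules and also rejects passwords built from a birthday, phone number or pinyin name, using a constructed profile.

```python
import re
from datetime import date

# Rules from the article: 12-17 characters, upper and lower case plus a symbol,
# never purely numeric, and nothing derived from the owner's birthday, phone
# number or pinyin name.
MIN_LEN, MAX_LEN = 12, 17


def personal_fragments(name_pinyin: str, phone: str, birthday: date) -> set[str]:
    """Substrings an attacker could guess from profile data; these must not
    appear in the password (compared case-insensitively)."""
    frags = {
        name_pinyin.lower(), phone, phone[-4:],
        birthday.strftime("%Y%m%d"), birthday.strftime("%y%m%d"),
        birthday.strftime("%m%d"), birthday.strftime("%d%m"), str(birthday.year),
    }
    return {f for f in frags if len(f) >= 4}


def password_problems(pw: str, name_pinyin: str, phone: str, birthday: date) -> list[str]:
    """Sorted list of rule violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if pw.isdigit():
        problems.append("must not be purely numeric")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    lowered = pw.lower()
    for frag in personal_fragments(name_pinyin, phone, birthday):
        if frag in lowered:
            problems.append(f"contains personal data: {frag}")
    return sorted(problems)


# Constructed profile for a hypothetical employee (not from the article).
EMPLOYEE = ("zhangsan", "13800138000", date(1990, 5, 12))

if __name__ == "__main__":
    for candidate in ("19900512", "ZhangSan1990!", "Tq7#mVp2!xRd"):
        print(candidate, password_problems(candidate, *EMPLOYEE) or "OK")
```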

4. Components and permissions

Suppose the attacker now has a system account. You still need not fear that he will change your settings in the IIS components. You can set a password for Internet Information Services, copy the system's *.msc consoles to a folder you specify, encrypt it, allow only your own account to use it, and then hide it. The attacker then cannot change any of your components, nor view, add or delete them. Remove the Wscript.Shell component; remove net.exe; set proper permissions on cmd.exe. Permissions must be set on all directories: apart from the Web directory, deny the IIS group users access to every other directory and allow only the Administrators group to access and modify. Here is another unconventional permission scheme, following on from the access rights on the .msc files: create accounts admin, admin1, admin2, ..., where admin is given only modify permission, admin1 only read and execute, admin2 only list folder contents, admin3 only write, and admin4 only read, and then assign each account its quota as needed. In that case, even if a VBS script is used or net.exe has been deleted, the other side still cannot get anywhere, and if a user without execute permission accidentally launches the attacker's Trojan, it has no permission to run or modify anything. Windows provides a screen saver; it is recommended that you also install a third-party screen lock, which makes the system more secure. We do not recommend pcAnywhere unless you have tested your permission settings yourself: pcAnywhere has a file system, and if permissions are not properly assigned a user can use it to write a Trojan into a startup item and wait for you to log in. There is no need for that. It is advisable to keep the default port 3389: if the port is changed, others can still scan it out, so it is better to leave the default.

If an attacker gains access to your system and logs on over 3389, your second security lock (the third-party system lock) keeps him out, so no one can get into your system. Remember: never leave permissions open, or the consequences will be disastrous. On a stand-alone server, when the Web is not needed, shut down IIS and other unnecessary services to avoid needless loss. Use Optimizer Master to disable remote registry access and the like, and also the IPC null connection.

That is a lot about the server side. Now let's look at some causes on the site side:

1. Upload vulnerabilities

2. Database exposure (baoku: the database path or file being revealed)

3. Injection vulnerabilities

4. Side-note attacks (pangzhu: getting in through a neighbouring site on the same server)

We have dealt with some of the people responsible for sites, and their knowledge of security protection is very poor. Some common problems are hard to solve. When a site has malicious code injected into its pages, their usual practice is simply to remove the Trojan; they are completely unaware of the deeper back door the attackers left behind, so the problem is never fundamentally solved. There are also many personal sites built from free templates downloaded online: cheap, but often hacked, without the owner realising that the template's author left a backdoor. Many sites are placed in rented hosting space, and when a problem appears the webmaster expects the IDC (hosting provider) to solve it. But what can they solve? It is not their duty; what they can do is provide space and simple maintenance. There is no real solution to the problem there.

That's enough. Let me make one remark: do security protection properly. I am willing to exchange ideas with those who work on site security. QQ: 254770445
