I made a website, www.zydn.net. It is a personal homepage; although it is not in my own name, I really am the only one doing it. I set up a backend system for the site myself, written in ASP, and hosted it with Million Net. Yesterday, while surfing the net, I found that my survey had been changed. I thought I had typed it wrong and quickly changed it back, but after a while it was changed again, and more severely this time. The survey asked whether the software I wrote is useful, and the answers I had prepared were:
Useful, Helpful, Completely useless.
He changed them for me to: Useless, What help?, Totally useless.
Also, I have a caption saying that my software is good (of course I say my own software is good), and he actually turned it into a pile of weeds, the kind of weeds there are plenty of on the net, plus some personal attacks!!!
He also changed some of my column names. I am very angry.
Because my website is controlled through the backend system, I guessed that he had gotten into the backend.
I had put a backend demo program in a subdirectory of the site, and the ASP page's check for whether a user is legitimate was done by testing whether the password session variable is null. So as long as someone went into the demo's backend in that subdirectory and then typed in the file name of the site's real backend, they could get in. So I deleted the whole demo, but I found that he was still doing damage!!
I had heard of using special characters as a password, but I had not tried it and had not cared, and I did not want to break into other people's backends. I thought: isn't he using this method? So I changed the program overnight. I figured he would come again, so I put in a program to detect his IP and check what he entered. The result: I found that he was entering ' or ' = ' in the password field to get into my website. I tried it myself, and sure enough it worked.
So I immediately started making every page's password check compare the entered password with the password in the database, and finally he did not get in!!! I also improved the log, recording the "attack" type, time, IP, characters entered, and the time and IP of administrator logins. In my log I have kept that friend's exploits: he tried to get into my site with ' or ' = and with ' or ' for nearly an hour.
But querying the database in general is too slow, so I saved the password from the database into an ASP file with a very strange file name; the file's contents are <% mimaint=***** %>, and it is included in the ASP pages, which seems faster. I also looked at the special statements they entered: they actually used SQL statements to try to delete my records. Although those statements did not succeed, I was still afraid a master would make one succeed, so I simply added a statement that treats any password containing a single quote as illegal. I also wanted to see whether it was always the same person, so for everyone who enters a wrong password, or who knows my backend file name and tries to enter, the browser gets a numbered cookie. Ha ha.. Later I read through it all and found it interesting. Well, I can do it, I know; for a real master this is only a paper-wrapped fire, but at least it makes my program a little safer. If someone attacks the server and gets my source code, then all of this is empty words, oh... I'm not afraid, I'll just go and settle accounts with Million Net.... Give me back my thousands of yuan!!!. )
I also hope the experts will give me some pointers, and at the same time I thank those several "hackers" who helped me learn a lot of things, but please don't go changing my site, ah... If you get into the backend, how about sending me an email? Ayu, thank you in advance.
Finally, a bit of publicity: please visit my site a lot. It is a website oriented toward introducing computer technology. The most important thing on this site is a site backend that I think you could also use (the biggest advantage of this program is that copying articles from the Internet is fast and easy; doing one or two hundred articles in an hour is no problem). The database comes in two versions, Access and SQL Server. In addition there are some small things I wrote while studying ASP, such as forums, message boards, surveys, and a supermarket. Ayu at http://www.zydn.net welcomes everyone.
Some notes on this system:
Database: There are two versions, SQL and Access (in fact only the database connection statement differs). The demo uses Access, because I do not have space with SQL.
Maximum column depth: 11 levels
Minimum column depth: 1 level
Maximum news per level: Unlimited
Maximum user level: Level 9
Minimum user level: Level 1
Maximum number of sub-columns per column: No limit (cannot have duplicate names)
Minimum number of sub-columns per column: none
Demo at www.Zydn.net/
Friends, please give plenty of criticism and advice.