A Hacker's Remarks on Attacking and Defending Mainstream Foreign-Trade B2C Website Systems (I)

Source: Internet
Author: User

Many people, especially individual webmasters, both admire and fear hackers. In fact, the fear is superfluous. Most hackers have principles (those without principles cannot take your website). Value is also their value.
 
Let me introduce myself: I am 25 and was a project manager at a Canadian promo enterprise. Two months ago, after New Year's Day, I resigned and started working in foreign trade B2C. In my spare time I like to visit hacker forums, and occasionally I get a group of friends together to play pranks on foreigners.
 
To put it simply, there are currently three types of domestic hackers:
 
1. Tool hackers are the ones who steal QQ accounts and game accounts. They download a few Trojans online and set them up step by step, or sit at several machines in an Internet cafe and use a hacker tool to capture "chickens" (compromised machines). Even the most basic brute-force cracking is difficult for them. These people do not even know how to intrude into a website...
 
2. Entry-level hackers, in addition to skilled use of some basic tools (such as Ah D injection, Veterans, Famous Boys, IE browser packet capture, and MD5 guessing), also understand some Linux and .NET server knowledge, and have begun in-depth analysis and research on Fluxay vulnerabilities and Google hacking. These people are more than capable of intruding into a general website system, and are more dangerous...
 
2.1 ----- No, I am here ----
 
3. Advanced hackers make their own hacker tools, use unknown techniques, and know both software and hardware. (These people have usually had access to computers from an early age and are low-key. In reality, one of them may be a junior employee of a state-owned enterprise; a friend of mine is like this.)
 
OK. Back to the question!
 
Currently, foreign trade B2C websites are dominated by three systems: osCommerce, Zen Cart, and Magento.
PS. As for systems developed in China, such as Online Fun, ECShop, XPShop, and those from ** technology companies, ASP sites should not be taken up (for B2C, use PHP whenever possible...). Really, for many of these sites I don't need even half an hour of scanning to find many injection vulnerabilities.
 
Let's start with the most popular one, Zen Cart. I am used to describing the essentials in the form of cases. Many of the ideas behind these vulnerabilities are public and easy to exploit: black links, images, packaging up customer data, hidden payment redirection... I am not the kind of person who is good at talking about it. If you can't say it well, please try again...
 
In fact, it comes down to three things: paths, the permissions of important folders, and simple passwords.
 
CASE I
 
On the surface, many Putian companies offer SEO and website-building services. In fact, the ones that make money all rely on imitation sites. Some of these companies leak or sell Zen Cart templates. I once bought a set of templates, read the admin\includes\configure.php file, and tried the SQL address left in it. It actually existed. The password had been changed, but a lot of password fragments had been left behind (I won't talk about how to get these fragments). I cracked them with MD5 and tried them one by one to access its SQL database. The consequences are very serious, but I didn't do anything bad; I only downloaded a few sets. (Don't flame me. This was my reward for telling them about the administrator vulnerabilities.)
 
PS. Several vulnerabilities published on the Internet allow SQL password information to be read. One of them, /extras/ipn_test_return.php, can return the most direct website configuration information, but it seems that many webmasters do not pay attention to it.
 
CASE II
 
/zc_install: I once ran an intrusion test against a foreigner's website. After scanning for a long time I found a vulnerability, but it was difficult to use. I have to praise the foreigner's airtight .htaccess file, haha. Later, thank god, it turned out that the same VPS had four sites, so I checked them for vulnerabilities one by one. One of the sites had casually changed the path, weak-password style. When I typed /zc_install33, an installation interface appeared. I reinstalled the program, overwrote the original Zen Cart files, uploaded a pony (a small Trojan) as a picture, and took a shell, LOL. (In fact there was an episode: on reinstalling, /includes/configure.php had limited permissions and was unwritable. Of course, I solved that, hey.)
 
There are always vulnerabilities, so I won't give any more cases. Let me give some suggestions:
 
1. It is best to scan templates downloaded from the Internet with anti-virus software, because many unscrupulous authors leave a backdoor in them.
 
2. Install as few plug-ins as possible. If you do use them, download them from an authoritative website. In fact, for a foreign trade B2C site, the basic functions are enough. A friend of mine has a very ugly site, yet it still gets 20 or 30 orders every day, while the flashy ones get none.
 
3. Check the /images folder frequently and clear out any images that cannot be opened (they are Trojans in disguise).
 
4. Writing .htaccess properly is very important (there is plenty on the Internet about how to write it). If you do this well, 60% of hackers can do nothing to you.
 
5. Strictly restrict the permissions of several important files and folders, such as configure.php, images, and html_includes, and if you have to loosen them for use, change them back afterwards.
 
6. Host on a VPS at the very least. If you build a site on shared hosting space, getting in through another site on the same server is a very common intrusion method. Even with a VPS, you must be careful when setting up each site on it. The "six steps for building a secure Zen Cart website" guide is available on the Internet, and none of its steps can be omitted.
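
The checks implied by the two cases and by suggestions 3 and 5 can be run as one audit over a site's document root. This is an added example, not code from the original post or from Zen Cart; the `includes/configure.php` and `admin/includes/configure.php` locations, the script-extension list and the finding names are assumptions, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# Magic-byte prefixes for the image types a shop normally serves.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}  # assumed list
# Assumed stock Zen Cart layout; adjust if the admin folder was renamed.
CONFIG_FILES = ("includes/configure.php", "admin/includes/configure.php")
DEBUG_FILES = ("extras/ipn_test_return.php",)  # path named in the article

def audit(docroot):
    """Return sorted (issue, relative_path) findings for one document root."""
    root, found = Path(docroot), []
    for d in root.iterdir():  # installer left behind, even if renamed
        if d.is_dir() and d.name.lower().startswith("zc_install"):
            found.append(("installer-present", d.name))
    for rel in DEBUG_FILES:  # test script that returns site configuration
        if (root / rel).is_file():
            found.append(("debug-script-present", rel))
    for rel in CONFIG_FILES:  # any write bit left set on configure.php
        if (root / rel).is_file() and (root / rel).stat().st_mode & 0o222:
            found.append(("config-writable", rel))
    for path in (p for p in (root / "images").rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        data = path.read_bytes()
        if ext in SCRIPT_EXT:  # scripts never belong under images/
            found.append(("script-in-images", rel))
        elif ext in IMAGE_MAGIC and (not data.startswith(IMAGE_MAGIC[ext])
                                     or b"<?php" in data):
            found.append(("not-a-real-image", rel))  # wrong header or PHP inside
    return sorted(found)

def build_demo_tree(root):
    """Write a constructed sample tree (not real site data) under root."""
    samples = {"zc_install33/index.php": b"<?php", "extras/ipn_test_return.php": b"<?php",
               "includes/configure.php": b"<?php", "images/up/x.php": b"<?php",
               "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
               "images/banner.jpg": b"<?php /* constructed fake image */"}
    for rel, data in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    (Path(root) / "includes/configure.php").chmod(0o644)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        print(audit(build_demo_tree(demo)))
```

Run it on a schedule against every document root on the VPS, since one neglected site is enough to expose the others.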
 
When I have time, part (II) of "A hacker's remarks on attacking and defending mainstream foreign-trade B2C website systems" will go into more detail. I hope this helps everyone. Thank you!

Author: xssxss.com
