Do not change a blog

Source: Internet
Author: User
Tags: administrator, password

Blogs were originally a place for netizens to express their voices and record their experiences and the places they lived. In this surging age, however, the blog has become a battlefield of the jianghu (the martial world of "rivers and lakes").

Hatred sprouts here, blood boils here, and even wars erupt here.

Today I was lurking on Half Bottle of Vinegar's blog, wanting to see whether there was any news about his Flash version of Jin Yong 4 (I admit it: I want the Jin Yong character material in it), when I suddenly found that a blog with more than 4 million visits had been wrecked.

An excerpt from Half Bottle of Vinegar's blog, showing the intruder's attack ......

I then lurked on luozhuang's blog on CSDN, wanting to see whether there was any new galgame information, only to find that his blog, with more than 1 million visits, had also been cracked ......

According to luozhuang, his password and email address were stolen. Most likely his mailbox was obtained in some way first, and the CSDN password was then changed through legitimate means. (PS: you can ask the CSDN management team to deal with this; in general, CSDN is quite responsible.)

Then the hacker posted an objection on luozhuang's blog, in which he "himself" joined himself ......

In this author's view, a method like this, directly wrecking the other party's blog in retaliation, is extremely arrogant and brutal, whatever the original cause.

As the so-called sayings go, "bad luck, full profit, disaster recovery" and "virtual self-defeating into the foundation of morality": non-violent matters are best solved non-violently. Whatever the right and wrong of it, if there is something to say, say it and reason it out; if they have not hacked you, do not fight or hack them in return.

If you do get drawn in, be "truthful, practical and simple". Do not take online grudges too seriously: after all, the net brings good things and even greater benefits, and as the saying goes, "you bring nothing at birth and take nothing at death", so why torment and confuse yourself over small matters? Even if you really are confused, cover your eyes and do not look at it ......

In this technology industry, there are actually a lot of things to do on the Internet. If you feel your skills are not good enough, you can go to sites such as the Easy Language forum to find confidence (although the Easy Language forum has gradually been hollowed out: on the surface it is about Easy Language, but in fact people are playing with C/C++ and assembly ......). If you feel your skills are too good, you can go to sites such as the Kanxue ("snow") forum to find a sense of frustration.
If you are bored, you can go to the gameres VB area and browse the posts of the instructors Miu.C and instemast, feast your eyes on the right, and snatch some food from the middle. In short, there are plenty of things to play with, so why be a hacker? Hacking brings no real benefit, so don't do it; go for the big things instead ......

After all this rambling, in the spirit of "saving lives", I would like to list several methods by which hackers may obtain the permissions of a blog or email user, for reference only.

1. Brute-force cracking:
Compared with online banking systems, most blog systems have poor self-protection (for example, you can attempt to log on any number of times, and permissions are set haphazardly). So as long as someone knows your user account, all they need to do is write an OCR program to pass the verification code and then enumerate passwords while trying to log on, and you will not be far from death.
When the network is fast enough, brute-forcing a blog or email account is no different from brute-forcing a local program: as long as you do not change your account, the other party will work out the correct password one day.
To address this, the first premise is not to disclose your account. If the account cannot be changed once others know it, all you can do is change the password, make it as long as possible, and mix in special characters for obfuscation. If you have a mixed password of 32 characters or more and change it once a week, then unless the other party owns a supercomputer or has assembled a considerable computer cluster (such as a pile of controlled bots), brute-force cracking is nearly impossible.
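As an added illustration (not the post's code or any real blog system's), the following Python sketch shows the self-protection the post says most blog systems lack: a per-account failure counter that locks the account for a while after repeated wrong passwords, so that logging on "multiple times" stops being free. The user store, account name and password below are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5       # failed attempts tolerated inside one window
WINDOW_SECONDS = 600   # sliding window in which failures are counted
LOCK_SECONDS = 900     # how long an account stays locked after that

class LoginGuard:
    """Per-account failure counter with a temporary lockout (illustration only)."""
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can move time forward
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time when the lock expires

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.clock()

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = []

    def record_success(self, account):
        self.failures[account] = []

def make_user(password):
    """Store a salted PBKDF2 hash, never the password itself (hypothetical user store)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def attempt_login(guard, users, account, password):
    """Return 'locked', 'ok' or 'bad'; locked accounts are refused before any check."""
    if guard.is_locked(account):
        return "locked"
    salt, stored = users.get(account, (b"", b""))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    if hmac.compare_digest(digest, stored):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "bad"
```

Lockout alone does not remove the need for a long password, but it turns a password-enumeration loop from a matter of bandwidth into a matter of weeks per handful of guesses.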

2. Cookie spoofing:
As we all know, cookies are data stored on the user's local machine to identify the user. In general, we keep some basic user information or access data in cookies so that the user does not have to repeat operations on the next visit, which improves the user experience.
But everything has two sides, and cookies are no exception.
On sites with a low security factor, cookies are often abused, and sometimes cookie data is used directly to check user permissions. This is the most serious problem: you need to understand that 100% of the data in a cookie can be forged. Once the builders of a blog or email system have a brain fart, for example by having the site verify permissions with a status field in the cookie, and the other party forges status = admin ...... nobody survives that ......
Also, even without such "brain-damaged" mistakes, cookies retain more or less confidential user data; as long as the other party finds a way to intercept your cookie file itself, it can easily be "simulated and replayed".
To solve this, you can only fix the website's "brainless" code, reduce unnecessary cookies, and clear your cookies promptly. If you are using a third-party website for your blog or email, you have to contact that site's administrator, or simply give up on the site and migrate.
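The status = admin case above, as an added example rather than code from the post: a server that reads the role straight from a cookie, beside one that only accepts a value it signed itself with an HMAC, so a payload swapped in by the browser fails verification. The secret key, cookie names and "status=..." payload format are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Server-side secret; assumed to live in server config and never reach the browser.
SECRET_KEY = secrets.token_bytes(32)

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_cookie(payload, key=SECRET_KEY):
    """Issue 'payload.mac': the browser can read the payload but cannot change it."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{_b64(payload.encode())}.{_b64(mac)}"

def verify_cookie(cookie, key=SECRET_KEY):
    """Return the payload only if the MAC is valid for this server's key, else None."""
    try:
        body, sig = cookie.split(".", 1)
        payload, given = _unb64(body), _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return payload.decode(errors="replace")

def naive_is_admin(cookies):
    """The 'brain-damaged' pattern from the post: trust status=admin straight from the browser."""
    return cookies.get("status") == "admin"

def signed_is_admin(cookies):
    """Hardened: the role comes from a value this server signed itself."""
    return verify_cookie(cookies.get("session", "")) == "status=admin"

def tamper(cookie, new_payload):
    """What a forger can do with a signed cookie: swap the payload, keep the old MAC."""
    _, sig = cookie.split(".", 1)
    return f"{_b64(new_payload.encode())}.{sig}"
```

Signing protects integrity only; a cookie copied wholesale (the interception case the post mentions) still replays, which is why a session id should also be short-lived and bound to the server-side session store.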

3. SQL injection:
Since I first came into contact with SQL, I have been told repeatedly about the serious consequences of SQL injection. It is the least technical yet most common security vulnerability: every database system and website in the world that accepts SQL commands may be attacked through SQL statements.
For example, suppose a website's logon verification query is string SQL = "select * from users where (name = '" + username + "') and (PW = '" + password + "');". When someone maliciously enters ' or '1' = '1 as the username and ' or '1' = '1 as the password in the logon box, the assembled SQL string becomes select * from users where (name = '' or '1' = '1') and (PW = '' or '1' = '1');. That is, whatever the data, the user and password "exist", and without knowing any password you can log on to the site as usual.
The example above is the lightest and easiest to prevent; in reality there are N more tricks like it.
If the website's SQL code has a flaw, in minor cases the user is hurt and the blog or email is stolen; in severe cases the other party obtains higher privileges, such as querying the table structure, querying the website administrator's password, publishing information, deleting data, clearing data, formatting the hard disk (for example, executing xp_cmdshell "format C:/" in SQL Server), or even posting something "not conducive to stability" in your name so that the whole website goes down with you.
In addition, even if your system is not affected by SQL injection, if it displays exception pages (exposing the database, table names, page locations and so on), these are also likely to be used by attackers to launch the next, deeper attack.
To address these problems, you must strictly control code quality and never expose exceptions. If you find such a problem on the blogs and mailboxes provided by the various portals, telling them is usually the best solution; even if you don't care, it is terrible for them ......
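The logon query quoted above, reproduced as an added example in Python with SQLite (not code from the post or from any real site): the concatenated version accepts the ' or '1' = '1 input as a valid logon, while the parameterized version treats exactly the same input as plain data. The table and the one account in it are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table with one sample account (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('luozhuang', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The concatenated query from the post: user input becomes part of the SQL syntax."""
    sql = ("select * from users where (name = '" + username +
           "') and (pw = '" + password + "')")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the input as data, so quotes are never parsed as SQL."""
    sql = "select * from users where (name = ?) and (pw = ?)"
    return conn.execute(sql, (username, password)).fetchone() is not None

PAYLOAD = "' or '1' = '1"   # the exact input quoted in the post
```

The parameterized form also removes the exception-page problem the post mentions next: a stray quote no longer produces a syntax error that leaks table names.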

4. XSS:
XSS has become popular in recent years and is similar to SQL injection. It is called Cross Site Scripting (XSS) to distinguish it from CSS (Cascading Style Sheets). Malicious XSS attackers often insert special HTML code into a web page; when a user browses that page, the HTML code embedded in it is executed, completing the injection attack. For example, an attacker can create a page that uses JavaScript to send document.cookie as a parameter, record it, and then use the captured cookies for cookie spoofing ......
Common XSS attacks include cookie stealing, guiding users to run special pages, using IFRAME or FRAME to access management or background pages, and using XMLHttpRequest to access management or background pages. When XSS is combined with other attack methods, the damage is even greater.
As with SQL injection, the prevention method is to strictly disable HTML and JavaScript syntax, so that attackers have no vulnerability to exploit. However, in some cases it is truly hard to guard against; as the saying goes, "the Tao rises a foot, the demon rises ten" ......
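One way to apply the "disable HTML and JavaScript syntax" advice, as an added example that is not from the post: an allow-list sanitizer for comment markup that keeps a few harmless tags and http(s) links and renders everything else as escaped text, plus an HttpOnly session cookie so document.cookie (the post's example target) cannot read the session id. The allowed tag names, the link schemes and the cookie name are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}   # no attributes survive on these
ALLOWED_LINK_SCHEMES = {"http", "https"}          # rejects javascript: and data: links

class AllowListSanitizer(HTMLParser):
    """Rebuilds comment markup keeping only allow-listed tags; all else becomes text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")            # attributes (onclick, style, ...) dropped
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if urlparse(href).scheme.lower() in ALLOWED_LINK_SCHEMES:
                self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">')
            else:
                self.out.append("<a>")
        else:                                       # <script>, <iframe>, <img ...>: shown, not run
            self.out.append(html.escape(self.get_starttag_text() or ""))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS or tag == "a":
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    """Return markup safe to embed in a page: only allow-listed tags remain live HTML."""
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def session_cookie_header(session_id):
    """HttpOnly keeps document.cookie from reading the session id; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

Escaping on output is what makes this safe; the allow-list only decides which tags are re-emitted as real markup, and every attribute other than a vetted href is discarded.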

5. Trojan planting:
There is not much to say. Once your computer, or the server of your blog portal or mailbox, has a Trojan planted on it and the attacker gets the relevant permissions, then until you clean out the Trojan there is no path other than waiting for death or migrating.
The specific way you get infected changes endlessly: maybe you downloaded a game or opened a document, maybe you browsed a website or chatted with someone on QQ, or perhaps you merely viewed an image. Another point that is hard to guard against: about 10% of Trojans internationally are open source ......
Solution: improve personal literacy and stay away from bad information; on the server side, ensure server security and detect and remove Trojans promptly.

6. Website moles:
That says it all. There is nothing to discuss or explain: you can only report it to the site's higher-ups or move your site; otherwise the problem will never be solved.

Where there are people, there is jianghu; where there is jianghu, there are grudges. But grudges belong to the real world; better not to carry them into the virtual world of the Internet.

Writing this reminds me of Luo Wen's "Take My Path", which I will use as the closing words!

No regrets, no regrets.
Endless roads
In the storm, you chase me
Who is the end of this grievance?

When will the world turn into the rivers and lakes?
Each step is surging
When is it better to shed tears?
Everyone also claims to be a hero.

What is black/white
Who can turn back?
What are you afraid of?
Keep the flowers and snow in your heart

No regrets, no regrets.
Endless roads
People are at ease in the rivers and lakes
Because I don't care

No regrets, no regrets.
Endless roads
In the storm, you chase me
Who is the end of this grievance?



 
