Hackers have to check the server security configuration!

Source: Internet
Author: User

Today, we will mainly tell you about reverse observation of server security configurations by hackers. Since our defense is from the perspective of intruders, first, we need to know the actual intrusion method of intruders. The following describes the specific solution and hope it will help you in your future studies.

Currently, the most popular web intrusion methods are to obtain the website's webshell first by looking for program vulnerabilities, and then find the appropriate methods available to escalate permissions based on the server configuration, and then take the server permissions.

Therefore, it is an effective method to prevent webshell from being configured with the server. Reverse observation of server security configurations by hackers reverse observation of server security configurations by hackers [2] since our defense is from the perspective of intruders, first, we need to know the intrusion methods of intruders.

Currently, the most popular web intrusion methods are to obtain the website's webshell first by looking for program vulnerabilities, and then find the appropriate methods available to escalate permissions based on the server configuration, and then take the server permissions. Therefore, it is an effective method to prevent webshell from being configured with the server.


Prevent unauthorized database downloads

It should be said that a network security administrator will change the default database path of the website programs downloaded from the Internet. Of course, some administrators are very careless. They can directly install the program on their own servers, or even delete the instruction files, not to mention changing the database path.

In this way, hackers can download the website Source Code directly from the source code site, and then find the default database in the local test, then, download the database and read the user information and data in it (usually encrypted by MD5). Find the Management Portal and log on to the webshell. Another case is that the path to the website database is exposed due to a program error. How can this problem be prevented? We can add the extended mdb ing of mdb. As shown in:

Open IIS and add an MDB ing so that mdb can be parsed into other files that cannot be downloaded: "IIS properties"-"main directory"-"configuration"-" ing"-"application extension" are added. For mdb file application parsing, you can select the file used to parse it as long as the database file cannot be accessed.

The advantage of doing so is: 1. If the database file in the mdb suffix format cannot be downloaded; 2, it works for all mdb files on the server and is very useful to the VM administrator.

Prevent unauthorized database downloads

If MSSQL databases are used for the above configuration, you can still use the injection tool to guess the database as long as there is an injection point. If there is no authentication for the uploaded file, we can directly upload an asp Trojan to get the webshell of the server.

To deal with the upload, we can conclude that the directory that can be uploaded does not grant the execution permission, and the directory that can be executed does not grant the upload permission. The Web program runs through the IIS user. We only need to grant the IIS user the write permission to a specific upload directory, and then remove the script execution permission of this directory, this prevents intruders from obtaining webshells through upload.

Server security configuration method: first, in the IIS web directory, open the permission tab, read and list the directory permissions for IIS users only, and then enter the directory where the uploaded files are saved and stored in the database, add the write permission to the IIS user, and change "Pure script" to "NONE" in the "properties"-"execution permission" option of the two directories. See


Note that when you set the preceding permissions, you must note that the parent directory inheritance is set. Avoid wasting your time.

MSSQL Injection

For MSSQL database defense, we should first start from the database connection account. Do not use the SA account for the database. Using the SA account to connect to the database is a disaster for the server. Generally, you can use the DB_OWNER permission account to connect to the database. If the database runs normally, use the most secure public account.

After dbo permission is set to connect to the database, intruders can only obtain webshell by guessing the user name and password or differential backup. For the former, we can encrypt and modify the default logon address of the management background to defend against attacks. For differential backup, we know that it requires the backup permission and the web directory. Searching for web directories is usually done by traversing the directory or directly reading the registry.

Which of the two methods does not support xp_regread and xp_dirtree extended storage procedures? We only need to delete these two extended storage, of course, you can also delete the corresponding dll files.

However, if the web directory is exposed due to a program error, there is no way. Therefore, we need to lower the account permissions and fail to complete the backup operation. The specific operation is as follows: in this account's properties-database access options, you only need to select the corresponding database and grant its DBO permission. Do not operate on other databases. Next, you need to go to the database-Attribute-permission to remove the user's backup and backup log permissions, so that intruders cannot obtain webshell through differential backup.

The above content is an introduction to viewing server security configurations by hackers in the reverse direction. I hope you will gain some benefits.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.