Reference: Many Webmasters have experienced this experience: Website Hackers intrude into the web page, and the web page is completely invisible. To help everyone prevent hacker intrusion, I have written out the preventive measures I have summarized in practice, it will ensure the security of the website and never be hacked!
I. Prevention of SQL injection attacks
Currently, SQL injection is the most common method for hackers to attack websites. Because SQL injection is accessed from normal WWW ports, it is no different from general Web page access, therefore, the current Municipal firewalls do not alert SQL injection. Currently, many website programs do not determine the validity of user input data. Therefore, when you submit database query code in the IE Address Bar, for example, enter www.labx?com/displist.asp? Id = xx "> HTTP: // www.labx?com/displist.asp? If id = xx and 1 = 1, the returned result is normal, but enter www.labx?com/displist.asp? Id = xx "> HTTP: // www.labx?com/displist.asp? An error is returned when id = xx and 1 = 2. Information This indicates that the displist. asp file has the SQL injection vulnerability.
If your website has such an injection vulnerability, hackers can Switzerland The software, such as the military knife and mingxiao sub-injection, uses displist. asp injection points can attack your website, and then upload ASP Trojans, run the ASP trojan in the IE address bar, you can freely upload and download files on the website, tamper with webpages, you cannot prohibit asp trojans from running on the server.
To prevent hackers from attacking the website through SQL injection, you can use maple leaf anti-injection version 3.5 to perform the following steps:
1. Upload the maple leaf protection version 3.5
First, extract the compressed package to Directory And then upload the directory (including all the files in it) to the server.
2. Modify the CONN. asp file in the website Program
Find the CONN. asp file (that is Database Connect to the file), and then find and open sqlin In the maple leaf anti-note version 3.5. asp file, put sqlin. all codes in asp are copied to CONN. asp file tail (1), so that all the files calling CONN on the website can guard against injection attacks!
All the CONN. asp files on the website should be modified in this way. Finally, the modified CONN. asp file will be uploaded to the server.
3. Modify the page for anti-Injection
Check the website program and open the pages that require anti-injection (that is Data Library operation ASP files), and then add the <! -- # Include File = "SqlIn. Asp" --> so these pages can be protected and uploaded to the server.
[Note]: after your website has been processed above, hackers will not be able to attack the website through SQL injection! The above method is very effective. My website was cracked by hackers every day. Since this process, no hacker has ever been attacked.
2. Other Website anti-Black skills
In addition to the main anti-Black measures described above, you should also take the following measures:
1. Block Database Download Vulnerability
Create a regular and unconventional name for the database, such as c26sksfln. mdb, and place it on several layers. Directory For example,./labxw/lagq/laxw /). Do not write the database name in the program. For example, in conn. asp contains DBPath = Server. mapPath ("analytic dB. mdb ") This sentence is very dangerous, because once someone else gets the conn. asp: the name and location of the website database are all at a glance.
2. No upload or forum programs
It is best not to have any upload or forum programs on the website. We recommend that you use FTP to upload and maintain webpages. Do not install asp upload programs. If asp files must be retained, you should also perform identity authentication. Authentication . If the Forum supports file upload, you should set the format of the file to be uploaded in the program and lock it directly in the program. Only images and compressed files can be uploaded.
3. Background Management Program
Do not display the portal link of the background management program on the webpage to prevent hackers from attacking the website background management program. The Administrator's username and password cannot be too simple. Pay attention to regular change. We recommend that you delete the background management program and upload it over ftp during maintenance.
3. Check whether asp Trojans exist on the website.
We recommend that you use the official version of ASP webmaster Security Assistant ASPSecurity 1.0. Website Whether there is an asp Trojan. As we all know, if a hacker uploads an asp Trojan on your website and does not know the file name and location of the Trojan, it is not easy to find them. Now I will teach you a trick, is to use ASPSecurity, Software The steps are as follows:
1. Upload Server
First download ASP webmaster Security Assistant ASPSecurity 1.0 official version, decompress the download package to get Directory There are a lot of ASP files, and then upload the entire directory to the server;
2. log on to the ASPSecurity background
Enter your website address/ASPSecurity directory/index. asp in the address bar of your browser, and then use Management Log on to admin888 with the employee password. after entering the background, first change the admin888 login password and remember the new password;
3. Search for asp Trojan
Next, click "Search for asp Trojan", enter \ In the right window check path, and click "Start Check" to check whether asp Trojan is hidden on the entire website. Please be patient, if there are not many asp files on the website, the check results will soon come out. The software will list all the suspicious files (2). You can click the suspicious file names one by one and view the file creation/modification. Time To check whether it is an asp Trojan.
4. Suspicious files Search
If you find a Trojan, click "Suspicious File Search" to find the files left and modified by the intruders. The modification date of these files is generally the same as that of the Trojan file. Enter the date of the detected Trojan file (3), check the file type to *, and set the search directory to \. The software will find all the files left and modified by intruders on the website.
5. file tampering check
You should click "file tampering check", fill in \, and click "Submit" to save the modification date, size, and other information of all files on the website in a TXT file. The name of the saved file (for example, 2006119133300.txt) is the date and time (4) on the day of operation, in case you check whether the website file has been tampered with in the future. If you want to check later, enter the file name under "verification information, click "Submit.