How to prevent your personal website from being hacked

Source: Internet
Author: User

I. Prevention of SQL injection attacks

SQL injection is currently the most common method hackers use to attack websites. Because an injection request arrives through the normal WWW port and looks no different from ordinary web page access, the firewalls on the market today do not raise an alert for it. Many website programs still do not check the validity of user-submitted data, so a visitor can submit database query code straight from the IE address bar. For example, requesting http://www.labxw.com/displist.asp?id=xx and 1=1 returns the page normally, while requesting http://www.labxw.com/displist.asp?id=xx and 1=2 returns an error message. This shows that the displist.asp file has a SQL injection vulnerability.

If your website has such an injection vulnerability, hackers can use injection tools such as Swiss Army Knife and WeChat Sub-Account against the displist.asp injection point to attack the site, then upload an ASP Trojan and run it from the IE address bar. Once the Trojan is running they can freely upload and download files on the website and tamper with web pages, and you cannot stop the ASP Trojan from running on the server.

To stop hackers from attacking the website through SQL injection, you can use Maple Leaf Anti-Injection 3.5 and perform the following steps:

1. Upload Maple Leaf Anti-Injection 3.5

First, extract the compressed package to a directory, then upload the directory (including all its files) to the server.

2. Modify the conn.asp file in the website program

Find the conn.asp file in the website program (that is, the database connection file). Then, in Maple Leaf Anti-Injection 3.5, find and open the sqlin.asp file and copy all of its code to the end of conn.asp (Figure 1), so that every page on the website that includes conn.asp is protected against injection attacks.

Every conn.asp file on the website should be modified in this way. Finally, upload the modified conn.asp files to the server.

3. Add anti-injection to individual pages

Check the website program, open the pages that need anti-injection protection (that is, ASP files that contain database operations), add the line <!-- #include file="sqlin.asp" --> to each of them so they are protected, and upload them to the server.

[Note]: after your website has been processed as above, hackers will no longer be able to attack it through SQL injection. The above method is very effective: my website used to be cracked by hackers every day, and since I did this no hacker has attacked it.
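As an added example (not part of the original article or of the Maple Leaf tool), the following Python script spots the "and 1=1" / "and 1=2" probe pairs described above in IIS W3C-format logs and flags pages that answered the two probes with different status codes, which is exactly the symptom the text uses to recognise a vulnerable page. The log lines are constructed samples, and the field list is a trimmed subset of the usual IIS fields.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C log sample (not taken from the page): one normal request,
# then the "and 1=1" / "and 1=2" probe pair against displist.asp, then noise.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2006-11-09 13:33:00 GET /displist.asp id=12 203.0.113.5 200
2006-11-09 13:33:07 GET /displist.asp id=12+and+1%3D1 203.0.113.5 200
2006-11-09 13:33:09 GET /displist.asp id=12+and+1%3D2 203.0.113.5 500
2006-11-09 13:35:10 GET /index.asp - 198.51.100.7 200
"""

# Boolean tautology/contradiction probes such as "and 1=1" or "or '2'='2'".
PROBE = re.compile(r"\b(and|or)\s+'?\d+'?\s*=\s*'?\d+'?", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def probe_hits(text):
    """Group probe requests by (client, page): [(decoded query, status), ...]."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        if PROBE.search(query):
            hits[(rec["c-ip"], rec["cs-uri-stem"])].append((query, rec["sc-status"]))
    return dict(hits)

def differential_pages(text):
    """Pages that answered probes with different status codes (200 vs. error).

    That is the symptom described above: the page behaves differently for a
    true and a false condition, so the query is being built from raw input
    and that page's database code needs reviewing first.
    """
    return sorted(key for key, recs in probe_hits(text).items()
                  if len({status for _, status in recs}) > 1)
```

Pages flagged by differential_pages are the ones to put sqlin.asp on first; the probe_hits listing also tells you which client sent the probes.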

II. Other website anti-hacking tips

In addition to the main anti-hacking measure described above, you should also take the following measures:

1. Block the database download vulnerability

Give the database an irregular, hard-to-guess name such as c26sksfln.mdb, and place it several directories deep (such as ./labxw/lagq/laxw/). Do not write the database name into the program. For example, a line such as dbpath = Server.MapPath("analyticdb.mdb") in conn.asp is very dangerous, because once someone else obtains conn.asp, the name and location of the website database are there at a glance.

2. No upload or forum programs

It is best not to have any upload or forum programs on the website at all. We recommend using FTP to upload and maintain web pages, and not installing ASP upload programs. If ASP upload files must be kept, they should at least require identity authentication. If the forum supports file upload, set the allowed file formats in the program and lock them in the code so that only images and compressed files can be uploaded.

3. Background management program

Do not display a link to the background management program on the web page, so that hackers are not led to it. The administrator's username and password must not be too simple, and should be changed regularly. We recommend deleting the background management program from the server and uploading it over FTP only while doing maintenance.

III. Check whether ASP Trojans exist on the website

We recommend using the official release of ASP Webmaster Security Assistant (aspsecurity 1.0) to check whether ASP Trojans exist on the website. As everyone knows, if a hacker has uploaded an ASP Trojan to your website and you do not know the file name and location of the Trojan, it is not easy to find. Here is a trick: aspsecurity can help you quickly find ASP Trojans. The steps are as follows:

1. Upload to the server

First download the official release of ASP Webmaster Security Assistant aspsecurity 1.0, decompress the package to get a directory containing many ASP files, and upload the entire directory to the server.

2. Log on to the aspsecurity background

In your browser's address bar enter your website address/aspsecurity directory/index.asp and log in with the administrator password admin888. After entering the background, change the admin888 logon password and remember the new one.

3. Search for ASP Trojans

Next, click "Search for ASP Trojan", enter the path in the right-hand window, and click "Start Check" to check whether an ASP Trojan is hidden anywhere on the website. Be patient; if there are not many ASP files on the site, the results will come out quickly, and the software will list all suspicious files (Figure 2). Click the suspicious file names one by one and view each file's creation/modification time to judge whether it is an ASP Trojan.

4. Suspicious file search

If you find a Trojan, click "Suspicious File Search" to find the other files the intruder left behind or modified; their modification date is generally the same as the Trojan file's. Enter the date of the detected Trojan file (Figure 3), set the file type to *, and set the search directory to the whole website to find all files the intruder left or modified.

5. File tampering check

Click "File Tampering Check", fill in the form, and click "Submit" to save the modification date, size and other information of every file on the website into a txt file. The saved file's name (for example 2006119133300.txt) is the date and time of the day of the operation (Figure 4), so that you can later check whether website files have been tampered with. To check later, enter that file name under "Verification Information" and click "Submit".
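As an added example (not code from aspsecurity), the following Python script reproduces the baseline-and-verify idea of steps 4 and 5 and goes one step further: it records every file's size, modification time and a SHA-256 hash into a file named by the current date and time, compares the site against that baseline later, and lists files modified on the same day as a file you point it at. The directory layout and the baseline file name are assumptions.

```python
import hashlib
import json
from datetime import datetime
from pathlib import Path

# Assumed layout: `root` is the web site directory and `out_dir` is where
# baselines are kept (outside the site, so they are not scanned themselves).

def snapshot(root):
    """Map each file (path relative to root) to its size, mtime and SHA-256."""
    root = Path(root)
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        state[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return state

def save_baseline(root, out_dir):
    """Write the snapshot to <date+time>.txt, like the tool's 2006119133300.txt."""
    out = Path(out_dir) / (datetime.now().strftime("%Y%m%d%H%M%S") + ".txt")
    out.write_text(json.dumps(snapshot(root), indent=1))
    return out

def verify(root, baseline_file):
    """Compare the live tree with a saved baseline; report added/removed/modified."""
    old = json.loads(Path(baseline_file).read_text())
    new = snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        # Hash comparison catches edits that keep the size and reset the timestamp.
        "modified": sorted(p for p in set(old) & set(new)
                           if old[p]["sha256"] != new[p]["sha256"]),
    }

def modified_same_day(root, reference):
    """Files whose modification date equals that of `reference` (step 4)."""
    root = Path(root)
    day = datetime.fromtimestamp(Path(reference).stat().st_mtime).date()
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file()
                  and datetime.fromtimestamp(p.stat().st_mtime).date() == day)
```

Take the baseline right after a clean deployment and keep it off the web root; a non-empty "added" or "modified" list on a site nobody has legitimately changed is the signal to start the Trojan search.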
