Comments: I will share my experience of protecting web sites against hacking, for the reference of webmasters.
1. Set strict Permissions
Allow only read and write permissions on the upload directory; do not allow execute permission.
Give each web site its own user name and password, and set that account's permissions to Guest.
Command: net localgroup users myweb /del
Set MSSQL, Apache, and MySQL to run with Guest permissions: in the Run dialog, enter services.msc and configure the corresponding service to run under an account with Guest permissions.
2. Prevent SQL Injection
In the past I used a general anti-injection module against hackers many times, and I came to understand that the general anti-injection module is useless. If a CC attack hits my web site, the site's general anti-injection module makes the site hang!!
Using a specialized web application firewall is a wise choice. A hardware firewall usually costs a few hundred thousand. I don't have that much money. It's not something that our users can use, or they like to use free software. The Quick Bi WebSite Firewall Standard Edition can be used; it is free after registration.
3. Prevent IIS 6.0 0-day attacks
0-day 1:
For IIS this is fatal. Many web sites are hacked like this: the hacker creates a directory named aaa.asp, puts an image trojan in the aaa.asp directory, and then requests aaa.asp/xxx.jpg to access the trojan.
0-day 2:
A hacker uploads a file with a name like aaa.asp;bbb.jpg to the server. This is not handled as a jpg file: IIS 6 truncates the file name at the semicolon and executes the file as asp.
Solution 1: When coding, prohibit directory names from containing "." and file names from containing ";".
Solution 2: If the web site has too much code to modify, consider the web site firewall mentioned above.
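Solution 1 written out as an added example in Python (not code from the original article): it rejects an upload path when a directory name contains "." or the file name contains ";", and it walks an existing web root to flag names that already break the rule. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def is_safe_upload_path(rel_path):
    """Solution 1: no "." in any directory name, no ";" in the file name."""
    parts = rel_path.replace("\\", "/").split("/")
    *dirs, filename = parts
    if not filename or ";" in filename:
        return False
    # Reject empty segments and any directory containing a dot; this covers
    # "aaa.asp" as well as "." and ".." segments.
    return all(d and "." not in d for d in dirs)

def find_suspicious(web_root):
    """Walk an existing web root and list names that break the same rule."""
    hits = []
    for current, dirnames, filenames in os.walk(web_root):
        for d in dirnames:
            if "." in d:
                hits.append(os.path.relpath(os.path.join(current, d), web_root))
        for f in filenames:
            if ";" in f:
                hits.append(os.path.relpath(os.path.join(current, f), web_root))
    return sorted(h.replace(os.sep, "/") for h in hits)

def demo():
    # Constructed sample tree, built in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "upload", "aaa.asp"))
        os.makedirs(os.path.join(root, "images"))
        for rel in ("upload/aaa.asp/xxx.jpg", "upload/aaa.asp;bbb.jpg",
                    "images/logo.jpg"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample\n")
        return find_suspicious(root)

if __name__ == "__main__":
    for name in ("photos/cat.jpg", "aaa.asp/xxx.jpg", "aaa.asp;bbb.jpg"):
        verdict = "accept" if is_safe_upload_path(name) else "reject"
        print(name, "->", verdict)
    print(demo())
```

Run the check on the final server-side path, after any renaming the upload code performs, so that the name written to disk is the one that was validated.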
4. Detect hacker attack traces
1). Detect the Shift backdoor:
Over a remote 3389 connection, press the Shift key 5 times in a row. If the Sticky Keys dialog does not pop up, a backdoor has been installed. In that case, search for sethc.exe in the Windows folder and delete it.
2). Check the Documents and Settings directory
If a suspicious user folder is found, it indicates that the server has been hacked.
5. Delete dangerous components
1). Delete Wscript
The code is as follows:
regsvr32 /u C:\windows\system32\wshom.ocx
del C:\windows\system32\wshom.ocx
regsvr32 /u C:\windows\system32\shell32.dll
del C:\windows\system32\shell32.dll
2). Delete MSSQL dangerous stored procedures
MS SQL Server 2000
Log on to Query Analyzer using a system account
Run the following script
The code is as follows:
use master
-- Operating system command execution
exec sp_dropextendedproc 'xp_cmdshell'
-- Enumeration of groups, login configuration, error logs and file details
exec sp_dropextendedproc 'xp_enumgroups'
exec sp_dropextendedproc 'xp_loginconfig'
exec sp_dropextendedproc 'xp_enumerrorlogs'
exec sp_dropextendedproc 'xp_getfiledetails'
-- OLE Automation procedures
exec sp_dropextendedproc 'sp_OACreate'
exec sp_dropextendedproc 'sp_OADestroy'
exec sp_dropextendedproc 'sp_OAGetErrorInfo'
exec sp_dropextendedproc 'sp_OAGetProperty'
exec sp_dropextendedproc 'sp_OAMethod'
exec sp_dropextendedproc 'sp_OASetProperty'
exec sp_dropextendedproc 'sp_OAStop'
-- Registry modification and enumeration
exec sp_dropextendedproc 'xp_regaddmultistring'
exec sp_dropextendedproc 'xp_regdeletekey'
exec sp_dropextendedproc 'xp_regdeletevalue'
exec sp_dropextendedproc 'xp_regenumvalues'
exec sp_dropextendedproc 'xp_regremovemultistring'
exec sp_dropextendedproc 'xp_regwrite'
drop procedure sp_makewebtask
go
This deletes all the dangerous extensions.
exec sp_dropextendedproc 'xp_cmdshell' [after this extension is deleted, the database cannot be connected to remotely]
The following three stored procedures are used when SQL Server restores a backup. Do not delete them unless necessary.
-- exec sp_dropextendedproc 'xp_dirtree' [after this extension is deleted, the database cannot be created or attached]
-- exec sp_dropextendedproc 'xp_regread' [restore the database after deleting this extension]
-- exec sp_dropextendedproc 'xp_fixeddrives' [the database cannot be restored after this extension is deleted]