Three hacking attacks on web sites

With the advancement of education informationization, various kinds of educational websites have sprung up. Because most of the education Web site is the school computer teacher's own development and management of small sites, the general existence of equipment, technology, professional problems, the site itself has loopholes, often become the target of hacker attacks, seriously affecting the normal business development. Here, the author hopes that through the analysis of the three hacking attacks on the education website, we can analyze the intrusion methods and means commonly used by hackers.

　　The first time the invasion

1. Intrusion phenomenon: 2004 Spring Festival, the website bulletin board suddenly appeared "this forum has the loophole, please the administrator fixes" the content, and was pasted a picture.

2. The process of handling the problem: first of all think of the existence of a Windows 2000 vulnerability, so the first to delete this content, and then the Windows 2000 Server reinstall Upgrade patch, complete the more stringent security settings and replaced the full set of passwords. Think you can sit back and relax, but not a few days, bulletin board again appeared the hacker's warning "your loophole still exists, I can tell you the problem, but in return I want your site source code."

3. Intrusion principle: Of course I will not easily submit, after the search data finally found that the original vulnerability is SQL fatal "single quote injection." The principle of intrusion is as follows: In the Web Site Admin login page User password authentication, if the user in the "UserID" input Box input "Everybody", in the Password box input "Anything" or 1 = ' 1 ", query the SQL statement becomes: Selectfrom user where Username= ' Everyboby ' and password= ' anything ' or 1 = ' 1 '. It is not difficult to see that as "1 = ' 1" is a always established condition, the judgement returned to the "true", password restrictions, regardless of the user's password is not anything, he can remotely log in as everybody, access to the background management rights, in the bulletin board to publish any information.

4. Workaround: Use the Replace function to screen single quotes.

Select from user where Username= ' &replace (Request.Form ("UserID"), ', ') && ' and password= ' &replace ( Request.Form ("Pass"), ', ' &&

　　be invaded again .

The first time I was invaded, I felt uneasy for weeks, but unfortunately it happened.

1. Intrusion: One day, suddenly found that the site's home page files and database part of the data was deleted, from the intrusion of trace analysis is the same hacker.

2. Process of dealing with the problem: First look at the system log, SQL log, no clues to find value, using X-scan, Trojan Nemesis and rising anti-virus software with the System Vulnerability scanning tool for scanning, the system has no serious security vulnerabilities, so the problem of finding into a dilemma, fortunately the site has a complete backup data, Finally, you can only restore the normal operation of the site. Coincidentally, in a week after the upload file through the background management, found that someone uploaded cmd.asp, mun.asp and 1.bat three files of the operation traces, the time for the first time of the invasion. But the machine hard drive has been unable to find these three files, this is a Trojan program, obviously this hacker more professional, after the invasion has cleaned up the battlefield, but still in the site upload record left a clue, otherwise the administrator could not know.

3. Principle of intrusion: cmd.asp, Mun.asp is a Trojan horse program, after browsing a large number of data shows this kind of Trojan horse for ASP, belonging to the famous Haiyang top ASP Trojan Horse, this kind of Trojan once copied to the Web site under the virtual directory, the remote only use IE browser to open the ASP file, you can easily control the Web interface on the computer to perform any operation. I downloaded an ASP trojan on the Internet, simulation test a bit, the function is very powerful, can achieve remote file upload download, delete, user add, file modification and program remote execution operation. 1.bat files are batch files, and content is written to a set of program execution commands to automate execution on the remote computer as needed. Obviously, this Trojan is in the first invasion when the hacker put it on, once the network administrator did not comply with his requirements, you can easily again to carry out the attack.

4. Solution: In order to prevent the still hidden very deep trojan, to ensure foolproof, I reinstalled the Windows2000 system, and replaced the full set of user name, password.

　　analysis of the third time intrusion

1. Intrusion: In October 2004, the website was again invaded. This day I was in the picture News column suddenly found a picture news by last year an old content replaces, when the client clicks on the news picture, rising antivirus monitoring system alarm found virus, apparently the site has been invaded and implanted with virus pictures, this is a picture file format as a cover of Trojan virus, Once the user clicks on the image, the virus is implanted into the C:\Windows\Temporary Internet files directory, which is a vicious hacking attack, from its modus operandi to another hacker.

2. The process of dealing with the problem: with the first two lessons of the invasion, I developed the habit of constantly understanding information about system vulnerabilities and regularly update the system, so it is not possible to exploit system vulnerabilities. The placement of the image is put into the SQL database, which means that hackers use the Web Site Admin function to achieve picture upload, and this requires a legitimate user password. The username and password I set are not easy to crack, so there is only one way that the hacker gets the admin username and password in the SQL database table in a certain way. With this in mind, I studied a lot of relevant information on the Internet, and finally locked the attack as "SQL injection intrusion".

3. Intrusion principle: the principle of SQL injection, is the client from the normal WWW port to submit special code, using the return error prompts, collecting procedures and server information, so as to obtain the information.

4. Workaround: Add a display statement "On Error Resume Next" to close the SQL error message before the ASP program extracts the "SELECT * from" Statement of the database form content, as

On Error Resume Next

Rs. Open "Select from Xinwen where xw_id=" &request. QueryString ("xw_id"), conn,1,3