How to prevent a website from being "hung with a horse" (trojaned) from a technical point of view

Source: Internet
Author: User
Keywords: hanging horse, Trojan, backend protection

"Hanging a horse" means planting a Trojan on a website: the attacker first exploits a vulnerability in the site, then uploads the Trojan, and the site is compromised. In more detail, the so-called hanging horse works like this: the attacker scans the site for an injection point, uses that injection point to obtain the administrator's account and password, scans again to find the address of the site's backend login page, logs into the backend, and obtains a webshell through the database backup/restore function or an upload vulnerability. With the webshell the attacker modifies the content of the site's pages and adds malicious redirect code; when a visitor opens a page that carries that code, the browser is automatically sent to the address it points to.

Recently, friends have often told me that their website was hung with a horse, and they are very distressed. The lost traffic is the least of it: a hanging horse deals the site a fatal blow in the eyes of its users, who completely lose interest in it. Being a webmaster is not easy; a site built with painstaking effort, and it just ends like this? Facing the challenge of the hanging horse, how can we cope?

The simplicity of ASP development has made it the scripting language used by more and more website backends. However, because ASP itself has certain security weaknesses, a little carelessness gives hackers an opportunity. At present, most ASP programs on the Web have such security vulnerabilities, but they can be avoided if you pay attention when writing the program.

1. A free program has a back door left behind

This is the usual method of those who offer so-called free download programs. They can leave a small back door in a very obscure directory or file, or simply put an ASP Trojan in. So do not casually use programs of unknown origin; download programs from reputable large websites as far as possible. If you still want to use one, carefully check every directory and every file's code to make sure nothing is hidden. Leave as few executable programs in the front end as possible; where pages can be generated as static HTM files, generate all of them. The backend directory must be renamed; this is very important and will be mentioned again below.

2. The backend password is cracked

Some users set a very simple user name and password while debugging the program, and some even keep the default, which is extremely dangerous: others can guess or crack it easily and obtain privileges, with consequences you can imagine. Code involving user names and passwords should be encapsulated on the server side, appearing in ASP files as little as possible. At present, the more secure method is to validate the backend through server-side sessions and to store passwords strictly as MD5 hashes.

3. Validation is bypassed

Today's ASP programs almost all add a judgment statement at the top of the page, but this is not enough; an intruder may bypass the validation and access the page directly. The workaround is, in each ASP page that needs validation, to track the file name of the previous page, so that only a session coming from the previous page can read the page. Of course, if you rename the backend directory, the likelihood of this kind of intrusion is much smaller.
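The session validation of section 2 and the previous-page tracking of section 3, as an added classic ASP example that is not code from the article. It assumes an MD5() function provided by an included md5.asp helper (hypothetical), a placeholder stored hash, and that every backend page sets allowedPrev before including chkauth.asp.

```asp
<%
' login_check.asp: target of the backend login form (added example).
' Assumes MD5() comes from md5.asp (hypothetical helper); the stored
' hash below is a placeholder and would be loaded from the database.
%>
<!--#include file="md5.asp"-->
<%
Dim user, pwd, storedHash
user = Trim(Request.Form("user"))
pwd  = Request.Form("pwd")
storedHash = "<MD5_HASH_OF_ADMIN_PASSWORD>"   ' placeholder value
If user = "admin" And LCase(MD5(pwd)) = LCase(storedHash) Then
    Session("admin_ok")  = True               ' server-side flag, never a cookie value
    Session("last_page") = "login_check.asp"  ' start of the previous-page chain
    Response.Redirect "admin_index.asp"
Else
    Session.Abandon
    Response.Redirect "login.asp?err=1"
End If
%>

<%
' chkauth.asp: included at the very top of every backend page, before any
' HTML output. The including page first sets allowedPrev, for example
' allowedPrev = "admin_index.asp,news_list.asp"; empty means any backend page.
If Not (Session("admin_ok") = True) Then
    Session.Abandon
    Response.Redirect "login.asp"
End If

' Previous-page tracking: the page may only be read by a session that just
' came from one of the pages in allowedPrev; a direct request has no
' recorded previous page (or the wrong one) and is refused.
Dim scriptName, curPage, prevPage
scriptName = Request.ServerVariables("SCRIPT_NAME")
curPage  = Mid(scriptName, InStrRev(scriptName, "/") + 1)
prevPage = Session("last_page") & ""
If prevPage = "" Or (allowedPrev <> "" And _
   InStr(1, "," & allowedPrev & ",", "," & prevPage & ",", vbTextCompare) = 0) Then
    Response.Redirect "admin_index.asp"
End If
Session("last_page") = curPage   ' this page becomes the previous page for the next request
%>
```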

4. SQL injection

ASP programs must filter special characters such as ', and the program must check whether the data submitted by the client meets the program's requirements; a SQL injection vulnerability is the ant hole that breaches a thousand-mile dike. There are many universal SQL anti-injection programs online now; download one and take your time studying it.
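The login query of section 4 written the vulnerable way and the safe way, together with the database-naming advice of section 5, as an added classic ASP example that is not code from the article. It assumes the MD5() helper from md5.asp (hypothetical) and a connection string that global.asa stored in Application("ConnStr").

```asp
<%
' admin_login_query.asp (added example). Section 5: the Access file is
' given an .asp suffix and its path lives only in global.asa, e.g.
' Application("ConnStr") = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" _
'     & Server.MapPath("/data/<DB_FILE_PLACEHOLDER>.asp")
' so the name never appears in a page and IIS does not serve it as a download.
%>
<!--#include file="md5.asp"-->
<%
' The filter the article recommends: doubling single quotes so input cannot
' close a SQL string literal. Keep it for any SQL still built by concatenation.
Function SafeStr(s)
    SafeStr = Replace(s & "", "'", "''")
End Function

Dim conn, cmd, rs, user, pwd
user = Trim(Request.Form("user"))
pwd  = Request.Form("pwd")

' Vulnerable form (do not use): a single quote in user ends the string
' literal and the rest of the input is read as SQL.
' sql = "SELECT id FROM admin WHERE username='" & user & "' AND pwd='" & MD5(pwd) & "'"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

' Fixed form: a parameterised ADODB.Command. Jet accepts ? placeholders and
' binds the values as data, so a quote in the input is only a character.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT id FROM admin WHERE username = ? AND pwd = ?"
cmd.Parameters.Append cmd.CreateParameter("u", 202, 1, 50, user)      ' adVarWChar, adParamInput
cmd.Parameters.Append cmd.CreateParameter("p", 202, 1, 32, MD5(pwd))  ' compare the MD5 hash, never the plaintext
Set rs = cmd.Execute

If rs.EOF Then
    conn.Close
    Response.Redirect "login.asp?err=1"
End If
Session("admin_ok")  = True
Session("last_page") = "admin_login_query.asp"
rs.Close: conn.Close
Response.Redirect "admin_index.asp"
%>
```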

5. The database is downloaded

When you use Access as the backend database, if someone learns or guesses the path and file name of the server's Access database by any of various means, they can download the Access database file directly, which is very dangerous. The solution is to give the database file an .asp suffix and not to write the database name directly in the program when connecting to the database.

There are other causes, such as a compromised host itself, ARP attacks and so on, but those are not the topic of this article.
