Last year the author wrote an article, "The Bloody Lesson of the 'Guizhou Personnel Network' Being Injected with Malicious Code". Sadly, that one was also about network security not being done properly, which ended with a web server being broken into by a hacker.
Hacked again!
Hello everyone, I am the webmaster of Dream 163 Net. On May 21 last year I wrote that article for all of you. I don't know who still remembers it, but it was about my experience of being hacked because the site's security had not been done properly. After all this time, on January 9 this year, I was hacked again! (I don't know if I am too weak or my opponent is too strong.) I have to start the story from November 11, 2013. At that time "Dream 163 Net" had just gone online: I bought a VPS server from a service provider and the site began operating. Things went well at first, until a couple of days ago, when I opened the FTP server and found that there was an "a" folder on the server!
Figure 1:
At this point everyone will have noticed that the author uses the DedeCMS program, and that having an "a" folder on the server is perfectly normal, because "a" is the folder where DedeCMS stores articles. But that is not what happened here. For ease of management, the author had renamed the default "a" folder to "News". So why is there one more folder now? That is the problem! When the author opened the "a" folder, there were a lot of unfamiliar files inside.
Figure 2:
Opening 1.html showed that it was a gambling site! By now everyone should understand why the attacker did this: once these files are uploaded to your site, if the Baidu spider crawls `http://www.<domain name>.com/a/xxxxx/x/1.html`, it will index his junk pages, and he gets the benefit he is after!
If 100 or 1,000 websites all have these files uploaded by him, you can imagine how terrible the consequences are, and how much traffic and profit he will get! So, now that we have found these suspicious files, do we just delete them and call it done? The answer is NO. Even if you delete them this time, he will upload them again the same way next time. What we need to do now is find the vulnerability and close it, so that he cannot get in and cannot upload those junk files! Finding a vulnerability can take a long time. The last time I was hacked, it took me several days to find it! But this time it went quite smoothly: in the admin backend, the author found an administrator account and password that the hacker had added!
Figure 3
Here is the key question: by what path, and by what method, did this hacker add an administrator account? That was a hard one for me. The website basically had no vulnerabilities, and I had not installed any plugins! I also ruled out a vulnerability in the program itself, because I trust the security of DedeCMS; even if there are vulnerabilities, the vendor will release patches right away! In the end I found an important lead: the database account password! When I built the website, I downloaded a MySQL automatic setup package from the Internet, and its account and password were the defaults! The database's remote management port was also the default, 999. I blame my own carelessness: I did not change the account password in time, and that is what got the website hacked! That was rather vague, and perhaps many readers did not quite follow, so to spell it out: the default database account is root, the password is 123456, and the default management port is 999. If you do not change the default account password, a hacker only needs to visit www.www.xxx63.com:999, enter the account name and the password, and he is in your database, with administrator privileges!
Once inside the database, the hacker can insert an admin account for your website with an SQL statement, which is the administrator account in Figure 3, or use the MySQL database directly to gain webshell access to your site or administrative access to the server. Your site is then under the other side's control, and they can do whatever they want with it! Now I understand how the "a" directory appeared so inexplicably on my server. Finally, the author's solution was to change the database password and shut down the remote management port! For safety, the server password and the FTP password were all changed as well!
In closing, the author reminds everyone that the network is a dangerous place, and friends who run websites need to be cautious! Do not suffer a great loss because of a moment of negligence!