The Sharpwinner of Chinese Red League and Tianjin webmaster probing into network intrusion

The intermediary transaction SEO diagnoses Taobao guest stationmaster buys the Cloud host technology Hall

June 21 3 o'clock in the afternoon, the Tianjin Software Industry Association internet Application branch of the fifth session of the seminar began, the official QQ group: 39241075, this period of discussion by Webmaster Network www.admin5.com, China Red League www.admin5.com, China Red League www.redhacker.cn Cooperation, the theme: Network Security network intrusion.

Interconnect Liu Weijun (old wheat 296128095)

Hello, everyone! According to the scheduled plan, this afternoon to hold a discussion on internet intrusion, still by the Red-Guest alliance. There are questions you can communicate, the way is still to be told by the guests for 30 minutes, and then we discuss.

Is the CEO of China Red Guest Alliance (www.redhacker.cn), the author of "The Red Guest Cloud", has "unscramble red guest-inside big exposure".

China Red League Sharpwinner

All right? Our training starts now, everybody's website has been hacked? ......

It seems that the current hackers are rampant Ah, we all know how the site was hacked?

Just made a survey, everyone site was invaded the situation is more, and there are some webmaster know how the hacker intrusion, now there are many PHP sites are also hacked by hackers, online also has a lot of tools for the penetration of PHP.

Now let's start by letting you know what kind of hacking technology the hacker has.

Intrusion of SQL injection vulnerabilities

This is asp+access Web site intrusion Way, through the injection point listed in the database administrator's account number and password information, and then guess the site's background address, and then use the account and password login to find the file upload place, the ASP Trojan upload, get a website Webshell.

Then there is a SQL injection vulnerability intrusion mode, that is Asp+mssql Web site intrusion mode. MSSQL usually assigns an account number to the user, the permission of the account is divided into three kinds of sa,dbowner,public,sa the highest privilege, public lowest.

There used to be a lot of database to give SA permission, especially some South Korea's website, a sweep is a lot of SA privileges, now most sites are to Dbowner permissions.

If it is the SA permission site, the injection point, then you can directly use the database storage extension xp_cmdshell to execute system commands, set up a system account, and then through 3389 login. or upload an NC program, and then use the NC reverse link back, get a remote shell permissions, of course, the use of SA injection point intrusion method There are many kinds, I do not explain one by one.

If it is db_owner permission, then use the technology of differential backup to backup a Webshell, the premise is to know the absolute path of the site. Then there is a way to use the db_owner permissions to list the database site administrator's account number and password, and then log into the site backstage, to see if there are available places, such as uploading files, backup database and other functions, and then use the vulnerability upload ASP trojans up. The technology for this login background is similar to the previous asp+access intrusion approach.

So it's clear that hacking is a set of technologies. For example, A,b,c is the three parts of the intrusion technology, and A1,B1,C1 is another intrusion technology three parts, then according to the actual situation, it may be paired with, if you can use A,b1,c, can also use a1,b1,c, which can be paired with several kinds of intrusion mode, So the hacker invasion is changeable, everybody wants to know is the million change, the hacker's goal is to use the website and the server may exist the flaw or the configuration error to achieve the control server and the website goal.

Now let's talk about the third kind of hacking technology.

ASP Upload Vulnerability: This technology is the use of some Web site ASP upload function to upload ASP Trojan an intrusion mode. Many sites have limited the type of upload files, generally, ASP is the suffix of the file is not allowed to upload, but this limit can be hackers to break through. Hackers can take the cookie spoofing way to upload the ASP trojan, get the site's Webshell permissions.

We have mentioned earlier, through the login system backstage to the technology of intrusion, background database backup way to get Webshell is one of them, this is mainly the use of Web site background to access database backup and restore functions, Variables such as backup database paths are not filtered to cause the suffix of any file to be changed to ASP. Then use the site to upload the function of uploading a filename to a jpg or gif suffix of the ASP Trojan Horse, and then use this recovery database backup and restore function of this trojan back to ASP files, so as to achieve the goal of access to the site Webshell control.

Next to the site to explain the intrusion technology: this technology is through the IP binding domain name query function to find out how many sites on the server, and then through a number of weak web sites to implement intrusion, get the right to control the server's other sites.

Did I not use an example to describe the three processes of intrusion? This side note that you just said should be a part of the invasion. The whole process of an intrusion technology should be this: first the collection of target information, this is a; then the vulnerability in the information to take advantage of the access to certain permissions, and elevated to become the highest authority, which is B, known as intrusion implementation; The third step is to bury the back door, To facilitate the next entry of the hacker, the last step is to clear the trail, so that other people can hardly find out how the site was invaded the amount.

The side-note intrusion is essentially the stage of target detection, the side note is the detection means, and the later intrusion is the invasion implementation stage.
　　
Okay, let's move on.

Submit a word Trojan intrusion way

This technical way is to some database address is changed to ASP file Web site to implement intrusion. Hackers through the site's message board, forum system and other functions to submit a Trojan horse to the database, and then in the Trojan client input the site's database address and submit, you can write an ASP trojan to the site, get the site's Webshell permissions.

Then now there are a lot of people on the Internet with some Free forum code, website code, blog system code, these free code is very easy to be used by hackers, so we recommend that the corresponding patch before use.

Forum Vulnerability exploits intrusion mode

This technology is to use some of the forum security vulnerabilities to upload ASP Trojan to obtain Webshell permissions, the most typical is, Move the Net 6.0 version, 7.0 version of security vulnerabilities, take the 7.0 version, register a normal user, and then grab the bag with a tool to crawl the user to submit an ASP file cookies, and then use the software such as the Ming to take cookies to deceive the upload method can upload an ASP trojan, get the site's Webshell.

Gogle Hacking Technology

The technique is to use Google to search for sites with vulnerabilities, and we'll simply list some of the ways Google's syntax is used:

Intext:

This is a page in the body content of a character as a search criteria. For example, enter in Google: intext: Red League. Will return all pages containing "red" in the body of the page

. Allintext: Use methods similar to Intext.

Intitle:

Like the intext above, search the title of the page for the characters we're looking for. For example: intitle: Red Guest. Returns the pages that contain "red guest" in all page headings. Same allintitle: similar to intitle.

Cache:

Search Google for some content in the cache, sometimes may find some good things oh.

Define:

Search for the definition of a word, search: Define:hacker, and return a definition of hacker.

FileType:

I'd like to highlight this, whether it's a cast-net attack or what we're going to say. This is needed to collect information for a particular target. Searches for files of the specified type. For example, enter: filetype:

Doc. all file URLs that end with Doc will be returned. Of course, if you're looking for. bak,. mdb or. Inc, you may get more information:

: Filetype:doc. All file URLs that end with Doc are returned. Of course, if you're looking for. bak,. mdb or. Inc, you can get more information.

Info:

Find some basic information about a specific site.

Inurl:

Search to see if the character we specified exists in the URL. For example, input: Inurl:admin, returns n a connection similar to this: Http://www.xxx.com/xxx/admin, The URL used to find the admin login is good. Allinurl is similar to inurl and can specify more than one character.

Link:

For example search: Inurl:www.jz5u.com can return all URLs that are linked to www.jz5u.com.

Site:

This is also useful, for example: Site:www.jz5u.com will return all URLs associated with jz5u.com this station.

Yes, and some of the * characters are also useful:

+ List of words that Google may ignore, such as query scope

-Ignore a word

~ Consent Word

. Single wildcard character

* Wildcard characters that can represent multiple letters

The exact query

Now let's briefly explain some examples:

For some hackers, getting a password file is what they're most interested in, so Google can search for the following:

Intitle: "Index of" etc

Intitle: "Index of" passwd

Intitle: "Index of" pwd.db

Intitle: "Index of" Etc/shadow

Intitle: "Index of" master.passwd

Intitle: "Index of" htpasswd

This will have a lot of server's important password files are not protected by exposure to the network, hackers will use these passwords to obtain some of the system's privileges.

The above hackers through the web intrusion technology we just did a simple introduction, the purpose is to hope that the hacker technology has a certain understanding, but do not want to use these technologies to implement the invasion. I think people are wondering what good defensive methods are for so many forms of intrusion.

So let's talk about how to defend against web based attacks.

Okay, so let's talk about how we do the security of Web sites and servers.

There are two ways to prevent web intrusion, one is to use technical means to defend against attacks, the other is to use security software to defend against attacks.

Manual way to prevent web-based intrusion

1 Patch Installation

Install the operating system, the first thing to do is to install a variety of system patches, configure the network, if the WIN 2000 operating system installed Sp4,win 2003 on the installation of SP1, and then click Windows Update, install all the key updates.

2 Install antivirus Software

Antivirus software We now mainly recommend the use of two: Kaspersky and rising. These two anti-virus software we have done more than n test, the results show that Kaspersky's ability to kill and search more than rising, many did not kill the Trojan has been rising but does not escape but Kaspersky, of course, Kaspersky is not hundred percent all viruses can kill, some Trojan program is also able to make a Kaspersky. Only Kaspersky in all antivirus software among the killing ability is still good.

3 Set the port's security protection function

There are two ways to protect the port, one is port settings in TCP/IP filtering, the other is a system-led firewall (we use the Windows 2003 operating system), and most of the Web sites are now using the Windows 2003 operating system. ）。

4 port settings for TCP/IP filtering

Right-click "Properties" on "My Network Neighborhood" then, on the local Area connection, right-click Properties, select Internet Protocol (TCP/IP) point properties, and then in the Internet Protocol (TCP/IP) properties box that pops up, select Advanced, and then in the Advanced TCP/IP Settings box, select Options, select TCP/IP filtering, click Properties, and then, on the pop-up TCP/IP filter box, tick "Enable TCP/IP filtering (All adapters)", select Allow only, and then click Add the port you want to open.

5 port settings with a firewall

Port settings are more flexible with the Windows 2003 operating system's own firewall, without restarting the server. We start setting, right-click "Properties" on "Network Neighborhood", and then right-click "Properties" on "Local Area Connection", select "Advanced" in the pop-up box, and select "Internet Connection Firewall" to click Settings, which will eject the "WINDOWS Firewall" box. We choose "Enable" and then click "Exceptions", in which we can choose "Add Programs" and "Add ports" to set up some open ports. It is important to note that if you are connecting remotely to a server, be aware that the port of the remote virtual terminal must be open.

6 Security settings for the directory

All disks, including system disks, only give full control to administrators and system.

C:\ The Documents and Settings directory only gives full control to administrators and system.

The C:\Documents and Settings\All Users Directory only gives full control to the Administrators group and SYSTEM. C: \inetpub directory and all of the following directories, files only to the Administrators group and SYSTEM Full Control permissions. In addition to full control of administrators and system, the C:\Windows directory also requires a "special permission" for creator Owner, with all permissions other than full control for the Power Users group, the Users group Read and run, List folder directories, Read permissions. These permission settings for the C:\Windows directory are important, and many system services will not function properly after the system restarts, if those permissions are not set except for the full control of administrators and system.

C: \windows\system32\cacls.exe, Cmd.exe, Net.exe, net1.exe files only give Full control to the Administrators group and SYSTEM.

7 IIS Controls permission assignment for account

Hackers now in the technology, there is a technology called the site side of the injection of intrusion, this technical way the hacker intrusion technology has been said, is through the server inside a vulnerable site to implement the invasion, the successful access to control other sites. Then everyone wants to know what causes the problem. The original IIS for remote ordinary user access is set up a dedicated "IUSR_ machine name" account. It is because IIS uses the "IUSR_ Machine name" account to manage all Web site access, so hackers can use this technique of side-injection intrusion. So how do we solve this problem? Quite simply, we set up a separate IIS control account for each site, and the IIS control account's permissions are set to the Guests group. So even if the hacker through the server to get access to a website, then he has only the permissions of the site, the server other sites he did not have access to the server, the hacker's risk of damage reduced, then security is relatively improved.

8 Patching of injection vulnerabilities and restrictions on file types uploaded

These two parts is the website programmer must pay attention to, the hacker to the website implementation process, 80% will use the website the injection point and uploads the loophole to implement the invasion. Injection vulnerabilities can be patched using some ready-made patch code on the Web, such as ASP generic anti-injection components, anti-injection code perfect version, etc., but we still suggest that the site programmer to spend a little time to write their own injection code, this will be more secure and reliable. Restrictions on uploading file types This is not hard to write, only allow users to upload your site to use the type of file, to limit the type of file, especially do not let Asp,asa file upload files, and then file the header file for a check, found that there are ASP Trojan features on the limit upload. Of course, now hackers are more and more intelligent, ASP Trojan most use a word trojan, and then the code for a variety of deformation treatment to escape the site restrictions and anti-virus software killing. For these technology-free trojans use ASP code to prevent the way, it is best to use security products to defend.
9 Security settings for SQL permissions

Asp+mssql is the most interesting website for hackers, usually hackers can easily use MSSQL vulnerabilities to get system privileges, so this piece is to be valued.

First system installation, try not to default to install into the C:\Program files directory, and then set up a good SQL database after the latest patches. Then the database should not be placed in the default location, the next thing to see whether the site needs to telnet to the SQL Server, we recommend that you do not use the remote, if you have to use, it is recommended that you can change the port to a high-end port, so that hackers difficult to find.

After doing a secure installation, set up a complex password for the SA and then remove the BUILTIN\Administrators user group from the SQL, which prevents hackers from logging in to SQL as Windows. Then edit the SQL Server registration properties in Enterprise Manager, select Use SQL Server authentication and check "Always prompt for logins and passwords."

Then, when the user is added, only public and db_owner permissions are given.

Add user

EXEC sp_addlogin ' abc '

Make it the legitimate user of the current database

EXEC sp_grantdbaccess N ' abc '

Grant ABC users db_owner permissions to the database

EXEC sp_addrolemember n ' db_owner ', n ' abc '

Finally we have to delete some of the hackers commonly used to call the shell, the operation of the registry, invoke the permissions of the COM component.

Open Query Analyzer and enter:

Use master

EXEC sp_dropextendedproc ' xp_cmdshell '

EXEC sp_dropextendedproc ' sp_OACreate '

EXEC sp_dropextendedproc ' sp_OADestroy '

EXEC sp_dropextendedproc ' sp_OAGetErrorInfo '

EXEC sp_dropextendedproc ' sp_OAGetProperty '

EXEC sp_dropextendedproc ' sp_OAMethod '

EXEC sp_dropextendedproc ' sp_OASetProperty '

EXEC sp_dropextendedproc ' sp_OAStop '

EXEC sp_dropextendedproc ' xp_regaddmultistring '

EXEC sp_dropextendedproc ' Xp_regdeletekey '

EXEC sp_dropextendedproc ' Xp_regdeletevalue '

EXEC sp_dropextendedproc ' xp_regenumvalues '

EXEC sp_dropextendedproc ' Xp_regread '

EXEC sp_dropextendedproc ' xp_regremovemultistring '

EXEC sp_dropextendedproc ' xp_regwrite '

drop procedure Sp_makewebtask

Click "Execute" in "Query" on the menu, so that these will be removed by the hacker's privileges.

Just now we have to explain the security of the server

So now we're in the free Question Time

Webmaster: What should Linux pay attention to?

China Red League Sharpwinner: In short, the Linux system at the level of the vulnerability is not much, more or the application level, including Apache+php+mysql these aspects of security problems

Webmaster: Generate HTML security is not also the use of

China Red League Sharpwinner: Well, static page hackers are hard to invade

Webmaster: What do you think is the strongest BBS in the process now? DZ?

China Red League Sharpwinner: In fact, many BBS now have underground 0DAY vulnerability, relatively speaking, PHP forum than ASP security, 0day refers to the open loophole

Webmaster: What to do after being hung up?

China Red League Sharpwinner: After the horse, it is best to stop the site, and then carefully check, it is best to use some tools to cooperate with the inspection, you can check the site has been changed files

Interconnection Liu Weijun (old Michael 296128095): The people of China who are red are respectable, although their numbers are getting smaller.

China Red League Sharpwinner: Well, now is our dormant stage, this year we will be through a series of promotional activities to inject new ideas to the red Guest, a new culture, "red Guest" will be the publication of our very important cultural dissemination of the way, the second half of this year we will publicize the two years more than the " "Red Guest" published, the book is about the Chinese red guest to protect national interests and foreign spy forces to fight the story.