Why the Web server was hung and how it was hacked

Carry and spread the "Trojan" virus the number of sites to decline for the first time, "Trojan" virus spread the momentum is effectively curbed. Rising company released today, "the first half of 2009 Internet Security Report" shows that the first half of this year, rising "cloud security" system to intercept the "Hanging Horse" page number of 290 million, a total of 1.12 billion times "Trojan" attack reports, Guangdong, Beijing, Hunan is the most affected by the number of three provinces. According to statistics, there are 35% of "Hanging Horse" Web server located in Beijing. Although the number of "Hang Ma" sites increased significantly from the same period last year, there was a significant downward trend in the second quarter compared with the first quarter.

Rising security experts that the antivirus software on the "Hanging Horse" site has been effective interception, making the "Trojan" virus growth momentum was successfully curbed, and the traditional "infected virus" gradually rise. This shows that the virus-making gangs in the "Hanging horse" site can not be successful, it has to return to the previous preparation process complex, low infection efficiency of the "infectious virus" attack mode.

Many users have encountered such embarrassing things, because the server security vulnerabilities, resulting in the loss of data, permissions are illegally obtained. Servers are primarily those Web servers, data servers, DNS servers, and mail servers that hold Web sites. Now the main reason why the Web server is hanging horse and black reasons and solutions.

The first can be roughly divided into the server itself and the site itself two aspects.

The server aspect is as follows:

1 SQL database Injection vulnerability.

This vulnerability is more common, such as asp+access injection, asp+mssql injection. Aspx+mssql injection and so on.

The

Injection vulnerability uses a statement such as select From,update to execute arbitrary SQL statements using an ASP program that connects to the database without filtering. But this vulnerability can only be queried if it is used on access. Access is the encapsulated database. But SQL is different. MSSQL exploited a lot of vulnerabilities, such as bad permissions, you can expand through the SQL and weak permissions, column directory, differential backup log files, cross-Library query, cmd command line execution. MSSQL EXEC commands. A related way to prevent this vulnerability is to disable the use of any character modified after the Get argument. For example, "and 1=1" and so on. There are many anti-injection programs on the network. Also notice a few obscure injection signatures. ""，"%"。 % accurate. It is the character that passes the transcoding. Many kinds of encodings can be converted. such as HTML encoding. Winhex. can interfere with many of the anti-injection files. Microsoft's MSSQL is built on the Windows platform. He has two ways to authenticate users, one for MSSQL users and one for Windows authentication. So the jitters are all right here. If an attacker gets system privileges. Then he can modify the admin password. Then, using the Administrator password, log on to native MSSQL with Windows authentication, you can consult any data of the corresponding database. and modify, delete. You can also establish a SQL account for System Admin permissions. General solution here.

Network management in the establishment of MSSQL Admin account, do not be sure to use the default mode of landing. MSSQL If you are logged in with the default mode, you can use Windows user authentication. So you can only use the MSSQL account. Delete xp_cmdshell, etc. Set permissions on each disk. The MSSQL direct access disk Fugen directory is not allowed. The Web directory name is as complex as possible. Don't use Vhost,wwwroot. Here you can guard against the basic attacker's list of directories. It's best to do database separation. Teach you a more abnormal method of database separation. Install a virtual machine on the server. VIASULPC also can. Just install a Windows2003, if you need it. You can rent a server yourself. Then you use the shared mode to surf the Internet, share with the virtual machine, and put the database in the virtual machine. Then the database is in the intranet. Actually the same as the native. Now the database has been telnet out of the net 1433. Even if someone else gets the database server, it's no use. A few days ago, in CK space, I saw an interesting thing that he came across when he invaded. Database separation. The black and polite to die. In the Inetpub directory wrote a curse the administrator of the ASP file. If you are using the whole station system. Please update your attention to official vulnerabilities and patch announcements in a timely manner.

2 system vulnerabilities

Q: If my program and component related security are done. So is my server safe?

A: The WindowsServer family Server version provided by Microsoft is convenient and fast, but there are still some security risks. This has nothing to do with the procedure. is a flaw in the system itself. In general, an attacker obtains Cmdshell or system privileges directly through a buffer overflow vulnerability. For example, IIS Write permission vulnerability, you can access IIS anonymously, and write ASP Trojan, get Webshell. For example, WebDAV overflow, first use the NC listening to the local port. To overflow the port. Get a Cmdshell. The remote control permissions are then obtained through the admin command. These vulnerabilities cannot be repaired until the authorities provide a solution. If it is a Linux system, open the source code. You can change it yourself. But Microsoft did not release the source. So keep an eye on Microsoft's official announcements. Companies with conditions and needs can contact Microsoft and apply for a Datacenter Server system. This system is not issued in the market, is Microsoft's tailor-made for customer needs a set of systems. The price is expensive. Gift Liense. But the security is very high. But it's a little difficult to apply.

Because datacenter all major enterprises are not adopted. It's because of its price. Information about Microsoft's series of broadcasts and information can be seen. Thank CLOUDX here for your help. He helped me a lot when I was learning MCSE. Or did he want me to watch the radio on Ms. Network administrators can keep an eye on the patches released by Ms. If you want to study the system vulnerabilities of friends. Can go to the security focus or the leader of the 0DAY publishing site at any time to pay attention to the release of the vulnerability utility. Then focus on MS's announcement. It is very helpful to study.