Analysis of Three Hacker Intrusions Experienced by a Website

xiaoxiao, 2021-03-06

With the advance of education informatization, educational websites of every kind have appeared. Most of them are small sites developed and managed by the school's computer teacher, so they are short on equipment, technology and professional staff. The sites themselves carry vulnerabilities and often become targets of hacker attacks, which seriously disrupts normal operation. Here the author analyzes three intrusions suffered by one educational website in order to illustrate the common intrusion methods and techniques used by hackers.

The first intrusion

1. Intrusion: During the 2004 Spring Festival, the content of the website's announcement board was tampered with and a picture was posted in it.

2. Handling: At first I assumed it was a Windows 2000 vulnerability, so I deleted the tampered content, reinstalled the latest patches on the Windows 2000 server, applied stricter security settings and changed all the passwords. I thought that would be the end of it, but only a few days later a hacker's message appeared on the bulletin board: "Your vulnerability still exists. I can tell you what it is, but I want the source code of your website in return."

3. Intrusion principle: Naturally I was not going to agree to that. After researching the matter, I finally discovered that the vulnerability was the "single-quote injection" that is fatal to SQL. The principle is as follows. When the user password is checked for the website's backend management, if the user enters "Everybody" in the "UserID" box and enters "Anything' OR 1='1" in the password box, the SQL query becomes: SELECT * FROM user WHERE username = 'Everybody' AND password = 'Anything' OR 1 = '1'. It is easy to see that since "1 = '1'" is an always-true condition, the whole WHERE clause evaluates to "true" and the password restriction is bypassed. Whatever the user's password is, he can log in remotely as Everybody, enter backend management and post anything in the announcement column.

4. Solution: Escape single quotes with the Replace function, so that a quote typed by the user is doubled and stays inside the string literal:

sql = "SELECT * FROM user WHERE username = '" & Replace(Request.Form("UserID"), "'", "''") & "' AND password = '" & Replace(Request.Form("Pass"), "'", "''") & "'"

The second intrusion

After the first intrusion I remained uneasy for several weeks, and sure enough it happened again.

1. Intrusion: One day I suddenly found that the homepage file and part of the database had been deleted; the traces showed it was the same hacker.

2. Handling: First I checked the system logs and the SQL logs, but found no useful clues. Scanning with X-Scan, Mark Mark Star and Rising anti-virus software showed no serious security vulnerabilities in the system, so the investigation reached a dead end. Fortunately the website had a complete backup, and in the end all I could do was restore it to normal operation from that backup. A week later, while managing uploaded files in the backend, I found that someone had uploaded three files, cmd.asp, mun.asp and 1.bat, at the time of the first intrusion. However, these three files could not be found on the machine's hard disk. This was a Trojan. Clearly this hacker was quite professional: after finishing the intrusion he cleaned up the battlefield, but he still left clues in the website's upload records, otherwise the administrator would never have known.

3. Intrusion principle: cmd.asp and mun.asp are Trojans. After reading a lot of material I learned that these belong to the well-known class of ASP Trojans. Once such a file is copied into the website directory, the remote attacker only has to open the ASP file in the IE browser and can control the computer through the web interface to perform any operation. I downloaded an ASP Trojan from the Internet and tested it in a simulation: its functions are very powerful, including remote file upload and download, deletion, adding users, modifying files and remote program execution. 1.bat is a batch file whose content is a set of commands written as needed, so that they run automatically on the remote computer. Obviously this Trojan was planted during the first intrusion; once the administrator did not comply with his demands, he could easily attack again.

4. Solution: To guard against Trojans that might still be hidden and make sure nothing was missed, I reinstalled the Windows 2000 system and changed every username and password.

The third intrusion

1. Intrusion: In October 2004 the website was invaded again. One day I suddenly noticed that a picture news item in the picture news section had been replaced with old content from the previous year. When a client clicked on the news photo, the Rising anti-virus monitor raised an alarm and reported a virus. Obviously the website had been invaded and a virus-bearing picture implanted: a Trojan using the picture file format as cover. Once a user clicks on the picture, the virus is implanted into the C:\Windows\Temporary Internet Files directory. This was a malicious intrusion, and judging by the technique it was a different hacker.

2. Handling: With the lessons of the previous two intrusions, I had developed the habit of following security vulnerability information for the system and running system Update regularly, so the chance that a system vulnerability had been exploited was small. The picture was stored in the SQL database, which means the hacker used the website's backend management function to upload it, and that requires a valid username and password. The username and password I had set were not easy to crack. That left only one possibility: the hacker obtained the backend management username and password from a table in the SQL database by some specific method. Following this idea, I studied a lot of relevant material on the Internet and finally determined that the attack was "SQL injection".

3. Intrusion principle: The principle of SQL injection is that the client submits specially crafted code through the normal WWW port and uses the error messages returned to collect information about the program and the server, thereby obtaining the information the attacker wants.

4. Solution: In the ASP program, add the statement "On Error Resume Next", which suppresses SQL error messages, before the "Select * from" statement that extracts the contents of the database table.

On Error Resume Next
rs.Open "SELECT * FROM xinwen WHERE xw_id = " & Request.QueryString("xw_id"), conn, 1, 3
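As an added example (not the article's own code), the login query from the first intrusion and the news query from the third are re-created against an in-memory SQLite table, beside the article's single-quote Replace fix, its On Error Resume Next suppression, and a parameterized version of each; the table rows are constructed here, and SQLite compares the literals 1 and '1' without conversion, so the test uses '1'='1' in place of the article's 1='1'.

```python
import sqlite3

# Constructed stand-in for the article's tables (table names from the article,
# rows invented here).
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE user (username TEXT, password TEXT);
    INSERT INTO user VALUES ('admin', 'S3cret!');
    CREATE TABLE xinwen (xw_id INTEGER, title TEXT);
    INSERT INTO xinwen VALUES (1, 'news one'), (2, 'news two');
""")

def login_concat(userid, pw):
    """First intrusion: the login query built by string concatenation."""
    sql = f"SELECT * FROM user WHERE username = '{userid}' AND password = '{pw}'"
    return db.execute(sql).fetchone() is not None

def login_replace(userid, pw):
    """The article's fix: Replace(s, "'", "''") doubles every quote, so the
    user's quote stays inside the string literal."""
    userid, pw = userid.replace("'", "''"), pw.replace("'", "''")
    sql = f"SELECT * FROM user WHERE username = '{userid}' AND password = '{pw}'"
    return db.execute(sql).fetchone() is not None

def login_param(userid, pw):
    """Parameterized form: the driver binds the values, so quotes are data."""
    sql = "SELECT * FROM user WHERE username = ? AND password = ?"
    return db.execute(sql, (userid, pw)).fetchone() is not None

def news_concat(xw_id):
    """Third intrusion: a numeric id concatenated without quotes, so quote
    doubling alone would not protect this query."""
    return [r[1] for r in db.execute(f"SELECT * FROM xinwen WHERE xw_id = {xw_id}")]

def news_quiet(xw_id):
    """The article's 'On Error Resume Next': the error text no longer reaches
    the client, but the query is unchanged and still injectable."""
    try:
        return news_concat(xw_id)
    except sqlite3.Error:
        return []

def news_param(xw_id):
    """Reject anything that is not an integer, then bind the value."""
    if not str(xw_id).isdigit():
        raise ValueError("xw_id must be a non-negative integer")
    return [r[1] for r in db.execute("SELECT * FROM xinwen WHERE xw_id = ?", (int(xw_id),))]
```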
