With the advance of educational informatization, educational websites have appeared in large numbers. Most of them are small sites developed and managed by school computer teachers themselves, so they are usually short of equipment, technical expertise and dedicated staff. The sites contain vulnerabilities and frequently become targets of hacker attacks, which seriously disrupts normal operation. Here the author analyzes three intrusions suffered by one educational website in order to illustrate the common methods and means that hackers use.
The first intrusion I encountered
1. Intrusion phenomenon: During the Spring Festival of 2004, a message reading "There is a loophole in this forum, please fix it" suddenly appeared on the website's bulletin board, with a picture attached.
2. Handling process: My first thought was a Windows 2000 vulnerability, so I deleted the message, reinstalled the update patches for the Windows 2000 server, tightened the security settings and changed the full set of passwords. I thought I could relax, but a few days later the hacker warned again on the bulletin board: "Your vulnerability still exists. I can tell you the problem, but in return I want the source code of your website."
3. Intrusion principle: Of course I was not going to give in easily. After looking into it, I found that the vulnerability was the notorious SQL "single quote injection". The principle is as follows. On the backend management login page, where the user's password is checked, if the user enters "Everybody" in the "UserID" box and "anything' or 1='1" in the password box, the query becomes: select * from user where username='Everybody' and password='anything' or 1='1'. Since 1='1' is a condition that always holds, the whole WHERE clause evaluates to true and the password check is useless: whether or not the password is really "anything", the attacker can log in remotely as Everybody, obtain backend management rights and publish any information on the bulletin board.
4. Solution: Use the replace function to neutralize single quotes in the submitted values before they are concatenated into the query (Request(...) is the standard ASP request object):

' Replace doubles each single quote so it cannot close the string literal
sql = "select * from user where username='" & Replace(Request("UserID"), "'", "''") & "' and password='" & Replace(Request("Pass"), "'", "''") & "'"
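As an added illustration (not code from the original article), the following Python program reproduces the login check against an in-memory SQLite table and contrasts the string-built query with the article's quote-doubling fix and with a parameterized query. The table layout, the sample account and the function names are assumptions. SQLite compares the integer 1 and the text '1' as different types, so the tautology is written in the quoted form anything' or '1'='1 rather than the article's 1='1'; the effect on the concatenated query is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's user table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.execute("insert into user values ('Everybody', 'real-password')")
    conn.commit()
    return conn


def login_concat(conn, userid, password):
    """Vulnerable: the query is built by string concatenation, as on the page.
    A quote inside the password closes the literal and the rest becomes SQL."""
    sql = ("select * from user where username='" + userid +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def escape_quotes(value):
    """The article's fix: double every single quote so it stays inside the literal."""
    return value.replace("'", "''")


def login_escaped(conn, userid, password):
    """Same concatenated query, with the replace-based escaping applied first."""
    sql = ("select * from user where username='" + escape_quotes(userid) +
           "' and password='" + escape_quotes(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, userid, password):
    """Preferred fix: bound parameters; user input is never parsed as SQL."""
    row = conn.execute(
        "select * from user where username=? and password=?",
        (userid, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "anything' or '1'='1"
    print("concat  :", login_concat(db, "Everybody", payload))        # True: bypassed
    print("escaped :", login_escaped(db, "Everybody", payload))       # False
    print("param   :", login_param(db, "Everybody", payload))         # False
    print("param ok:", login_param(db, "Everybody", "real-password"))  # True
```

Quote doubling only protects values that sit inside a quoted string literal; an id concatenated into a numeric comparison such as where xw_id= gets no protection from it, which is why the parameterized form is the one to prefer.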
Invaded again
After the first intrusion I was uneasy for weeks, and unfortunately it did happen again.
1. Intrusion phenomenon: One day I suddenly found that the website's homepage file and some data in the database had been deleted. Analysis of the traces showed that it was the same hacker.
2. Handling process: First I checked the system logs and the SQL logs, but found nothing of value. I then scanned with the system vulnerability scanning tools provided by X-Scan, * and Rising anti-virus software. The system had no serious security vulnerabilities, so the search stalled. Fortunately the website had complete backups, and in the end all I could do was restore normal operation first. By coincidence, while uploading files through the backend management a week later, I found traces of someone having uploaded and operated on three files, and the time was during the first intrusion. However, these three files could no longer be found on the machine's hard drive. This was a * program. Clearly this hacker was more professional: after finishing the intrusion he cleaned up after himself, but he still left clues in the website's upload record, otherwise the administrator would have had no way of knowing.
3. Intrusion principle: It was a * program. After reading a lot of material I established that this * is an ASP *, the well-known "Haiyang Top" ASP *. Once it is copied into the website's virtual directory, the remote party only has to open the ASP file in the IE browser to control the computer and perform arbitrary operations through a web interface. I downloaded an ASP * and tested it in a simulated environment. It is very powerful: it can upload, download, delete and modify files, add users and execute programs remotely. The accompanying file is a batch file whose contents are a set of commands, written as needed, that are executed automatically on the remote computer. Clearly this * was planted during the first intrusion: once the network administrator failed to meet his demands, he could easily attack again.
4. Solution: To get rid of the hidden *s and make sure nothing else went wrong, I reinstalled the Windows 2000 system and changed the full set of usernames and passwords.
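The decisive clue in this intrusion was the upload record: three files had been uploaded during the first attack and later removed from disk. As an added example (not code from the original article), the following Python script audits a constructed upload log of that kind: it flags any upload whose file name carries a server-side script or native executable extension (checking every extension segment, so pic.jpg.asp is caught too) and any upload that no longer exists on disk. The log line format, the extension lists and the sample entries are assumptions; the extension set is a typical IIS script mapping, not taken from the article.

```python
import re

# Extensions IIS on Windows 2000 hands to a script engine (assumed typical set),
# plus native executables such as the batch file mentioned in the article.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "htr", "aspx", "php", "jsp"}
NATIVE_EXTENSIONS = {"bat", "cmd", "exe", "com", "vbs"}

# Constructed upload-record format (assumption): timestamp, account, action, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<path>\S+)$"
)

SAMPLE_LOG = [  # constructed sample entries, not real data
    "2004-01-24 23:58:10 admin upload /upload/news0124.jpg",
    "2004-01-25 03:14:02 admin upload /upload/diy.asp",
    "2004-01-25 03:14:30 admin upload /upload/run.bat",
    "2004-01-25 03:15:01 admin upload /upload/pic.jpg.asp",
    "2004-02-20 10:05:11 admin upload /upload/logo.gif",
]

# Files currently present in the upload directory (constructed). The three
# suspicious ones are gone: the "uploaded but missing" trace the article describes.
PRESENT_FILES = {"/upload/news0124.jpg", "/upload/logo.gif"}


def parse_line(line):
    """Return the record fields as a dict, or None for a line that does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def risky_extensions(path):
    """List every extension segment of the file name that is script or native code.
    Looking at all segments, not only the last, catches double extensions."""
    name = path.rsplit("/", 1)[-1].lower()
    segments = name.split(".")[1:]
    return [s for s in segments if s in SCRIPT_EXTENSIONS or s in NATIVE_EXTENSIONS]


def audit_uploads(log_lines, present_files):
    """Return the upload records an administrator should look at, with reasons."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "upload":
            continue
        reasons = []
        if risky_extensions(rec["path"]):
            reasons.append("executable_extension")
        if rec["path"] not in present_files:
            reasons.append("missing_on_disk")
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_uploads(SAMPLE_LOG, PRESENT_FILES):
        print(finding["ts"], finding["user"], finding["path"], ", ".join(finding["reasons"]))
```

Run against a real upload record, the "missing_on_disk" reason is the one that would have surfaced this intrusion a week earlier; the "executable_extension" reason is better enforced at upload time by rejecting such names outright.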
Analysis of the third intrusion
1. Intrusion phenomenon: In October 2004 the website was invaded again. That day I suddenly found that a picture in the picture-news column had been replaced by an old item from the previous year. When a client clicked the news picture, the Rising anti-virus monitor raised an alarm and reported a virus. Clearly the site had been hacked and a picture carrying a virus had been planted. It was a * virus disguised in an image file format; once a user clicked the picture, the virus was dropped into the C:\Windows\Temporary Internet Files directory. This was a vicious intrusion and, judging from the method, the work of a different hacker.
2. Handling process: With the lessons of the first two intrusions, I had got into the habit of keeping up with information about system security vulnerabilities and applying system updates regularly, so an intrusion through a system vulnerability was unlikely. The pictures are stored in the SQL database, which means the hacker had used the website's backend management function to upload the image, and that requires a valid username and password. The username and password I had set were not easy to crack, so there was only one possibility: the hacker had obtained, by some specific means, the backend management username and password stored in a table of the SQL database. Following this idea I studied a lot of material on the Internet and finally identified this attack as "SQL injection".
3. Intrusion principle: The principle of SQL injection is that the client submits specially crafted input through the normal WWW port and uses the error messages returned to gather information about the program and the server, until the desired information is obtained.
4. Solution: Add an "on error resume next" statement, which suppresses SQL error messages, before the "select * from" statement with which the ASP program reads the table contents, for example (rs is an ADODB.Recordset and Request(...) the ASP request object):

on error resume next
rs.Open "select * from xinwen where xw_id=" & Request("xw_id"), conn, 1, 3