DedeCMS has long been a popular CMS for building websites, largely thanks to the strong support of the two big webmaster communities. Popularity has a price, though: a CMS this widely used also attracts people with ulterior motives. My own site runs on DedeCMS and was recently attacked again. The aim was the usual one, hidden links (the so-called "black chain"). Once I noticed, I found the code had only been slightly modified and restored it; nothing too serious. Since then, however, files have again been appearing on the site out of nowhere. As in the previous incident, the attacker has not yet got round to modifying the site templates, but this shows that my security precautions have not been adequate and that the attacker could regain administrator access at any time, so the preventive measures deserve special attention.
Since I prefer to find the root cause, I searched the Internet for relevant information and found that this is indeed a DedeCMS vulnerability: attackers use multi-dimensional (array) variables to bypass the regular-expression checks. The vulnerability lies mainly in /plus/mytag_js.php. The principle is that the attacker prepares a MySQL database of their own and uses it against the database of a known site, writing a single line of code into it; once the write succeeds, that code can later be used to obtain administrator permissions for the back end.
Judging from my own site's experience and similar reports from others, the files the hackers write are mostly found in the /plus/ folder. Known file names so far include ga.php, log.php, b.php, b1.php and so on. They are characteristically short, with very little content; perhaps it was not convenient to write more at the time, but the code is genuinely effective.
Here is some of the code from the ga.php file:
<title>login</title>no<? php
?>
<title>login</title>no<? php
?>
<title>login</title>no<? php
The actual file is longer than the excerpt above, but the rest merely repeats the same code. The log.php code is similar and consists of a single statement: simple and direct. Anyone with a little web security knowledge will recognize it as a PHP trojan (a webshell); it is driven by specific client tools, and presumably its function relates to cracking passwords.
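To turn the observations above into a routine check, here is an added shell example (mine, not code from the original post) that scans a site's plus/ directory for the kind of dropped files described: the file names seen in this incident, and small PHP files containing constructs that one-line webshells almost always carry (eval, assert, base64_decode, direct reads of request variables). The 512-byte threshold, the pattern list and the demo fixture are my assumptions; tune the threshold against your own install, since the real scripts in plus/ are far larger than the dropped files.

```shell
#!/bin/sh
# Added example: scan a DedeCMS plus/ directory for dropped webshell files.
# File names come from the incident described in the post; the size threshold
# and the code patterns are assumptions a defender would tune for their site.

KNOWN_DROPS="ga.php log.php b.php b1.php"
# Constructs that a one-line PHP webshell almost always contains.
SUSPECT_RE='eval *\(|assert *\(|base64_decode *\(|\$_(POST|GET|REQUEST|COOKIE)\['
SMALL_BYTES=512

# scan_plus <site_root>
# Prints "<name> <bytes> <reason>" for each suspicious file in <site_root>/plus
# and returns 0; an empty result means nothing matched.
scan_plus() {
  root=$1
  for f in "$root"/plus/*.php; do
    [ -f "$f" ] || continue
    name=${f##*/}
    size=$(wc -c < "$f" | tr -d ' ')
    reason=""
    case " $KNOWN_DROPS " in
      *" $name "*) reason="known-drop-name" ;;
    esac
    if [ "$size" -lt "$SMALL_BYTES" ] && grep -Eq "$SUSPECT_RE" "$f"; then
      reason="${reason:+$reason,}small-with-suspicious-code"
    fi
    if [ -n "$reason" ]; then
      printf '%s %s %s\n' "$name" "$size" "$reason"
    fi
  done
  return 0
}

# build_demo_site <dir>: constructed fixture, not real site content.
# One inert file mimicking the dropped ga.php (its payload replaced by a
# harmless marker) and one long, harmless file standing in for a real plugin.
build_demo_site() {
  mkdir -p "$1/plus"
  printf '<title>login</title>no<?php /* constructed marker */ eval(0); ?>\n' > "$1/plus/ga.php"
  {
    printf '<?php\n// constructed stand-in for a legitimate plus/ script\n'
    i=0
    while [ "$i" -lt 200 ]; do
      printf '$counter_%d = %d;\n' "$i" "$i"
      i=$((i + 1))
    done
  } > "$1/plus/count.php"
}

# Run as "sh scan.sh --demo" to see the scanner flag only the constructed ga.php.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  build_demo_site "$demo"
  scan_plus "$demo"
  rm -rf "$demo"
fi
```

On a live site, run scan_plus against the web root from cron and diff the output against the previous run; a file that is new, tiny and matches the pattern list is exactly what the post describes, while a large plugin that happens to call base64_decode will not be reported because of the size gate.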
Now that we know which vulnerability the attacker uses and how it is exploited, how do we stop these dangerous things from happening? After consulting a great deal of material, I have put together the following preliminary steps to prevent the vulnerability from being exploited, in the hope that they help fellow webmasters who also use DedeCMS.
1. Apply the upgrade patch and set directory permissions
This is the official fix for the problem. Whichever DedeCMS version you use, upgrade promptly from the back end so that the patch is applied automatically; this is the single most important step in avoiding exploitation. The official guidance also covers directory permissions: set data, templets, uploads and a to readable and writable but not executable; set include, member, plus, the back-end management directory and so on to readable and executable but not writable; and delete the install and special directories. See the official instructions for the exact settings.
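The directory-permission half of this step, as an added shell example (mine, not the DedeCMS project's or the post's code): it applies the layout the official guidance describes to a site root. It assumes a Linux host running Apache 2.4 with AllowOverride enabled for the site (so the .htaccess rules take effect), that the files are owned by the account running the script, and that the back-end directory still has its default name dede; adjust the name if you have renamed it.

```shell
#!/bin/sh
# Added example: apply the DedeCMS directory-permission scheme to a site root.
# Assumptions: Linux, Apache 2.4 with AllowOverride for the site (needed for
# the .htaccess files), the tree owned by the user running this, and "dede"
# as the name of the back-end directory (change it if yours is renamed).

WRITABLE_NOEXEC="data templets uploads a"      # content may be written, never executed
READONLY_EXEC="include member plus dede"       # scripts run here, but nobody may write
REMOVE="install special"                       # not needed after installation

# deny_php_htaccess <dir>: stop the web server from executing scripts in <dir>
# under any PHP-like extension; static files in it are still served.
deny_php_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# Written by harden_dede_dirs: this directory is writable, so it must not execute code.
<FilesMatch "\.(php|php[0-9]|phtml|phps|inc)$">
    Require all denied
</FilesMatch>
EOF
}

# harden_dede_dirs <site_root>
harden_dede_dirs() {
  root=$1
  for d in $WRITABLE_NOEXEC; do
    [ -d "$root/$d" ] || continue
    chmod -R u+rwX,go+rX,go-w "$root/$d"   # owner rw, others read-only; X only where already set
    deny_php_htaccess "$root/$d"
  done
  for d in $READONLY_EXEC; do
    [ -d "$root/$d" ] || continue
    chmod -R a-w "$root/$d"                # run "chmod -R u+w" here before the next upgrade
  done
  for d in $REMOVE; do
    if [ -d "$root/$d" ]; then
      rm -rf "$root/$d"
    fi
  done
  return 0
}

# Run directly as: sh harden.sh /var/www/mysite   (the path is a placeholder)
if [ -n "${1:-}" ] && [ -d "$1" ]; then
  harden_dede_dirs "$1"
fi
```

One caveat on the .htaccess approach: because the file sits inside a directory that is deliberately writable, anyone who gains write access there could also remove it. Where you control the virtual host, put the same FilesMatch rule in a Directory block of the server configuration instead, which the web application cannot touch.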
2. Change the admin account and password
Hackers may take the default admin account and then guess at its password to crack it, so changing the default admin account name matters a great deal. There are many ways to do this; the most effective is to log in to the site database with phpMyAdmin, find the dede_admin table (dede_ being the table prefix) and modify userid and pwd. The pwd value must be set to f297a57a5a743894a0e4, which corresponds to the default password admin. Then log in to the back end and change the password there.
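As an added example (not from the post), a small shell helper that produces the SQL for this step. It relies on the DedeCMS admin password scheme, which is the md5 of the password truncated to characters 6 through 25 (PHP's substr(md5($pwd), 5, 20)); the hash the post quotes, f297a57a5a743894a0e4, is exactly that derivation for the word admin, and the helper verifies this before producing anything. It goes a little beyond the text: instead of writing the default hash and changing the password afterwards, it lets you set a new account name and a strong password in one statement. The dede_ prefix is the one named in the post; the account name and password in the usage note are placeholders.

```shell
#!/bin/sh
# Added example: generate the dede_admin UPDATE for a new account name and
# password, using the DedeCMS admin hash scheme substr(md5(pwd), 5, 20).

# md5_hex: read stdin, print the lowercase md5 hex digest (coreutils or openssl)
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -c1-32
  else
    openssl dgst -md5 | sed 's/.* //'
  fi
}

# dede_pwd_hash <password>: the 20-character value stored in dede_admin.pwd
dede_pwd_hash() {
  printf '%s' "$1" | md5_hex | cut -c6-25
}

# check_scheme: confirm the derivation reproduces the hash quoted in the post
# for the default password (dede_pwd_hash admin -> f297a57a5a743894a0e4).
check_scheme() {
  [ "$(dede_pwd_hash admin)" = "f297a57a5a743894a0e4" ]
}

# dede_admin_reset_sql <new_userid> <new_password>
# Prints the UPDATE to paste into phpMyAdmin. Refuses input that would break
# the SQL quoting, the default name/password, and short passwords.
dede_admin_reset_sql() {
  new_user=$1
  new_pwd=$2
  check_scheme || { echo "hash scheme check failed" >&2; return 1; }
  case "$new_user$new_pwd" in
    *\'*|*\\*|*\;*) echo "quotes, backslashes and semicolons are not allowed" >&2; return 1 ;;
  esac
  if [ "$new_user" = "admin" ] || [ "$new_pwd" = "admin" ]; then
    echo "choose a non-default account name and password" >&2; return 1
  fi
  if [ "${#new_pwd}" -lt 12 ]; then
    echo "use a password of at least 12 characters" >&2; return 1
  fi
  printf "UPDATE dede_admin SET userid='%s', pwd='%s' WHERE userid='admin';\n" \
    "$new_user" "$(dede_pwd_hash "$new_pwd")"
}
```

Usage: dede_admin_reset_sql siteowner 'N0t-The-Default!' prints the statement with the 20-character hash filled in (both values are placeholders); run it in phpMyAdmin's SQL tab, then log in with the new name and password. If your installation uses a prefix other than dede_, edit the table name in the printf accordingly.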
3. Other points worth noting
Beyond that, avoid hosting that is too cheap: such hosting is prone to security problems on the server itself, and once the server is compromised every site on it is lost. If you do not need it, do not open member registration, which is troublesome to run anyway. Do not list the back-end directory in robots.txt, and change it at least once a month. The administrator password and other passwords should likewise be changed regularly and must not be the same as passwords for other accounts, so they cannot be guessed from them.
After several attacks I have to say that the Internet is no place to sleep soundly. As webmasters, the people who weave the web, we should pay more attention to network security. If these precautions are carried out properly then, even if not 100%, at least 95% of attackers will probably fail to obtain back-end permissions.