
php - The website is attacked and more member data will be released every day.

In the past few days, we have discovered that our website suddenly has a lot of members. These members are all similar, but members can only be added through the backend system. They will still appear after changing the backend password. There is no operation information in the backend operation log.
There is no company field among the fields that can be added in the backend, so it is not clear how it was attacked.
Here is the injected data:

Here is the membership data of the website:

高洛峰 · 2777 days ago · 573


  • PHPz

    PHPz 2017-05-16 13:06:56

    First, check the firewall. If the website has no special port requirements, just open 80. Ports like 3306, 22, etc. should be accessible only from the company's internal network.

    Second, change all passwords for the database, backend, etc. (the passwords should be longer, mix uppercase and lowercase, and include special symbols).

    Third, if the backend only needs to be accessible by the company, try to hide the URL as much as possible. Also do a check (i.e., allow only the company’s network to access the backend).

    Fourth, if there is member registration on the front end, make sure there is a verification code and a security check (that is, for the same IP, there must be a gap in time between member registrations).

    After completing the above, have the programmer check the system logs, database logs, program logs... and whether there are any loopholes in the program code.

  • 某草草

    某草草 2017-05-16 13:06:56

    Add a verification code when registering!

  • 迷茫

    迷茫 2017-05-16 13:06:56

    Get your database address + account number + password directly, and then directly operate your database. See, is it easier?

  • PHPz

    PHPz 2017-05-16 13:06:56

    Check the MySQL operation log; if it is not enabled, enable it and wait.

  • 巴扎黑

    巴扎黑 2017-05-16 13:06:56

    It may be a SQL injection attack. Even if you change the SQL password, you still need to configure the correct password in the production environment. If you don’t fix the SQL vulnerability, he can still inject some data. Rewrite all SQL statements using the PDO::prepare parameter binding method, and then observe whether the problem is solved. In addition, if the system is used internally, it should not be open to the external network and should be accessed through an internal IP.

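An added example, not part of the thread or of any poster's code: the PDO::prepare parameter binding recommended in the reply above, shown next to a concatenated INSERT. The `members` table, its columns, the function names and the input string are constructed for illustration, and the script assumes the pdo_sqlite extension so that it runs against an in-memory database.

```php
<?php
// Added example: constructed schema and input, in-memory SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function resetTable(PDO $pdo): void {
    $pdo->exec('DROP TABLE IF EXISTS members');
    $pdo->exec('CREATE TABLE members (name TEXT, company TEXT)');
}

// BEFORE: the request value becomes part of the statement text.
function addMemberConcat(PDO $pdo, string $name): void {
    $pdo->exec("INSERT INTO members (name, company) VALUES ('$name', '')");
}

// AFTER: the statement text is fixed; values travel as bound parameters.
function addMemberPrepared(PDO $pdo, string $name): void {
    $stmt = $pdo->prepare(
        'INSERT INTO members (name, company) VALUES (:name, :company)'
    );
    $stmt->execute([':name' => $name, ':company' => '']);
}

function dumpRows(PDO $pdo, string $label): void {
    $rows = $pdo->query('SELECT name, company FROM members')
                ->fetchAll(PDO::FETCH_ASSOC);
    echo $label, ': ', count($rows), " row(s)\n";
    foreach ($rows as $row) {
        echo '  name=', var_export($row['name'], true),
             ' company=', var_export($row['company'], true), "\n";
    }
}

// Constructed input: a single form field whose quote closes the string literal.
$input = "a', ''), ('b', 'set-by-input') -- ";

resetTable($pdo);
addMemberConcat($pdo, $input);
dumpRows($pdo, 'concatenated');

resetTable($pdo);
addMemberPrepared($pdo, $input);
dumpRows($pdo, 'prepared');
```

With the concatenated statement the single field value is parsed as SQL and yields two rows, one carrying a company value the form never offered; with binding the same value is stored as one literal name.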
  • PHPz

    PHPz 2017-05-16 13:06:56

    Bind Baidu Cloud Observation. Then the database account must be bound to an IP.
    For SQL injection, check to see if there is some form that has not been processed.

  • 習慣沉默

    習慣沉默 2017-05-16 13:06:56

    It would be much better to add verification, but some can also do verification-code recognition, so you can also add IP restrictions. If an IP operates too frequently, limit the operations of that IP! Of course, experts can also keep changing IPs to attack; it depends on how valuable your website is!

  • 伊谢尔伦

    伊谢尔伦 2017-05-16 13:06:56

    Check the MySQL log and look at the operation records.

  • 漂亮男人

    漂亮男人 2017-05-16 13:06:56

    Check the log first to determine where the write point is.

  • 滿天的星座

    滿天的星座 2017-05-16 13:06:56

    Is your database isolated?

    We were also attacked. The SMS sending interface was constantly requested without verification before, which directly caused our SMS service to become unusable.
