Hacking Book | Free Online Hacking Learning


An analysis of the current state of Internet system security in the colleges and universities of one city

Posted by truschel at 2020-03-27

1. General situation

With the arrival of the global information age, cyberspace has become the fifth domain of national sovereignty after land, sea, air and outer space. Whoever controls cyberspace can influence a country's economic lifeline, political direction and social stability, and competition among states over the right to develop, dominate and control it is growing ever fiercer. Cyberspace is rapidly becoming a new arena of strategic deterrence and control, a new platform for ideological struggle, a new front for maintaining economic and social stability, and a new field of future military competition. Network security is therefore a matter of national security and occupies a strategic, comprehensive and fundamental position. As a developing network power, China faces a very severe network security situation.

The WannaCry ransomware outbreak swept through networks worldwide and caused great alarm among enterprises and institutions in many countries. Windows systems were hit hardest, so the operating system was the natural suspect, and some attributed the spread to negligence in patching the vulnerability it exploited. Domestic colleges and universities were not spared either: because each school runs different departments and programs, it operates many subsystems, and a vulnerability in any one of them is a threat to the whole campus network.

2. The importance of campus system security

Campus Internet application systems hold a large amount of students' personal information, including course selection, identity details, class membership and credits, all of which is closely tied to the students themselves. That information also has value to operators in the underground data trade. Lured by the profit chain, many people take the risk of obtaining such data and selling it illegally, to the detriment of the students concerned. Since the Xu Yuyu tragedy, the security of campus systems has become a matter of the highest importance that cannot be ignored.

3. Statistical content

To get a more direct picture of the website security of colleges and universities in one region, we selected 22 colleges and universities in a single city for data analysis. For each institution's portal website we ran a web application scan and a port scan, to see whether security devices had been deployed at the network border to block scanning and whether the servers exposed insecure ports.

4. Statistical conclusion analysis

4.1 vulnerability statistics

The data shows that most of the websites have deployed security devices at their border and enabled the corresponding protection policies, which effectively resist attacks from outside.

However, most systems expose FTP (port 21) and the database ports 3306 (MySQL) and 1521 (Oracle) without any access restriction. An attacker can brute-force these services to obtain credentials, escalate privileges to gain control of the server, and then alter the website's content.

We also collected brute-force attack logs from colleges and universities in the same city. They show attackers using many different proxy IP addresses within a single attack. Proxy IPs have become a very common tool for attackers: they effectively hide the attacker's identity and complicate attribution, and they also defeat any defence that only counts failures per source address.
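The following is an added example, not code or log data from the report: it runs a detection over constructed sshd-style log lines (made up here, in the format of /var/log/auth.log) and shows why proxy-rotated brute forcing is missed by a simple per-IP threshold. It flags two patterns: one source address accumulating many failures, and one account attacked from many distinct addresses with only a failure or two each. The sample addresses and thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of /var/log/auth.log (OpenSSH sshd); these lines are
# made up for this example and are not log data from the report.
SAMPLE_LOG = """\
Mar 24 10:00:01 portal sshd[2101]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar 24 10:00:02 portal sshd[2102]: Failed password for root from 203.0.113.11 port 51001 ssh2
Mar 24 10:00:03 portal sshd[2103]: Failed password for root from 203.0.113.12 port 51002 ssh2
Mar 24 10:00:04 portal sshd[2104]: Failed password for root from 203.0.113.13 port 51003 ssh2
Mar 24 10:00:05 portal sshd[2105]: Failed password for root from 203.0.113.14 port 51004 ssh2
Mar 24 10:00:06 portal sshd[2106]: Failed password for root from 203.0.113.15 port 51005 ssh2
Mar 24 10:00:07 portal sshd[2107]: Failed password for root from 203.0.113.16 port 51006 ssh2
Mar 24 10:00:08 portal sshd[2108]: Failed password for root from 203.0.113.17 port 51007 ssh2
Mar 24 10:01:00 portal sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar 24 10:01:01 portal sshd[2111]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Mar 24 10:01:02 portal sshd[2112]: Failed password for invalid user mysql from 198.51.100.7 port 40003 ssh2
Mar 24 10:01:03 portal sshd[2113]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Mar 24 10:01:04 portal sshd[2114]: Failed password for invalid user ftp from 198.51.100.7 port 40005 ssh2
Mar 24 10:01:05 portal sshd[2115]: Failed password for invalid user www from 198.51.100.7 port 40006 ssh2
Mar 24 10:02:00 portal sshd[2120]: Failed password for student from 192.0.2.5 port 40100 ssh2
Mar 24 10:02:05 portal sshd[2120]: Accepted password for student from 192.0.2.5 port 40100 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Extract (user, source_ip) pairs from failed-login lines; other lines are ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs


def find_brute_force(log_text, per_ip_threshold=5, min_distinct_sources=8):
    """Flag two patterns of password guessing.

    single_source: one IP accumulating >= per_ip_threshold failures (what a fail2ban-style
                   rule catches).
    distributed:   one account attacked from >= min_distinct_sources different IPs, each
                   contributing only a few failures. This is the trace left by an attacker
                   rotating proxy IPs; a per-IP threshold alone never triggers on it.
    """
    failures_by_ip = defaultdict(int)
    sources_by_user = defaultdict(set)
    for user, ip in parse_failures(log_text):
        failures_by_ip[ip] += 1
        sources_by_user[user].add(ip)

    single_source = sorted(ip for ip, n in failures_by_ip.items() if n >= per_ip_threshold)
    distributed = sorted(
        user for user, ips in sources_by_user.items() if len(ips) >= min_distinct_sources
    )
    return {"single_source": single_source, "distributed": distributed}


if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG))
```

On the sample, 198.51.100.7 is caught by the per-IP rule, while the eight proxy addresses probing root each stay below it and are only caught by grouping failures per target account; in practice the distinct-source threshold should be tuned per host, and the per-account view is also the one that tells you which account to lock and which addresses to hand to whoever does the attribution.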

The vulnerability statistics show that most of the systems in this spot check have no SQL injection, XSS or other common high-risk vulnerabilities, indicating that source code review and border security devices have been effective at reducing conventional code-level flaws. However, third-party components such as JavaScript libraries, middleware, the keditor editor and the Struts 2 framework have not been upgraded or maintained in time. Once such an external component has a flaw, it poses an equally serious threat to the system; the well-known Java deserialization vulnerabilities and the Struts 2 vulnerabilities are examples.

4.2 analysis of attacker's malicious behavior

Once an attacker has obtained access to a server, they upload a webshell, modify files, plant hidden links and so on. The statistics of malicious events in the city's colleges and universities show that most of the school websites have suffered database deletion, file tampering, hidden links or similar operations.

A so-called hidden link (dark link) is planted by exploiting a vulnerability in the website's code to gain a webshell on a site that carries high search-engine weight or PageRank, then inserting links to the attacker's own site into the compromised pages. Its purpose is the same as that of an ordinary visible link: to raise the attacker's search ranking cheaply. In one case the homepage of a government unit's website had been modified to carry such malicious links.
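As an added example (not code from the report or the team), the following script shows how such planted links can be found in a page: it parses the HTML with the standard library and reports anchors to external hosts that a visitor would never see because they, or an ancestor element, are hidden or pushed off-screen by inline CSS. The page fragment, host names and the list of hiding styles are constructed assumptions for the demonstration; a real check would also look at external stylesheets and at links added by script.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element invisible or pushes it off-screen: the usual ways
# planted links are kept out of visitors' sight while search engines still index them.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*[01]px"
    r"|(?:left|top|right|bottom|text-indent|margin-left)\s*:\s*-\d{3,}px",
    re.I,
)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col"}


class HiddenLinkFinder(HTMLParser):
    """Report anchors to external hosts that are invisible to a human visitor."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, reason) per open element; reason is inherited by children
        self.hits = []       # {"href", "text", "reason"} for each suspicious anchor
        self._anchor = None  # the <a> currently being read

    @staticmethod
    def _hidden_by(attrs):
        a = dict(attrs)
        if "hidden" in a:
            return "hidden attribute"
        if HIDDEN_STYLE.search(a.get("style") or ""):
            return "style: " + a["style"].strip()
        return None

    def handle_starttag(self, tag, attrs):
        reason = self._hidden_by(attrs)
        if reason is None and self.stack and self.stack[-1][1]:
            reason = self.stack[-1][1]  # inherited from a hidden ancestor
        if tag == "a":
            self._anchor = {"href": dict(attrs).get("href") or "", "text": "", "reason": reason}
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self._finish_anchor()
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def _is_external(self, href):
        host = urlparse(href).hostname
        return host is not None and host.lower() != self.site_host

    def _finish_anchor(self):
        a, self._anchor = self._anchor, None
        if a["reason"] and self._is_external(a["href"]):
            a["text"] = a["text"].strip()
            self.hits.append(a)


def find_hidden_links(html, site_host):
    """Return the suspicious external anchors found in html, in document order."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed page fragment standing in for a compromised homepage (not a real site).
SAMPLE_PAGE = """
<html><body>
<div id="nav"><a href="/news">News</a> <a href="http://www.example-univ.edu/admissions">Admissions</a></div>
<p>Welcome to the portal. <a href="https://partner.example/">Partner site</a></p>
<div style="display:none"><a href="http://casino.example/">best casino online</a>
<a href="http://loan.example/">fast loan</a></div>
<a href="http://shop.example/" style="position:absolute;left:-9999px">cheap watches</a>
<div style="visibility:hidden"><a href="/maintenance">internal note</a></div>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_PAGE, "www.example-univ.edu"):
        print(hit["href"], repr(hit["text"]), hit["reason"])
```

Hidden links to the site's own host are deliberately not reported (sites legitimately hide navigation), which is why the example keys the decision on the link target being external. Running it periodically against the live homepage and diffing the result against a known-good copy is a cheap way to notice the defacement described above before search engines do.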

A compromised host that an attacker controls remotely is known as a puppet machine or zombie (a "chicken" in Chinese hacker slang). When an attacker breaks into a machine with hacking tools, the malware opens a backdoor in the system so that the attacker can control or operate the computer whenever needed, and can use it to attack other machines. In one case the attacker installed a SOCKS5 proxy server on the compromised host to relay their traffic through it.

The remote-control Trojan found on one host calls the readlink system call (sys_readlink) on /proc/self/exe to learn its own file path, then tests whether it has outbound network access and, once it can reach the Internet normally, waits for commands from the attacker.

Attackers may also upload large numbers of backdoor webshells; connecting to such a shell remotely gives them control of the server and lets them create, delete, modify and read files on it at will.
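An added example, not the team's own tool: a small signature scanner of the kind the webshell check in the preventive measures below calls for. It walks a web root, scores PHP and JSP files against a few patterns that characterise backdoor shells (code execution or command execution fed directly from request parameters, dynamic calls on request input, decoders used for obfuscation) and reports files whose score passes a threshold. The rule set, weights, threshold and the four sample files written into a temporary web root are constructed for the demonstration; real scanners carry far larger rule sets and must expect obfuscation that these patterns do not cover.

```python
import os
import re
import tempfile

INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

# (rule name, weight, pattern). Weights add up per file; a file scoring >= 2 is reported.
RULES = [
    ("php_eval_on_input", 3,
     re.compile(r"\b(?:eval|assert|create_function)\s*\([^;]*" + INPUT, re.I)),
    ("php_exec_on_input", 3,
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\([^;]*" + INPUT, re.I)),
    ("php_dynamic_call_on_input", 2,
     re.compile(r"\$\w+\s*\(\s*" + INPUT, re.I)),   # $f($_GET['c']) after $f = ...
    ("php_decoder", 1,
     re.compile(r"\b(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)),
    ("jsp_exec_on_input", 3,
     re.compile(r"(?:Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder)\s*\([^;]*request\.getParameter", re.I)),
]
SCAN_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx"}
REPORT_THRESHOLD = 2


def scan_source(text):
    """Score one file's source text. Returns (score, [matched rule names])."""
    matched = [name for name, _w, pat in RULES if pat.search(text)]
    score = sum(w for name, w, _p in RULES if name in matched)
    return score, matched


def scan_tree(root):
    """Walk a web root; return {relative path: (score, rules)} for files worth a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                score, rules = scan_source(f.read())
            if score >= REPORT_THRESHOLD:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = (score, rules)
    return findings


# Constructed samples: three shells of the kinds commonly dropped on compromised
# servers plus one benign page, written into a temporary "web root" for the demo.
SAMPLES = {
    "upload/1.php": "<?php @eval($_POST['pass']); ?>",
    "upload/img.php": "<?php $f = base64_decode('c3lzdGVt'); $f($_GET['c']); ?>",
    "admin/x.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "search.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}


def demo():
    """Write the samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(src)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (score, rules) in sorted(demo().items()):
        print(f"{score:2d}  {path}  {', '.join(rules)}")
```

The second sample is why scoring is additive: neither "a decoder was called" nor "a variable was called as a function" is damning alone, but together on one file they are the shape of an obfuscated one-line shell, and the benign search page that also reads $_GET scores nothing because it never hands the input to code or a command. Files in upload directories that score at all deserve a look regardless of threshold.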

5. Preventive measures

In summary, security is a chain, not a single link, and a weakness in any link is a serious threat to the application. During development, input and output should be filtered and restricted everywhere. When third-party components are used, choose the latest versions without known vulnerabilities, update them regularly during operation and maintenance, and patch newly disclosed vulnerabilities promptly. Given the variety and flexibility of attack methods, the following measures are recommended to harden servers:

a) Regularly inspect the server's files, especially key directories such as /etc, /tmp and /usr, checking modification times and file contents to determine whether they have been tampered with;

b) Regularly check the Apache logs and the logs under /var/log for anomalies. If something abnormal is found, back the logs up promptly so that they are not overwritten; logs can also be preserved by forwarding them to a separate log server;

c) Regularly scan the server's files for webshells so that they can be found and removed early;

d) Deploy security devices at the border with sound and effective policies to block illegal requests and record the content of external requests, which makes later attack attribution easier.
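Measure a) is easier to carry out reliably with a recorded baseline than by eyeballing modification times, so the following added example (not the team's tool) shows the mechanism: hash every file under the watched directories, store the result as JSON, and later compare a fresh walk against it to list added, removed and modified files. The comparison trusts the hash, not the mtime, because an attacker with root can reset timestamps with touch. The directory tree, file contents and the tampering it simulates are constructed for the demonstration; on a real host the watched roots would be /etc, /tmp, /usr and the web root, and the baseline would be kept off the server.

```python
import hashlib
import json
import os
import tempfile


def file_record(path):
    """Hash the file and note its mtime and size; the hash is what we trust, mtime is a hint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "mtime": int(st.st_mtime), "size": st.st_size}


def build_baseline(root):
    """Return {relative path: record} for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = file_record(path)
    return baseline


def compare(baseline, current):
    """Diff two baselines. A file is 'modified' when its hash changed, whatever mtime says:
    an attacker with root can reset mtime with touch but cannot keep the old hash."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Constructed mini filesystem: baseline it, tamper with it, and report the diff.
    The baseline is stored in a separate directory, standing in for off-host storage."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/crontab", "SHELL=/bin/sh\n")
        _write(root, "tmp/session.tmp", "scratch\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)
        # Simulated tampering: a cron persistence entry, a preload library, a removed file.
        _write(root, "etc/crontab", "SHELL=/bin/sh\n* * * * * root /tmp/.x/update\n")
        _write(root, "etc/ld.so.preload", "/tmp/.x/lib.so\n")
        os.remove(os.path.join(root, "tmp", "session.tmp"))
        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report lists the changed paths only; the stored records still carry the old hash, size and mtime, so the operator can tell a patch that touched a hundred files from a single crontab edit at 3 a.m. The baseline must be regenerated after every legitimate change, otherwise the noise soon drowns the signal.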

The Tide security team was formally established in January 2019. It is a security team under New Information, devoted to research on Internet attack and defence technology. It currently brings together more than ten professional security researchers, focusing on network attack and defence, web security, mobile terminals, secure development, IoT and industrial control security, and other directions.

For more about the Tide security team, see the team's website http://www.TideSec.net or its official account.