CN110602091A - Method for realizing website updating by modifying network data packet - Google Patents
- Publication number: CN110602091A
- Application number: CN201910861575.5A
- Authority: CN (China)
- Prior art keywords: website, port, destination port, network data, data packet
- Legal status: Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention relates to a method for realizing website updating by modifying network data packets. An arbitration system changes the destination port of request packets coming from the administrator IP to the port of a high-authority process, while requests from non-administrator IPs reach the low-authority website process unchanged. When an illegal user tries to update the website by any means, the low-authority process handling that request has no permission to write to the website directory, so the illegal update cannot be executed; when the administrator tries to update the website, the high-authority process handling the request has sufficient permission to write to the website directory or the backup directory, and the update succeeds. The invention ensures that an illegal user cannot update or tamper with the website content, and improves the security of website updating.
Description
Technical Field
The invention belongs to the field of information security software, and particularly relates to a method for realizing website updating by modifying a network data packet.
Background
After a website goes live, it still needs to be updated to maintain its traffic, SEO ranking, and so on.
A website generally has a management backend protected by a user name and password, and anyone who obtains those credentials can update the website.
If the user name and password of the management backend leak for any reason, the website can be updated illegally, and the website ends up hacked.
Moreover, an attacker can plant a backdoor (webshell) in the website directory through an attack such as SQL injection, bypassing the management backend entirely, and then update the website illegally through the webshell.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a method for updating a website by modifying network data packets.
To achieve this, the technical scheme of the invention is as follows. A method for realizing website updates by modifying network data packets comprises the following steps:
Step S1: set up an arbitration system having two functions:
- capturing and modifying push network data packets: the destination port of a push packet is modified according to its source IP and destination port;
- capturing and modifying pop network data packets: the source port of a pop packet is modified according to its source port.
Step S2: configure the arbitration system:
- source IP: set to the administrator IP;
- destination port: set to the port of the low-permission process;
- new destination port: set to the port of the high-permission process.
Step S3: when an illegal user or the administrator tries to update the site, the request is sent to the arbitration system.
Step S4: when the arbitration system receives a network data packet:
- for a push packet: if the source IP equals the source IP configured in step S2 and the destination port equals the destination port configured in step S2, the destination port is changed to the new destination port configured in step S2; otherwise the destination port is left unchanged;
- for a pop packet: if the source port equals the new destination port configured in step S2, the source port is changed to the destination port configured in step S2.
In an embodiment of the invention, the high-permission processes are processes P3 and P4 and the low-permission process is process P2. P2, P3 and P4 are all website systems whose content and data are initially identical. P2 and P3 serve the same website directory; P4 serves a backup directory that is copied from the website directory. P2 runs as user U1, which has only read permission on the website directory and cannot write to it; P3 runs as user U2, which has read and write permission on the website directory; P4 runs as user U3, which has read and write permission on the backup directory. P4 writes website update operations to the backup directory, and the files are then synchronized to the website directory by file synchronization.
In one embodiment of the invention, at least one of process P3 and process P4 exists.
In an embodiment of the invention, in step S1 the arbitration system uniformly skips (does not process) network packets that do not match the modification rule.
Compared with the prior art, the invention has the following beneficial effects. The method changes the port of request packets from the administrator IP to the port of a high-authority process by means of the arbitration system, while requests from non-administrator IPs reach the low-authority website process unchanged. When an illegal user tries to update the website by any means, the low-authority process handling the request has no permission to write to the website directory, so the illegal update cannot be executed; when the administrator tries to update the website, the high-authority process handling the request has sufficient permission to write to the website directory or the backup directory, and the update succeeds. Therefore, even if the user name and password of the website management backend are leaked, the illegal user cannot forge the administrator's IP, the related request is delivered to the low-authority process, and the illegal user still cannot update or tamper with the website content, which improves the security of website updating.
Drawings
Fig. 1 is a flow chart illustrating a method for updating a website by modifying a network data packet according to the present invention.
Detailed Description
The technical scheme of the invention is explained in detail below with reference to the accompanying drawings.
As shown in Fig. 1, the method for updating a website by modifying network data packets according to the invention is implemented as follows:
(1) An arbitration system is set up with the following two functions:
1) capturing and modifying push network data packets: the destination port of a push packet is modified according to its source IP and destination port;
2) capturing and modifying pop network data packets: the source port of a pop packet is modified according to its source port;
network data packets that do not match the modification rule are uniformly skipped and not processed.
(2) The arbitration system of step (1) is configured as follows:
source IP: set to the administrator IP;
destination port: set to the port of the low-authority process (website system), for example port x of process P2;
new destination port: set to the port of the high-authority process (website system), for example port y of process P3 or port z of process P4.
(3) At some moment an illegal user or the administrator tries to update the site (the requested website and port are exactly the same in both cases), and the request reaches the arbitration system of step (1).
(4) When the arbitration system of step (1) receives a network data packet:
if it is a push packet: if the source IP equals the source IP configured in step (2) and the destination port equals the destination port configured in step (2) (for example port x of process P2), the destination port is changed to the new destination port configured in step (2) (for example port y of process P3 or port z of process P4);
if it is a pop packet: if the source port equals the new destination port configured in step (2), the source port is changed to the destination port configured in step (2).
(5) Processes P2, P3 and P4 are all website systems; the content and data of the three website systems are initially identical, and the backup directory is copied from the website directory. Specifically: processes P2 and P3 serve the same website directory; process P4 serves the backup directory; process P2 runs as user U1, which has only read permission on the website directory and cannot write to it; process P3 runs as user U2, which has read and write permission on the website directory; process P4 runs as user U3, which has read and write permission on the backup directory; process P4 writes website update operations to the backup directory, and the files are then synchronized to the website directory by file synchronization; processes P3 and P4 may exist simultaneously, or only one of them may exist.
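As an added illustration (not code from the patent), the following Python models the step (4) rewrite rules of the arbitration system together with the permission split between P2 and P3 from step (5). The IP addresses and port numbers are constructed stand-ins for the administrator IP, port x and port y; push is taken to mean client-to-website packets and pop website-to-client packets; and each process is modelled only by its listening port, user and whether that user may write the website directory.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins for the step (2) configuration; the patent only names
# them symbolically (administrator IP, port x of P2, port y of P3).
ADMIN_IP = "10.0.0.5"
SITE_IP = "192.0.2.10"
LOW_PORT = 80      # port x: process P2, user U1, read-only on the website directory
HIGH_PORT = 8080   # port y: process P3, user U2, read/write on the website directory


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "push" = client -> website host, "pop" = website host -> client


class Arbiter:
    """Port-rewriting arbitration system of steps (2) and (4) (assumed model)."""

    def __init__(self, admin_ip: str, low_port: int, high_port: int):
        self.admin_ip, self.low_port, self.high_port = admin_ip, low_port, high_port

    def handle(self, pkt: Packet) -> Packet:
        if pkt.direction == "push":
            # push rule: administrator IP aimed at port x is redirected to port y
            if pkt.src_ip == self.admin_ip and pkt.dst_port == self.low_port:
                return replace(pkt, dst_port=self.high_port)
        elif pkt.direction == "pop":
            # pop rule: replies leaving port y are rewritten to appear from port x
            if pkt.src_port == self.high_port:
                return replace(pkt, src_port=self.low_port)
        # anything that matches no rule is skipped, i.e. passed through unmodified
        return pkt


# Website processes keyed by listening port, modelled only by name, user and
# whether their user may write the website directory (step (5)).
PROCESSES = {
    LOW_PORT: {"name": "P2", "user": "U1", "can_write_site": False},
    HIGH_PORT: {"name": "P3", "user": "U2", "can_write_site": True},
}


def attempt_update(arbiter: Arbiter, client_ip: str) -> tuple:
    """Route an update request (same site and port whoever sends it) through the
    arbiter; report which process received it, whether that process may write the
    website directory, and the source port the client sees on the reply."""
    request = Packet(client_ip, 51000, SITE_IP, LOW_PORT, "push")
    routed = arbiter.handle(request)
    proc = PROCESSES[routed.dst_port]
    reply = arbiter.handle(Packet(SITE_IP, routed.dst_port, client_ip, 51000, "pop"))
    return proc["name"], proc["can_write_site"], reply.src_port


if __name__ == "__main__":
    arb = Arbiter(ADMIN_IP, LOW_PORT, HIGH_PORT)
    print("administrator:", attempt_update(arb, ADMIN_IP))              # ('P3', True, 80)
    print("leaked credentials or webshell:", attempt_update(arb, "198.51.100.7"))  # ('P2', False, 80)
```

The second call shows the patent's point: a request that is identical apart from its source IP lands on P2, whose user cannot write the website directory, while the reply rewrite keeps both clients seeing port x.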
In the invention, the port of network data packets requested from the administrator's IP is modified by the arbitration system: the port of request packets from the administrator IP is changed to the port of the high-authority process (website system), such as port y of process P3 or port z of process P4 shown in Fig. 1, while requests from non-administrator IPs reach the low-authority website process (process P2 in Fig. 1) as they are. Hence, when an illegal user tries to update the website by any means (including but not limited to a webshell), the low-authority process P2 handling the request (Fig. 1) has no authority to write to the website directory, so the illegal update cannot be performed. When the administrator tries to update the website, the high-authority process P3 or P4 handling the request has sufficient authority to write to the website directory or the backup directory, and the website is updated successfully.
Therefore, even if the user name and password of the website management backend are leaked, the illegal user cannot forge the administrator's IP, the related request is forwarded to the low-authority process, and the illegal user still cannot update or tamper with the website content, which improves the security of website updating.
The above are preferred embodiments of the invention; all changes made according to the technical scheme of the invention that produce functional effects without going beyond that technical scheme belong to the scope of protection of the invention.
Claims (4)
1. A method for realizing website updates by modifying network data packets, characterized by comprising the following steps:
step S1, setting up an arbitration system having the functions of:
capturing and modifying push network data packets: modifying the destination port of a push packet according to its source IP and destination port;
capturing and modifying pop network data packets: modifying the source port of a pop packet according to its source port;
step S2, configuring the arbitration system:
source IP: set to the administrator IP;
destination port: set to the port of a low-permission process;
new destination port: set to the port of a high-permission process;
step S3, when an illegal user or the administrator tries to update the site, the request is sent to the arbitration system;
step S4, when the arbitration system receives a network data packet:
for a push packet: if the source IP equals the source IP configured in step S2 and the destination port equals the destination port configured in step S2, the destination port is changed to the new destination port configured in step S2; otherwise the destination port is not modified;
for a pop packet: if the source port equals the new destination port configured in step S2, the source port is changed to the destination port configured in step S2.
2. The method of claim 1, wherein the high-permission processes are process P3 and process P4 and the low-permission process is process P2; processes P2, P3 and P4 are all website systems whose content and data are initially identical; processes P2 and P3 serve the same website directory; process P4 serves a backup directory copied from the website directory; process P2 runs as user U1, which has only read permission on the website directory and cannot write to it; process P3 runs as user U2, which has read and write permission on the website directory; process P4 runs as user U3, which has read and write permission on the backup directory; and process P4 writes website update operations to the backup directory, after which the files are synchronized to the website directory by file synchronization.
3. The method of claim 2, wherein at least one of process P3 and process P4 exists.
4. The method of claim 1, wherein in step S1 the arbitration system uniformly skips processing of network packets that do not conform to the modification rule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910861575.5A CN110602091A (en) | 2019-09-12 | 2019-09-12 | Method for realizing website updating by modifying network data packet |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110602091A true CN110602091A (en) | 2019-12-20 |
Family ID: 68858932
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910861575.5A Withdrawn CN110602091A (en) | 2019-09-12 | 2019-09-12 | Method for realizing website updating by modifying network data packet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110602091A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111931108A (en) * | 2020-07-31 | 2020-11-13 | 福建深空信息技术有限公司 | Safety net station updating method and system |
Events
- 2019-09-12: application CN201910861575.5A filed in CN; published as CN110602091A, status not active (withdrawn)
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20191220 |