CN110602091A - Method for realizing website updating by modifying network data packet - Google Patents

Method for realizing website updating by modifying network data packet

Info

Publication number: CN110602091A
Authority: CN (China)
Prior art keywords: website, port, destination port, network data, data packet
Legal status: Withdrawn
Application number: CN201910861575.5A
Other languages: Chinese (zh)
Inventor: 陈道恭
Current assignee: Fujian Deep Space Information Technology Co Ltd
Original assignee: Fujian Deep Space Information Technology Co Ltd
Priority date: 2019-09-12
Filing date: 2019-09-12
Publication date: 2019-12-20

Classifications

    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/20 Network architectures or network communication protocols for network security, for managing network security; network security policies in general

Abstract

The invention relates to a method for realizing website updating by modifying network data packets. An arbitration system changes the destination port of request packets coming from the administrator IP to the port of a high-privilege process, while requests from non-administrator IPs reach the low-privilege website process unchanged. When an illegal user tries to update the website by any means, the low-privilege process handling that request lacks write permission on the website directory, so the illegal update cannot be executed; when the administrator tries to update the website, the high-privilege process handling that request has sufficient permission to write the website directory or the backup directory, so the update succeeds. The invention ensures that an illegal user cannot update or tamper with the website content, improving the security of website updating.

Description

Method for realizing website updating by modifying network data packet
Technical Field
The invention belongs to the field of information security software and particularly relates to a method for realizing website updating by modifying network data packets.
Background
After a website is published, it must still be updated to maintain traffic, search engine optimization (SEO), and so on.
Generally a website has a management back end protected by a user name and password, and anyone who obtains those credentials can update the website.
If the user name and password of the management back end leak for any reason, the website is updated illegally: the situation known as "the website has been hacked".
Moreover, a hacker can implant a backdoor (webshell) in the website directory through an attack such as SQL injection, bypass the management back end entirely, and then update the website illegally through the webshell.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a method for updating a website by modifying network data packets.
To achieve this purpose, the technical scheme of the invention is as follows. A method for realizing website updating by modifying network data packets comprises the following steps:
step S1, set up an arbitration system that:
captures and modifies push (request) network data packets: modifying the destination port of the push packet according to its source IP and destination port;
captures and modifies pop (reply) network data packets: modifying the source port of the pop packet according to its source port;
step S2, configure the arbitration system:
source IP: set to the administrator IP;
destination port: set to the port of the low-privilege process;
new destination port: set to the port of the high-privilege process;
step S3, when an illegal user or the administrator tries to update the site, the request is sent to the arbitration system;
step S4, when the arbitration system receives a network data packet:
for a push packet: if the source IP equals the source IP configured in step S2 and the destination port equals the destination port configured in step S2, change the destination port to the new destination port configured in step S2; otherwise leave the destination port unmodified;
for a pop packet: if the source port equals the new destination port configured in step S2, change the source port to the destination port configured in step S2.
In an embodiment of the invention, the high-privilege processes are processes P3 and P4 and the low-privilege process is process P2. Processes P2, P3 and P4 are all website systems whose content and data are initially identical. Processes P2 and P3 serve the same website directory; process P4 serves the backup directory, which is a copy of the website directory. Process P2 runs as user U1, which has only read permission on the website directory and cannot write to it; process P3 runs as user U2, which has read and write permission on the website directory; process P4 runs as user U3, which has read and write permission on the backup directory. Process P4 writes website updates to the backup directory, and the changes are then propagated to the website directory by file synchronization.
In one embodiment of the invention, at least one of process P3 and process P4 exists.
In an embodiment of the invention, in step S1 the arbitration system skips, without processing, any network packet that does not match the modification rule.
Compared with the prior art, the invention has the following beneficial effects. The invention provides a method for realizing website updating by modifying network data packets: through an arbitration system, the destination port of request packets from the administrator IP is changed to the port of a high-privilege process, while requests from non-administrator IPs reach the low-privilege website process intact. When an illegal user tries to update the website by any means, the low-privilege process handling that request lacks permission to write the website directory, and the illegal update cannot be executed; when the administrator tries to update the website, the high-privilege process handling that request has sufficient permission to write the website directory or the backup directory, and the update succeeds. Therefore, even if the user name and password of the website management back end leak, the illegal user cannot forge the administrator's IP, the related request is sent to the low-privilege process, and the illegal user still cannot update or tamper with the website content, which improves the security of website updating.
Drawings
Fig. 1 is a flow chart of the method for updating a website by modifying network data packets according to the invention.
Detailed Description
The technical scheme of the invention is explained below with reference to the accompanying drawing.
As shown in fig. 1, the method for updating a website by modifying network data packets according to the invention is implemented as follows:
(1) An arbitration system is set up with the following two functions:
1) capturing and modifying push (request) network data packets: modifying the destination port of the push packet according to its source IP and destination port;
2) capturing and modifying pop (reply) network data packets: modifying the source port of the pop packet according to its source port;
and network data packets that do not match the modification rule are skipped without processing.
(2) The arbitration system of step (1) is configured:
source IP: set to the administrator IP;
destination port: set to the port of the low-privilege process (website system), for example port x of process P2;
new destination port: set to the port of the high-privilege process (website system), for example port y of process P3 or port z of process P4.
(3) At some moment an illegal user or the administrator tries to update the site (the requested website and port are identical in both cases), and the request reaches the arbitration system of step (1).
(4) When the arbitration system of step (1) receives a network data packet:
if the packet is a push packet: if its source IP equals the source IP configured in step (2) and its destination port equals the destination port configured in step (2) (for example port x of process P2), the destination port is changed to the new destination port configured in step (2) (for example port y of process P3 or port z of process P4).
If the packet is a pop packet: if its source port equals the new destination port configured in step (2), the source port is changed to the destination port configured in step (2).
(5) Processes P2, P3 and P4 are all website systems; the content and data of the three website systems are initially identical, and the backup directory is a copy of the website directory. In particular: processes P2 and P3 serve the same website directory; process P4 serves the backup directory; process P2 runs as user U1, which has only read permission on the website directory and cannot write to it; process P3 runs as user U2, which has read and write permission on the website directory; process P4 runs as user U3, which has read and write permission on the backup directory; process P4 writes website updates to the backup directory, and the changes are then propagated to the website directory by file synchronization. Processes P3 and P4 may exist simultaneously, or only one of them may exist.
In the invention, the arbitration system modifies the port of network packets requested from the administrator IP: the destination port of request packets from the administrator IP is changed to the port of the high-privilege process (website system), such as port y of process P3 or port z of process P4 in fig. 1, whereas requests from non-administrator IPs reach the low-privilege website process (such as process P2 in fig. 1) unchanged. So when an illegal user tries to update the website by any means (including but not limited to a webshell), the low-privilege process P2 that handles the request lacks permission to write the website directory, and the illegal update cannot be performed. When the administrator tries to update the website, the high-privilege process P3 or P4 that handles the request has sufficient permission to write the website directory or the backup directory, and the update succeeds.
Therefore, even if the user name and password of the website management back end leak, the illegal user cannot forge the administrator's IP, the related request is forwarded to the low-privilege process, and the illegal user still cannot update or tamper with the website content, which improves the security of website updating.
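The arbitration rules of steps (1) to (5) simulated in Python, as an added example that is not part of the patent: the administrator IP, the site address, port x (8080) and port y (8081) are constructed values, and the process/user table mirrors the P2/P3 description above.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed configuration mirroring step (2): administrator IP, port x of the
# low-privilege process P2 and port y of the high-privilege process P3.
ADMIN_IP = "10.0.0.5"   # constructed example address
LOW_PORT = 8080         # port x, process P2 (user U1, read-only on the site dir)
HIGH_PORT = 8081        # port y, process P3 (user U2, read/write on the site dir)

# Which website process listens on which port, and whether its user may write
# the website directory (step (5)). Format: port -> (process, user, writable).
PROCESS_BY_PORT = {
    LOW_PORT: ("P2", "U1", False),
    HIGH_PORT: ("P3", "U2", True),
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def arbitrate_push(pkt: Packet) -> Packet:
    """Step (4), push direction: only (admin IP, port x) is redirected to port y.
    Every other packet is skipped unchanged, as the rule for non-matching packets says."""
    if pkt.src_ip == ADMIN_IP and pkt.dst_port == LOW_PORT:
        return replace(pkt, dst_port=HIGH_PORT)
    return pkt


def arbitrate_pop(pkt: Packet) -> Packet:
    """Step (4), pop direction: a reply leaving port y is rewritten to port x,
    so the client sees the port it originally connected to."""
    if pkt.src_port == HIGH_PORT:
        return replace(pkt, src_port=LOW_PORT)
    return pkt


def handle_update_request(pkt: Packet) -> tuple[str, bool]:
    """Deliver a request through the arbitration system and report
    (process that receives it, whether a write to the website directory succeeds)."""
    delivered = arbitrate_push(pkt)
    name, _user, writable = PROCESS_BY_PORT.get(delivered.dst_port, ("none", "none", False))
    return name, writable


def reply_for(request: Packet) -> Packet:
    """Build the server's reply to a request and pass it through the pop rule."""
    delivered = arbitrate_push(request)
    raw_reply = Packet(delivered.dst_ip, delivered.dst_port, delivered.src_ip, delivered.src_port)
    return arbitrate_pop(raw_reply)


if __name__ == "__main__":
    site = "192.0.2.10"  # constructed site address
    admin = Packet(ADMIN_IP, 51000, site, LOW_PORT)
    intruder = Packet("203.0.113.7", 51001, site, LOW_PORT)  # holds leaked credentials
    print(handle_update_request(admin))     # ('P3', True)
    print(handle_update_request(intruder))  # ('P2', False)
    print(reply_for(admin).src_port)        # 8080
```

Both requests target the same website and port, as step (3) describes; only the source IP decides which process, and therefore which file-system permission, the request lands on.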
The above are preferred embodiments of the invention; all changes made according to the technical scheme of the invention that produce equivalent functional effects without exceeding that scheme fall within the protection scope of the invention.

Claims (4)

1. A method for realizing website updating by modifying network data packets, characterized by comprising the following steps:
step S1, set up an arbitration system that:
captures and modifies push network data packets: modifying the destination port of the push packet according to its source IP and destination port;
captures and modifies pop network data packets: modifying the source port of the pop packet according to its source port;
step S2, configure the arbitration system:
source IP: set to the administrator IP;
destination port: set to the port of the low-privilege process;
new destination port: set to the port of the high-privilege process;
step S3, when an illegal user or the administrator tries to update the site, the request is sent to the arbitration system;
step S4, when the arbitration system receives a network data packet:
for a push packet: if the source IP equals the source IP configured in step S2 and the destination port equals the destination port configured in step S2, change the destination port to the new destination port configured in step S2; otherwise leave the destination port unmodified;
for a pop packet: if the source port equals the new destination port configured in step S2, change the source port to the destination port configured in step S2.
2. The method as claimed in claim 1, wherein the high-privilege processes are process P3 and process P4 and the low-privilege process is process P2; processes P2, P3 and P4 are all website systems whose content and data are initially identical; processes P2 and P3 serve the same website directory; process P4 serves the backup directory, which is a copy of the website directory; process P2 runs as user U1, which has only read permission on the website directory and cannot write to it; process P3 runs as user U2, which has read and write permission on the website directory; process P4 runs as user U3, which has read and write permission on the backup directory; process P4 writes website updates to the backup directory, and the changes are then propagated to the website directory by file synchronization.
3. The method of claim 2, wherein at least one of process P3 and process P4 exists.
4. The method of claim 1, wherein in step S1 the arbitration system skips, without processing, any network packet that does not match the modification rule.

Priority Applications (1)

Application number: CN201910861575.5A
Priority date: 2019-09-12
Filing date: 2019-09-12
Title: Method for realizing website updating by modifying network data packet

Publications (1)

Publication number: CN110602091A (en)
Publication date: 2019-12-20

Family

ID=68858932

Country Status (1)

CN (1): CN110602091A (en), Withdrawn

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number: CN111931108A (en) *
Priority date: 2020-07-31
Publication date: 2020-11-13
Assignee: Fujian Deep Space Information Technology Co Ltd
Title: Secure website updating method and system


Legal Events

Code: PB01, Publication
Code: SE01, Entry into force of request for substantive examination
Code: WW01, Invention patent application withdrawn after publication (application publication date: 20191220)