look:本文寫(xiě)給想在win2k平臺(tái)上架設(shè)一個(gè)安全web站臺(tái)的朋友們。 所需要的程序: apache http://www.apache.org/dist/httpd/binaries/win32/ 我們選用apache_1.3.28-win32-x86-no_src.msi,或者apache_2.0.47-win32-x86-no_ssl.msi 都可以,勿使用低版本的程序,它們有缺陷,很容易遭到internet上的攻擊 php http://cn2.php.net/get/php-4.3.3-Win32.zip/from/a/mirror php-4.3.3 mysql http://www.mysql.com/get/Downloa ... 5-win.zip/from/pick mysql-4.0.15 注:低于這個(gè)版本的mysql,有缺陷,勿使用 ZendOptimizer-2[1].1.0a-Windows-i386.exe php的優(yōu)化器,支持加密php腳本 MySQL-Front 一個(gè)運(yùn)行于ms平臺(tái)的gui的mysql的管理器,非常好用 phpMyAdmin-2.5.0-php.zip 基于php腳本的mysql管理器 phpencode.exe php加密編譯器 install~ 1.安裝apache 由于安裝很簡(jiǎn)單,pass~!,只是要注意的是,請(qǐng)勿安裝到系統(tǒng)分區(qū)上 因?yàn)檫@樣,無(wú)論從備份,維護(hù),災(zāi)難性恢復(fù)上,都是有優(yōu)勢(shì)的. 假設(shè)安裝到了d:// 2.安裝php 具體安裝過(guò)程請(qǐng)參考php目錄里的install.txt 需要注意的是,請(qǐng)勿使用cgi方式 以下為引用資料 ------------------------------------------------------------------ Title 17/2/2002 PHP for Windows Arbitrary Files Execution (GIF, MP3) Summary Through PHP.EXE, an attacker can cause PHP to interpret any file as a PHP file, even if its extensions are not PHP. This would enable the remote attacker to execute arbitrary commands, leading to a system compromise. Details Vulnerable systems: PHP version 4.1.1 under Windows PHP version 4.0.4 under Windows An attacker can upload innocent looking files (with mp3, txt or gif extensions) through any uploading systems such as WebExplorer (or any other PHP program that has uploading capabilities), and then request PHP to execute it. Example: After uploading a file a /"gif/" extension (in our example huh.gif) that contains PHP code such as: #------------ <? phpinfo(); ?> #------------ An attacker can type the following address to get in to cause the PHP file to be executed: http://www.example.com/php/php.exe/UPLOAD_DIRECTORY/huh.gif Notice: php/php.exe is included in the URL. Additional information The information has been provided by CompuMe and RootExtractor. ps:大部分版本都有這個(gè)毛病.包括一些最新版本,所以請(qǐng)不要以cgi安裝!切記... 3.安裝mysql 安裝到d://,也很簡(jiǎn)單,具體過(guò)程pass. 只是mysql安裝后的默認(rèn)設(shè)置實(shí)在讓人擔(dān)心 以下引用我原來(lái)的文章 ----------------------------------------------------------------------------------- 2002/12/21 寫(xiě)在前面:無(wú)事可做,生命被消耗,痛~~~啊,所以就寫(xiě)了,本文no原創(chuàng),整理而成! 默認(rèn)安裝的mysql服務(wù)不安全因素涉及的內(nèi)容有: 一.mysql默認(rèn)的授權(quán)表 二.缺乏日志能力 三.my.ini文件泄露口令 四.服務(wù)默認(rèn)被綁定全部的網(wǎng)絡(luò)接口上 五.默認(rèn)安裝路徑下的mysql目錄權(quán)限 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 一.mysql默認(rèn)的授權(quán)表 由于mysql對(duì)身份驗(yàn)證是基于mysql這個(gè)數(shù)據(jù)庫(kù)的,也叫授權(quán)表。所有的權(quán)限設(shè)置都在這里了。 我們只討論最為重要的一個(gè)表 user表。它控制的是接受或拒絕連接。
