Articles in category: Work-related

Method: add a web.xml parameter

Add inside the servlet entry:

<init-param>
  <param-name>useFileMappedBuffer</param-name>
  <param-value>false</param-value>
</init-param>

Method: add it in jetty.xml

<init-param>
  <param-name>useFileMappedBuffer</param-name>
  <param-value>false</param-value>
</init-param>

The two methods target different Jetty run modes.

Preface

Some of the cyber weapons used by the NSA-affiliated "Equation Group" (shadow brokers) have been made public, among them exploit tools that can remotely compromise roughly 70% of Windows machines worldwide.
Ten of these tools most readily affect Windows home users: EternalBlue, EternalChampion, EternalRomance, EternalSynergy, EmeraldThread, ErraticGopher, EskimoRoll, EducatedScholar, EclipsedWing and EsteemAudit. No user action is needed; a machine only has to be online to be compromised, and like the well-known Blaster and Sasser worms these can sweep across the Internet in an instant.


Body

This article is a brief analysis of an EternalBlue infection encountered recently. The sample encountered here is a variant: its author embedded a cryptocurrency miner in the malware and spread it that way. Because of the scale of the impact we did not go on to identify which cryptocurrency was being mined.

  • Symptoms:
    It uses the idle CPU of personal computers and Windows servers for large amounts of mining computation. Tracing showed some processes had created 3822+ threads and held 300+ external connections, which made other normal programs slow to open or freeze.
  • Details:

    1. The svchost.exe process is started abnormally.
    2. It launches the malware process TrustedHostServices.exe.
    3. Impostor process: spooler.exe (same name as the system's built-in print spooler process).
  • Infected locations:

    1. Creates SecureBootThemes in the system directory C:\Windows.
    2. Creates SecureBootThemes in the core system directory C:\Windows\System32.
    3. Drops the following files into the core system directory C:\Windows\System32:
      MsraReportDataCache32.tlb, tpmagentservice.dll, TrustedHostServices.exe
    4. Registers the system service tpmagentservice.
  • Propagation path: targeted scanning of common internal-network ports such as 135 and 445; it connects to the Internet automatically to download the latest malware package and self-updates.
  • Remedy: kill the processes, delete the service, remove the directories, close the vulnerable ports, and install Windows updates (via Kingsoft Guard, 360 Guard or other anti-virus software).
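As an added read-only triage script (not part of the original post), the following PowerShell checks a host for the indicators listed above: the dropped files and directories, the tpmagentservice service, the TrustedHostServices.exe process, a spoolsv.exe running from anywhere other than System32, and the thread and connection fan-out described. The 1000-thread and 100-connection thresholds are assumptions derived from the counts above; the script only reports and changes nothing, so it can be run before the cleanup batch.

```powershell
# Added read-only triage script (not from the original post). It checks a host for the
# indicators described above and prints findings; it does not kill, delete or change anything.
# Assumptions: run as Administrator in PowerShell 3 or later; thresholds are constructed
# from the thread/connection counts mentioned in the post.
$sys32 = "$env:SystemRoot\System32"
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files and staging directories named in the post
$paths = @(
    "$sys32\MsraReportDataCache32.tlb",
    "$sys32\tpmagentservice.dll",
    "$sys32\TrustedHostServices.exe",
    "$env:SystemRoot\SecureBootThemes",
    "$sys32\SecureBootThemes"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("artifact present: $p") }
}

# 2. The registered service; PathName shows which binary it launches
$svc = Get-CimInstance Win32_Service -Filter "Name='tpmagentservice'"
if ($svc) { $findings.Add("service registered: $($svc.Name) -> $($svc.PathName)") }

# 3. The dropper process and the fake spooler: a genuine spoolsv.exe only lives in System32
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.ProcessName
    $path = $_.Path   # $null for protected/system processes we cannot open
    if ($name -ieq 'TrustedHostServices') {
        $findings.Add("malicious process running: PID $($_.Id) $path")
    } elseif ($name -ieq 'spoolsv' -and $path -and $path -ine "$sys32\spoolsv.exe") {
        $findings.Add("spoolsv.exe impostor: PID $($_.Id) $path")
    }
    # Mining/scanning behaviour from the post: thousands of threads in one process
    if ($_.Threads.Count -ge 1000) {
        $findings.Add("thread count $($_.Threads.Count) in PID $($_.Id) ($name)")
    }
}

# 4. Outbound connection fan-out (post reports 300+); Get-NetTCPConnection needs Win8/2012+
$byPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object OwningProcess | Where-Object { $_.Count -ge 100 }
foreach ($g in $byPid) {
    $findings.Add("$($g.Count) established connections from PID $($g.Name)")
}

if ($findings.Count -eq 0) { 'no indicators found' } else { $findings }
```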

Here is a combined batch tool; additions and corrections are welcome:


@echo off &&title 正在杀毒中. 批处理需要右键,管理员权限运行,否则出错  By NXQ&&    color 1f
rem Stop and disable the print spooler so the impostor cannot hide behind it,
rem then stop and delete the service the malware registered.
echo “正在停止打印机服务”
sc stop spooler
sc config spooler start= disabled
sc stop tpmagentservice
sc delete tpmagentservice

rem Kill the dropper if it is running (find sets ERRORLEVEL 0 when the name matches).
rem ntsd is not shipped with Vista and later; taskkill /F /IM TrustedHostServices.exe is the equivalent there.
tasklist /nh| find "TrustedHostServices.exe" 2>NUL
if "%ERRORLEVEL%"=="1" (echo no)
if "%ERRORLEVEL%"=="0" (ntsd -c q -pn TrustedHostServices.exe)

rem Remove the dropped files and the staging directories.
taskkill /F /im spoolsv.exe
DEL /F /Q /S C:\Windows\System32\MsraReportDataCache32.tlb
DEL /F /Q /S C:\Windows\System32\tpmagentservice.dll
DEL /F /Q /S C:\Windows\System32\TrustedHostServices.exe
rem Backslash is the escape character in WQL, so it must be doubled inside the LIKE pattern.
wmic process where "ExecutablePath like 'C:\\Windows\\SecureBootThemes\\Microsoft\\%%'" call Terminate
DEL /F /Q /S C:\Windows\SecureBootThemes\Microsoft\spoolsv.exe
rem DEL /S deletes the files under these directories; the empty directories themselves remain.
DEL /F /Q /S C:\Windows\SecureBootThemes
DEL /F /Q /S C:\Windows\System32\SecureBootThemes

@echo off
color 1f
title 您正在使用一键屏蔽危险端口和服务
echo 您正在使用一键屏蔽危险端口和服务
echo "正在帮您关闭这些危险端口,请稍等"
rem Make sure Windows Firewall (MpsSvc) is running, set to auto-start and enabled on all profiles.
echo “正在开启Windows防火墙服务”
net start MpsSvc
echo ”正在帮您开启Windows防火墙自启动“
sc config MpsSvc start= auto
echo ”正在启用防火墙“
netsh advfirewall set allprofiles state on
echo "正在帮您屏蔽端口...."
echo.
echo.
echo.
rem Inbound block rules for the ports the worm scans (135, 137-139, 445). Each rule is
rem deleted before it is added so that re-running the script does not create duplicates.
echo 正在屏蔽135端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 135 - TCP"
netsh advfirewall firewall add rule name = "Disable port 135 - TCP" dir = in action = block protocol = TCP localport = 135
echo.
netsh advfirewall firewall delete rule name = "Disable port 135 - UDP"
netsh advfirewall firewall add rule name = "Disable port 135 - UDP" dir = in action = block protocol = UDP localport = 135
echo.
echo 正在屏蔽137端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 137 - TCP"
netsh advfirewall firewall add rule name = "Disable port 137 - TCP" dir = in action = block protocol = TCP localport = 137
echo.
netsh advfirewall firewall delete rule name = "Disable port 137 - UDP"
netsh advfirewall firewall add rule name = "Disable port 137 - UDP" dir = in action = block protocol = UDP localport = 137
echo.
echo 正在屏蔽138端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 138 - TCP"
netsh advfirewall firewall add rule name = "Disable port 138 - TCP" dir = in action = block protocol = TCP localport = 138
echo.
netsh advfirewall firewall delete rule name = "Disable port 138 - UDP"
netsh advfirewall firewall add rule name = "Disable port 138 - UDP" dir = in action = block protocol = UDP localport = 138
echo.
echo 正在屏蔽139端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 139 - TCP"
netsh advfirewall firewall add rule name = "Disable port 139 - TCP" dir = in action = block protocol = TCP localport = 139
echo.
netsh advfirewall firewall delete rule name = "Disable port 139 - UDP"
netsh advfirewall firewall add rule name = "Disable port 139 - UDP" dir = in action = block protocol = UDP localport = 139
echo.
echo 正在关闭445端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 445 - TCP"
netsh advfirewall firewall add rule name = "Disable port 445 - TCP" dir = in action = block protocol = TCP localport = 445
echo.
netsh advfirewall firewall delete rule name = "Disable port 445 - UDP"
netsh advfirewall firewall add rule name = "Disable port 445 - UDP" dir = in action = block protocol = UDP localport = 445
echo.
echo "危险端口已经用Windows防火墙屏蔽成功"
echo.
rem Stop and disable the SMB/NetBIOS/DCOM related services the worm relies on.
echo ----------------
echo “正在关闭Workstation(LanmanWorkstation)服务”
sc stop LanmanWorkstation
sc config LanmanWorkstation start= disabled
echo.
echo ----------------
echo “正在关闭Server(LanmanServer)服务”
sc stop LanmanServer
sc config LanmanServer start= disabled
echo.
echo ----------------
echo “正在关闭TCP/IP NetBIOS Helper(lmhosts)共享服务”
sc stop lmhosts
sc config lmhosts start= disabled
echo.
echo ----------------
echo “正在关闭Distributed Transaction Coordinator(MSDTC)共享服务”
sc stop MSDTC
sc config MSDTC start= disabled
echo.
echo ----------------
echo “正在关闭NetBT服务”
sc stop NetBT
sc config NetBT start= disabled
echo.
echo ----------------
rem Disable SMB over NetBT and DCOM in the registry (takes effect after a reboot).
reg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v "SMBDeviceEnabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc" /v "DCOM Protocols" /t REG_MULTI_SZ /d "" /f
echo.
echo ----------------
echo "恭喜您,危险端口已经关闭,请重新启动电脑后用netstat -an查看本地端口"
echo 按任意键退出
pause>nul

Patch list

Vulnerability       Fix
EternalBlue         fixed by MS17-010
EmeraldThread       fixed by MS10-061
EternalChampion     fixed by CVE-2017-0146 and CVE-2017-0147
ErraticGopher       fixed before Windows Vista was released
EskimoRoll          fixed by MS14-068
EternalRomance      fixed by MS17-010
EducatedScholar     fixed by MS09-050
EternalSynergy      fixed by MS17-010
EclipsedWing        fixed by MS08-067

On Ajaxian I came across a precise detection method: calling toString() across the prototype chain, i.e. Object.prototype.toString(). It solves the cross-frame problem described above. When Object.prototype.toString.call(o) runs, the following steps are performed: 1) get the internal class of object o; 2) build the string "[object " + result of (1) + "]"; 3) return the result of (2). For example:

Object.prototype.toString.call([]); // returns "[object Array]"
Object.prototype.toString.call(/reg/ig); // returns "[object RegExp]"
