[Plugin] Ransomware Protection - Deprecated


  • Author

You will always be able to delete via MC as that's direct access rather than SMB.  What you're describing is read-only access to the shares.  Just go to the plugin page and a popup will ask if you want to restore SMB permissions.

There is no real way to distinguish how or what caused the trip.  A docker container deleting the bait is the same as doing it from the command line is the same as doing it over SMB.

 

Prior to v2016.11.11, there was an implementation error (read that as I didn't consider all possibilities) where once the program tripped, a subsequent trip (the subsequent trip wouldn't happen via SMB, but either from the command line, docker app, etc.) would then trash the backup copies of the share configs.

 

This double trip situation basically resulted in the backup copies of the share configs being overwritten by the read-only settings, so attempting to restore the normal access would just restore a backup of the read-only settings so you're back where you started.

 

After 2016.11.11, a check is made to see if the backup copies exist prior to overwriting them, and if they do, then the copy is skipped.

 

Since this has been going on for ~a week, the time frame is about right for when the issue started vs when it was fixed.

 

The only solution at this point is to click the button to restore normal permissions (which won't do anything obvious, but it will get the program back in a state that you can work with) - from your posted pic it already is in normal mode - and then change the share permissions back manually to what they should be.

 

 

Ultimately, I don't advise tossing bait files into every folder, as the chances for innocent trips skyrocket - Just use root of all shares and use the bait shares option.

 

Also, any shares which are manipulated by other apps (eg: Downloads) should always be excluded as the programs running have no concept that this plugin is monitoring the files within.
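The bait/trip/restore cycle described in the post above, modelled as an added example that is not part of the original post and not the plugin's own code. Everything in it is a constructed assumption: the share names, the exclude list, the bait file name, a one-key share config file, and a temp directory standing in for /mnt/user and /boot/config/shares. The `trip` function takes a flag so the same script shows both the pre-2016.11.11 behaviour (backup overwritten on every trip) and the fix (copy skipped when a backup already exists).

```shell
#!/bin/sh
# Added example, not the plugin's code: a toy model of the bait/trip/restore
# cycle. The share list, the exclude list, the bait file name, a one-key share
# config file and a temp dir standing in for /mnt/user and /boot/config/shares
# are all constructed assumptions.

ROOT="${ROOT:-$(mktemp -d)}"
SHARES="Media Photos Downloads"   # constructed share list
EXCLUDE="Downloads"               # written to by other apps: no bait, never locked
BAIT="bait.txt"                   # constructed bait file name

is_excluded() {                   # usage: is_excluded <share>
    for x in $EXCLUDE; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# Create the shares with a "public" config and bait in each share root only
# (not in sub folders), skipping excluded shares.
setup() {
    rm -rf "$ROOT"
    mkdir -p "$ROOT/cfg"
    for s in $SHARES; do
        mkdir -p "$ROOT/user/$s/sub"
        printf 'shareSecurity="public"\n' > "$ROOT/cfg/$s.cfg"
        is_excluded "$s" || printf 'do not touch\n' > "$ROOT/user/$s/$BAIT"
    done
}

# Print the non-excluded shares whose bait is missing; exit 1 if any tripped.
# Whatever removed the bait (SMB client, container, shell) looks the same here.
check_bait() {
    tripped=""
    for s in $SHARES; do
        is_excluded "$s" && continue
        [ -e "$ROOT/user/$s/$BAIT" ] || tripped="$tripped $s"
    done
    [ -z "$tripped" ] && return 0
    echo "${tripped# }"
    return 1
}

# Lock every monitored share: back up its config, then write the read-only
# setting. "trip 0" models the pre-2016.11.11 code, which always overwrote the
# backup, so a second trip saved the locked config as the "normal" one.
# "trip 1" models the fix: the copy is skipped when a backup already exists.
trip() {                          # usage: trip <keep_existing_backup:0|1>
    for s in $SHARES; do
        is_excluded "$s" && continue
        if [ "$1" = 0 ] || [ ! -e "$ROOT/cfg/$s.cfg.bak" ]; then
            cp "$ROOT/cfg/$s.cfg" "$ROOT/cfg/$s.cfg.bak"
        fi
        printf 'shareSecurity="secure"\n' > "$ROOT/cfg/$s.cfg"
    done
}

# The "restore SMB permissions" button: put every backup back in place.
restore() {
    for s in $SHARES; do
        [ -e "$ROOT/cfg/$s.cfg.bak" ] && mv "$ROOT/cfg/$s.cfg.bak" "$ROOT/cfg/$s.cfg"
    done
    return 0
}

security_of() {                   # usage: security_of <share>  -> public|secure
    sed -n 's/^shareSecurity="\(.*\)"$/\1/p' "$ROOT/cfg/$1.cfg"
}

# Bait deleted from the shell, trip, second trip, restore; prints the Media
# share's security mode afterwards. Pass 0 for the old code, 1 for the fix.
double_trip() {
    setup
    rm "$ROOT/user/Media/$BAIT"
    check_bait >/dev/null || { trip "$1"; trip "$1"; }
    restore
    security_of Media
}

echo "old code after double trip:   $(double_trip 0)"   # secure (restore put the lock back)
echo "fixed code after double trip: $(double_trip 1)"   # public
rm -rf "$ROOT"
```

The excluded share never gets bait and is never locked, which is the point of keeping shares that other apps write to (Downloads, backup targets) out of the monitored set: a legitimate cleanup there cannot cause a trip, and a real trip elsewhere does not touch it.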

 

 

 


  • Author

If the share does not state Read-only mode, then it's probably a permissions issue within the Downloads folder.  I've been plagued by it recently on ~50% of my DLs via NZBGet for some reason.

 

I just do

newperms /mnt/user/Downloads

to fix it up.

 

  • Author

Is that what you are after my good person? :)

 

There is no attack history present.  Did you delete the attack log?  Did you uninstall and reinstall the plugin hoping that would fix it?

 

Also post a screen shot of the shares tab

Well, I uninstalled the Ransomware plugin after the initial trip and clicking of restore permissions, then reinstalled the plugin.

 

Here is a screenshot of my shares tab

 

If the share does not state Read-only mode, then it's probably a permissions issue within the Downloads folder.  I've been plagued by it recently on ~50% of my DLs via NZBGet for some reason.

 

I just do

newperms /mnt/user/Downloads

to fix it up.

 

I tried running this via ssh but it doesn't seem to help.

 

 

Is that what you are after my good person? :)

 

There is no attack history present.  Did you delete the attack log?  Did you uninstall and reinstall the plugin hoping that would fix it?

 

Also post a screen shot of the shares tab

 

I think I uninstalled it with that hope then thought it over and decided it might be a plugin that is better to have installed than not so I reinstalled it and set it to put bait files only in root which seems to be working fine so far other than my boo boo from the initial install and setting it to put squid files in all directories without realizing what I was doing.  Thank you very much for your help by the way!!

  • Author


 

I tried running this via ssh but it doesn't seem to help.

 

Possible bug.  Gotta wait a few hours before I can check it out.  Everything's restored itself back to read-write, with the exception of the disk shares. 

 

If you access the appdata share via the share instead of first navigating to the cache drive over the network you should be ok.  But you're going to have to manually reset the disk share permissions for each of the disks.  No real way around it  :(

  • Author


 

I think I uninstalled it with that hope then thought it over and decided it might be a plugin that is better to have installed than not so I reinstalled it and set it to put bait files only in root which seems to be working fine so far other than my boo boo from the initial install and setting it to put squid files in all directories without realizing what I was doing.  Thank you very much for your help by the way!!

The uninstall thing is something that I spent some time going over in my head about what to do.  Did I want to restore normal permissions or leave it in the tripped state?

 

I ultimately decided that due to the nature of the plugin to leave it in the tripped state so that someone wouldn't merely uninstall the plugin in case of a legitimate attack and didn't understand what was going on.

 

Unfortunately, what that means is that in the case of a reinstall without first fixing those share settings, the plugin assumes that what is set is what it's supposed to be.  I'll change the uninstall routine to restore the permissions.


 

That makes complete sense in the event of a real attack and this is totally my fault for being an idiot obviously lol.

 

I don't mind restoring the share permissions for each disk but I am unsure how to go about doing so.  I am a linux newb and always flying by the seat of my pants when it comes to these unraid bugs that I cause myself which forces me to learn some new linux ;)

  • Author

... this is totally my fault for being an idiot obviously lol.

Due to the amount of times that I have to cause trips during development, my wife has now threatened me with divorce if I do any development on this plugin while she's still awake  :o

 

I don't mind restoring the share permissions for each disk but I am unsure how to go about doing so.  I am a linux newb and always flying by the seat of my pants when it comes to these unraid bugs that I cause myself which forces me to learn some new linux ;)

In the webGUI, go to Shares, Disk Shares, click on each disk in turn and change the settings to whatever they were (or you think they were).  If you don't remember ever changing them in the first place, then they were probably set to public (RP sets them to secure if they were previously public).  Also delete the comment line so that it's easy to see when RP changes it.


 

I've set everything back to public as I had never changed them from their original defaults.  How do I delete the comment line?

 


 

I figured it out!!

Found a bug - when you use 'delete all backups' from CA backup it deletes the bait files as well, triggering an attack alert

  • Author


You are correct.  RP is placing bait files within the root of the backup share when in fact it shouldn't be (but it doesn't traverse any sub folders within that which is correct).  Will fix later today

Also clashing with Fix Common Problems:

 

 

The following directories exist with similar names, only differing by the 'case' which will play havoc with Windows / SMB access. Windows does NOT support folder names only differing by their case and strange results will happen should you attempt to manipulate the folders or files

/mnt/user/Zonejunk-around/able_wife/within_place_were/there_dreadful/comfortable_ring_coach/looked_they/outside_over/coming_faint/there
/mnt/user/Zonejunk-around/able_wife/within_place_were/there_dreadful/comfortable_ring_coach/looked_they/outside_over/coming_faint/There
/mnt/user/Zonejunk-around/wakened_that_where/gleaming_place/Huns_sign/amongst_shaggy/stuffed_wife_grew/however_smiled/drew_most_with/door_them_dish/made_companions/passed_come/with
/mnt/user/Zonejunk-around/wakened_that_where/gleaming_place/Huns_sign/amongst_shaggy/stuffed_wife_grew/however_smiled/drew_most_with/door_them_dish/made_companions/passed_come/With
/mnt/user/Zonejunk-blessing/looking_they_crazy/reared_dish_other/darkness_cart_Carpathians/leaves_darkness_leather/they
/mnt/user/Zonejunk-blessing/looking_they_crazy/reared_dish_other/darkness_cart_Carpathians/leaves_darkness_leather/They

  • Author


Ah luck of the draw on the names it chose

 


 

 

Hi to all,

 

man, what great piece of software. Thanks a lot!

 

But, maybe someone could help me. I installed the plugin to both of my servers. Backup-machine worked absolutely smooth. Main machine as well.

 

One issue, which may not be related to the installation of the plug-in.  I tried to reach my server using its IP. Usual for me, I'm always using the IP. But the server is unreachable. If I use its name, tadaa, the server shows me its shares in Windows Explorer.

 

Any ideas are welcome.

 

Thanks a lot!

 

UPDATE: this occurred for the first time after installation of the plug-in. I uninstalled it hoping that might fix the issue, but it didn't.

 

Greetings from Germany!

heisenberg-diagnostics-20161129-1356.zip

I would carefully check that the IP address has not changed.    The current IP address is displayed at the top right of the GUI.

Thanks a lot itimpi,

 

I've just checked the current IP and it is still 192.168.10.100 as it was before.

 

GUI is reached via IP without any problems, so I think it might be related to SMB or somewhat.

 

Thanks again!

 

bjoern

GUI is reached via IP without any problems

This seems to be the opposite of what you said before:

I tried to reach my server using its IP. Usual for me, I´m always using the IP. But the server ist unreachable. Do I use its name, tadaa, server shows me its shares in windows explorer.

Which is it?

trurl, I am very sorry if I told bull...!

 

The problem exists only when I try to access my share via Windows Explorer.

 

There was no problem reaching the GUI. I can easily type in the IP in Firefox and it shows my GUI.

 

But, let's say I try right click and make a new shortcut in Windows. Typing \\192.168.10.100 and it says the address doesn't exist.

 

But, if I type \\Heisenberg everything works well and the shares on Heisenberg are showing. IP is checked and correct.

 

I didn't want to cause any confusion. Sorry for that.

 

 

  • Author

 

UPDATE: this occurred for the first time after installation of the plug-in. I uninstalled it hoping that might fix the issue, but it didn't.

 

Problem will have absolutely nothing to do with installation of this plugin.

I was a little afraid of this answer. Was my last hope.

 

Thanks a lot squid.

I am having trouble loading the GUI.  When I go to the plugins section and select ransomware, the URL is /tower/Settings/ransomware; the unraid banner loads but nothing else.

I am trying to delete a user share and wanted to disable it from that share beforehand.

Am I missing something?

  • Author


Not sure.  Can you get to it from the Settings (User Utilities) tab?

 
