Gog, posted December 4, 2016:

Bonus points for relevance! Click that link and you'll be able to verify the effectiveness of the plugin...

gxs, posted December 14, 2016:

Great Plugin and I'm using it as we speak because my father always says yes to every banner/popup/sales person that shows up.

But I do have a question... The files are not a problem because there are not so many in his shared folder. But using dummy shares creates a whole lot of those folders that are nice to click on and trigger an alarm (my father likes to click on stuff). Is there a way to hide the share from users but still have it public?

Cheers
Blaz

Squid (Author), posted December 14, 2016:

You could try prefixing the share name with a "."

But personally, I would name the folders to be something like "DONT CLICK BAD THINGS HAPPEN"

gxs, posted December 14, 2016:

> I would name the folders to be something like "DONT CLICK BAD THINGS HAPPEN"

You clearly never met my father. I'll just use the file protection and avoid the dummy shares until I figure out how to hide them from him. Hey even I triggered an alert today when I wasn't careful. Thanks again for the great plugin.

mathgeek97, posted December 21, 2016:

Not sure if I'm doing something wrong here. I installed this plugin today, let it create bait files in the root directories (also bait shares). As soon as I try to connect to a share using AFP from my Mac, it sets off a trigger and the array immediately stops. The error message is:

    Attack Detected
    SMB has been set to be in read-only mode due to a possible attack on /mnt/user/Shared/SquidBait-DO_NOT_DELETE.docx
    You can choose to reset the SMB/AFP permissions by clicking below. If this was caused by an attack, it is not advised to reset permission to normal

The Attack History isn't telling me anything useful:

    ******************************************************************************************
    Time Of Attack:Tue, 20 Dec 2016 23:38:50 -0500
    Attacked File: /mnt/user/Shared/SquidBait-DO_NOT_DELETE.docx
    Samba version 4.4.5
    PID Username Group Machine Protocol Version Encryption Signing
    ----------------------------------------------------------------------------------------------------------------------------------------
    Service pid Machine Connected at Encryption Signing
    ---------------------------------------------------------------------------------------------
    No locked files
    -------

Is this a bug or a feature that I'm not really getting? Thanks!

mckenna654, posted December 26, 2016:

I'm getting this when connecting via my MacBook as well. Windows machine is fine. It seems for whatever reason that connecting to the share via AFP on a MacBook is triggering the ransomware plugin. I will have to disable it for now.

Squid (Author), posted December 26, 2016:

Not sure. I'll try and do some research and see what I can come up with.

andrewpercival, posted December 27, 2016:

I have a really stupid question: is there any way to hide the bait files? My nephew touched a few files while he was visiting. Sorry if this has been covered.

Squid (Author), posted January 1, 2017:

- Added ability to hide the bait files. Pretty much requires you to stop the service, delete the bait files, then recreate.
- Due to a technical problem, the 4 base bait files in the root folder of each bait share cannot at this time be hidden.

Hide "dot" files has to be enabled in Settings - SMB settings for this to work.

unJim, posted January 2, 2017:

Thanks Squid, I'm glad you decided to add this. I have been hiding them from the start, as mentioned earlier in the thread. Is this addition going to affect anything for me, as my bait files are already "dot" files? Should I delete my custom bait file directory?

Squid (Author), posted January 2, 2017:

Not quite sure. The effect of enabling them to be hidden throws a dot in front of the filename. In your case it would be a double dot. Personally I would get rid of the dot on your custom files and recreate them.

mgladwin, posted January 6, 2017:

Hey Squid,

First of all great work on the plugin and thank you for sharing all that you do with the community. (I just read a few other posts of yours which helped me out with a couple of other issues)

Anyway, I installed this plugin to have a look and had it running for a while. Didn't have any issues but decided I didn't need it right now so I uninstalled the plugin. One thing has remained and that is the comment section on the disk shares in the Shares tab. I still have: "Read Only Mode. Restore normal settings via Ransomware Protection Settings", but I can't find anywhere to change/remove this. Any ideas?

Cheers.

Squid (Author), posted January 6, 2017:

There was a previous bug in the plugin where the SMB settings on the Disk Shares would not properly restore. Just manually go to the Disk Shares (Shares - Disk) and reset the permissions you had originally (And delete the comment)

mgladwin, posted January 7, 2017:

I have reset the permissions, no worries. My issue is I can't find anywhere I can remove the comment that the Ransomware plugin has put there. User shares have a comment section which can be changed in the share settings. I can't find this setting for the Disk shares. Maybe an unRAID thing?

Squid (Author), posted January 7, 2017:

Hmm. Never actually noticed, and since I'm using a VM at the moment it's a pain to check (since I can't stop the array to enable disk shares). But, you can edit the file config/disk.cfg on the flash drive (any editor will work) and remove those comments in it manually.

mgladwin, posted January 7, 2017:

Cool, that worked. One thing to note, it changed the comment for all the unassigned disks as well, i.e., Disk 6, Disk 7, Disk 8 and so on, which I don't even have. Thought I would mention it just in case it wasn't supposed to do that.

Squid (Author), posted January 7, 2017:

Speed is the issue. Faster for me to just set all the disks / shares to be read-only rather than try and figure out what's valid or not.

mgladwin, posted January 7, 2017:

Thought you might say something like that. Thanks again!

wgstarks, posted January 17, 2017:

I had to downgrade my server to 6.1.9 and this plugin isn't compatible. Left a bunch of bait shares on my server that I would like to delete. I used mc to delete the bait files. How do I delete the shares? WebUI still shows that they aren't empty.

Squid (Author), posted January 17, 2017:

rm -rf /mnt/user/nameOfShare should do the trick.

wgstarks, posted January 17, 2017:

No. Didn't get any errors, but the share is still there.

Squid (Author), posted January 17, 2017:

Hmm, not sure that's the command that the program uses. I'm in a hotel tonight but tomorrow I'll look into downgrading one of my servers and trying it. Send me a PM, otherwise I may forget.

Squid (Author), posted January 17, 2017:

It's because 6.1 doesn't support hardlinks on shares. You have to delete the share from each disk individually. mc should be fine.

wgstarks, posted January 17, 2017:

I went to /mnt/user/ in mc and deleted the shares recursively. Are you saying I need to go to /mnt/diskX/ in mc and delete again?

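
Squid's advice above is to delete the share from each disk individually. One way to audit and do that from the shell, as an added example that is not code from the thread or the plugin: it assumes the usual unRAID layout where /mnt/user is a merged view of /mnt/diskN and /mnt/cache, and that bait files carry "SquidBait" in their name as in the alert quoted earlier. MNT_ROOT, FORCE and the function names are made up for illustration.

```bash
#!/bin/bash
# Added example (not from the thread or the plugin): find and remove the
# per-disk copies of a leftover bait share.
# Assumption: /mnt/user is only a merged view; data lives in /mnt/diskN and /mnt/cache.
MNT_ROOT="${MNT_ROOT:-/mnt}"   # hypothetical override, lets you rehearse on a scratch tree

# List every per-disk directory backing the share (never the merged "user" view).
share_copies() {
    for _d in "$MNT_ROOT"/disk[0-9]* "$MNT_ROOT"/cache; do
        if [ -d "$_d/$1" ]; then printf '%s\n' "$_d/$1"; fi
    done
}

# Count files in one copy that do not look like bait files.
# Assumption: bait files carry "SquidBait" in the name, as in the alert quoted in the thread.
non_bait_count() {
    find "$1" -type f ! -name '*SquidBait*' | wc -l | tr -d ' '
}

# Remove each per-disk copy. A copy still holding non-bait files is skipped
# (return 1) unless FORCE=1; an unsafe share name is rejected (return 2).
remove_share_copies() {
    case "$1" in
        ""|.|..|*/*) echo "refusing unsafe share name: '$1'" >&2; return 2 ;;
    esac
    _rc=0
    for _d in "$MNT_ROOT"/disk[0-9]* "$MNT_ROOT"/cache; do
        _copy="$_d/$1"
        [ -d "$_copy" ] || continue
        _extra=$(non_bait_count "$_copy")
        if [ "$_extra" -gt 0 ] && [ "${FORCE:-0}" != 1 ]; then
            echo "SKIP $_copy: $_extra non-bait file(s) remain" >&2
            _rc=1
            continue
        fi
        rm -rf -- "$_copy" && echo "removed $_copy"
    done
    return "$_rc"
}

# Usage: script SHARE          -> list the per-disk copies only
#        script SHARE delete   -> remove them
if [ -n "${1:-}" ]; then
    share_copies "$1"
    if [ "${2:-}" = delete ]; then remove_share_copies "$1"; fi
fi
```

Run it with only the share name first and check the listed paths before adding delete.
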
FreeMan, posted January 17, 2017:

Wow, Squid! I jumped in early on this, but uninstalled it while I was migrating my drives from ReiserFS to XFS. I've been following development, but not paying really close attention. I gotta say, this looks fantastic now! I was all kinds of prepared to ask a bunch of configuration questions, but everything is covered very clearly in your help section and the whole thing looks really professional!

I do have a few questions for you:

- Dracula? Why does he get credit? Yes, I read all of the help
- .mp3 files. If I wanted to add an mp3 file as a bait target, would I just create /config/plugins/ransomware.bait/bait/squidbait.mp3 and all is good?
- Protecting other computers. If I were to use Unassigned Devices to remote mount the root of my local machine's hard drive as an SMB share, share that from unRAID, then set RP to protect that share too, what do you think the odds are that it would actually work and detect a file deletion? I realize that shutting down the share from the server would NOT protect the local machine from the ransomware running locally on that machine, but it would likely serve to protect the server that much earlier (possibly before the nasty gets to a share), and would be very explicit as to which machine the attack originated from. Obviously, there would be a lot of work to explicitly exclude machine-local directory structures that get updated frequently (\temp, for example - others based on the OS). Your warnings about RP not protecting local machines got me thinking about this.
- Tabs. What happened to the nice tabbed interface shown in your screen grabs from the OP? I think they're quite a bit nicer than the long scrolling list of options that are available in the 2017.01.01 version I just pulled today. It would bring the help page much closer to the relevant options, as well, thus making it easier to relate the help to the option (minimizing scrolling), and might minimize questions that are covered in the help files (especially if help is always displayed on the tab).

Again - FANTASTIC job with this!