rharvey Posted April 12, 2017
This sounded like an awesome plugin to use but each time I have tried to fire it up it activates almost right away. This is what it's saying:

Time Of Attack: Tue, 11 Apr 2017 18:03:07 -0400
Attacked File: /mnt/user/BoxsterBait-about/
Samba version 4.5.7

PID     Username   Group   Machine                            Protocol Version   Encryption   Signing
----------------------------------------------------------------------------------------------------------------------------------------
25974   nobody     users   10.0.1.28 (ipv4:10.0.1.28:50237)   SMB3_02            -            -
8034    rharvey    users   10.0.1.18 (ipv4:10.0.1.18:62150)   SMB3_02            -            AES-128-CMAC
31605   nobody     users   10.0.1.20 (ipv4:10.0.1.20:49671)   SMB3_11            -            -
31605   nobody     users   10.0.1.20 (ipv4:10.0.1.20:49671)   SMB3_11            -            -

Service                 pid     Machine     Connected at                   Encryption   Signing
---------------------------------------------------------------------------------------------
Movies                  8034    10.0.1.18   Mon Apr 10 10:21:39 2017 EDT   -            AES-128-CMAC
BlueIris                31605   10.0.1.20   Fri Apr  7 09:30:25 2017 EDT   -            -
Blue Iris Data on SSD   31605   10.0.1.20   Fri Apr  7 09:30:25 2017 EDT   -            -
BI                      31605   10.0.1.20   Tue Apr 11 16:00:33 2017 EDT   -            -
VMBackups               8034    10.0.1.18   Mon Apr 10 10:21:39 2017 EDT   -            AES-128-CMAC
cache                   8034    10.0.1.18   Mon Apr 10 10:21:39 2017 EDT   -            AES-128-CMAC
flash                   25974   10.0.1.28   Fri Apr  7 09:24:29 2017 EDT   -            -
Downloads               8034    10.0.1.18   Mon Apr 10 10:21:39 2017 EDT   -            AES-128-CMAC

Locked files:
Pid     Uid    DenyMode     Access     R/W      Oplock       SharePath   Name   Time
--------------------------------------------------------------------------------------------------
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Barn.20170411_161316.bvr   Tue Apr 11 16:13:19 2017
31605   99     DENY_NONE    0x100080   RDONLY   NONE         /mnt/user/BlueIris   .   Fri Apr  7 09:31:00 2017
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Family.20170411_160826.bvr   Tue Apr 11 16:08:29 2017
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Pool.20170411_161217.bvr   Tue Apr 11 16:12:20 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/cache   BI   Mon Apr 10 10:22:40 2017
25974   99     DENY_NONE    0x100081   RDONLY   NONE         /boot   .   Fri Apr  7 11:53:12 2017
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Third.20170411_161335.bvr   Tue Apr 11 16:13:38 2017
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Front.20170411_160859.bvr   Tue Apr 11 16:09:01 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_11_Apr_2017/xml   Tue Apr 11 08:35:26 2017
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Living.20170411_160031.bvr   Tue Apr 11 16:00:33 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/Movies   Aftermath   Mon Apr 10 10:22:40 2017
31605   99     DENY_NONE    0x100080   RDONLY   NONE         /mnt/user/Blue Iris Data on SSD   .   Fri Apr  7 09:31:00 2017
31605   99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Garage.20170411_160936.bvr   Tue Apr 11 16:09:39 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_07_Apr_2017/nvram   Mon Apr 10 10:22:40 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/cache   Blue Iris Data on SSD   Mon Apr 10 10:22:40 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_11_Apr_2017/nvram   Tue Apr 11 08:35:29 2017
8034    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_07_Apr_2017/xml   Mon Apr 10 10:22:40 2017
******************************************************************************************
Time Of Attack: Wed, 12 Apr 2017 09:03:51 -0400
Attacked File: /mnt/user/BoxsterBait-blossom/
Samba version 4.5.7

PID     Username   Group   Machine                            Protocol Version   Encryption   Signing
----------------------------------------------------------------------------------------------------------------------------------------
8077    rharvey    users   10.0.1.18 (ipv4:10.0.1.18:61365)   SMB3_02            -            AES-128-CMAC
8078    nobody     users   10.0.1.28 (ipv4:10.0.1.28:63522)   SMB3_02            -            -
8678    nobody     users   10.0.1.20 (ipv4:10.0.1.20:58030)   SMB3_11            -            -
8678    nobody     users   10.0.1.20 (ipv4:10.0.1.20:58030)   SMB3_11            -            -

Service                 pid     Machine     Connected at                   Encryption   Signing
---------------------------------------------------------------------------------------------
Movies                  8077    10.0.1.18   Tue Apr 11 18:09:34 2017 EDT   -            AES-128-CMAC
cache                   8077    10.0.1.18   Tue Apr 11 18:09:34 2017 EDT   -            AES-128-CMAC
BI                      8678    10.0.1.20   Wed Apr 12 08:21:48 2017 EDT   -            -
flash                   8078    10.0.1.28   Tue Apr 11 18:09:25 2017 EDT   -            -
Blue Iris Data on SSD   8678    10.0.1.20   Tue Apr 11 18:25:14 2017 EDT   -            -
BlueIris                8678    10.0.1.20   Tue Apr 11 18:25:14 2017 EDT   -            -
VMBackups               8077    10.0.1.18   Tue Apr 11 18:09:34 2017 EDT   -            AES-128-CMAC
Downloads               8077    10.0.1.18   Tue Apr 11 18:09:34 2017 EDT   -            AES-128-CMAC

Locked files:
Pid     Uid    DenyMode     Access     R/W      Oplock       SharePath   Name   Time
--------------------------------------------------------------------------------------------------
8678    99     DENY_NONE    0x100080   RDONLY   NONE         /mnt/user/BlueIris   .   Tue Apr 11 18:25:14 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/cache   BI   Tue Apr 11 18:11:02 2017
8678    99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Front.20170412_090026.bvr   Wed Apr 12 09:00:30 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_11_Apr_2017/xml   Tue Apr 11 18:11:02 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/Movies   Aftermath   Tue Apr 11 18:10:32 2017
8678    99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Living.20170412_082144.bvr   Wed Apr 12 08:21:48 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_11_Apr_2017/nvram   Tue Apr 11 18:11:02 2017
8678    99     DENY_NONE    0x100080   RDONLY   NONE         /mnt/user/Blue Iris Data on SSD   .   Tue Apr 11 18:25:14 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_07_Apr_2017/nvram   Tue Apr 11 18:10:32 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/cache   Blue Iris Data on SSD   Tue Apr 11 18:11:02 2017
8678    99     DENY_WRITE   0x12019f   RDWR     LEASE(RWH)   /mnt/user/BI   Family.20170412_090011.bvr   Wed Apr 12 09:00:15 2017
8077    1000   DENY_NONE    0x100081   RDONLY   NONE         /mnt/user/VMBackups   vmsettings/_07_Apr_2017/xml   Tue Apr 11 18:10:32 2017
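One way to triage a dump like the one above, as an added example that is not part of the plugin or of this post: parse the session and locked-files sections of smbstatus, join them on PID, and list which client machine held write handles open at the moment the bait share tripped. The excerpt embedded in the code is constructed from a few lines of the output above, and the column layout it assumes is the Samba 4.5 one shown there.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the smbstatus dump above (a few of its lines, not the full log).
SMBSTATUS = """\
PID     Username     Group        Machine                               Protocol Version  Encryption  Signing
-------------------------------------------------------------------------------------------------------------
25974   nobody       users        10.0.1.28 (ipv4:10.0.1.28:50237)      SMB3_02           -           -
8034    rharvey      users        10.0.1.18 (ipv4:10.0.1.18:62150)      SMB3_02           -           AES-128-CMAC
31605   nobody       users        10.0.1.20 (ipv4:10.0.1.20:49671)      SMB3_11           -           -

Locked files:
Pid     Uid    DenyMode    Access      R/W     Oplock      SharePath   Name   Time
--------------------------------------------------------------------------------------------------
31605   99     DENY_WRITE  0x12019f    RDWR    LEASE(RWH)  /mnt/user/BI   Barn.20170411_161316.bvr   Tue Apr 11 16:13:19 2017
8034    1000   DENY_NONE   0x100081    RDONLY  NONE        /mnt/cache   BI   Mon Apr 10 10:22:40 2017
31605   99     DENY_NONE   0x100080    RDONLY  NONE        /mnt/user/Blue Iris Data on SSD   .   Fri Apr  7 09:31:00 2017
"""

# One session line: PID, user, group, machine, (ipv4:endpoint), protocol, encryption, signing.
SESSION_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(ipv4:(\S+)\)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# One locked-file line. Share path and file name may both contain spaces, so they are
# captured together and delimited by the ctime-style timestamp that ends the line.
LOCK_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(DENY_\w+)\s+(0x[0-9a-fA-F]+)\s+(RDWR|RDONLY|WRONLY)\s+(\S+)\s+(.+?)\s+"
    r"(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s*$")


def parse_smbstatus(text):
    """Return (sessions keyed by PID, list of locked-file records)."""
    sessions, locks = {}, []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            pid, user, group, machine, endpoint, proto, enc, signing = m.groups()
            sessions[pid] = {"user": user, "machine": machine, "endpoint": endpoint,
                             "protocol": proto, "encryption": enc, "signing": signing}
            continue
        m = LOCK_RE.match(line)
        if m:
            pid, uid, deny, access, rw, oplock, path, when = m.groups()
            locks.append({"pid": pid, "uid": uid, "deny": deny, "access": access, "rw": rw,
                          "oplock": oplock, "path": " ".join(path.split()), "time": when})
    return sessions, locks


def writers_by_machine(text):
    """Map each client machine to the files it held open for writing when the
    snapshot was taken: the first place to look when a bait share trips."""
    sessions, locks = parse_smbstatus(text)
    out = defaultdict(list)
    for lk in locks:
        if lk["rw"] != "RDONLY":
            who = sessions.get(lk["pid"], {}).get("machine", "pid " + lk["pid"])
            out[who].append(lk["path"])
    return dict(out)
```

Run against the full dump above it would point at 10.0.1.20 (the Blue Iris host, PID 31605) as the only client with RDWR handles, all of them camera recordings under /mnt/user/BI; the tripped bait share itself does not appear in the open-file list, which is why the diagnostics Squid asks for below are the next step.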
Squid (Author) Posted April 12, 2017
Can you post your diagnostics?
wgstarks Posted April 18, 2017 (edited)
Finally got to update unRAID and reinstall this plugin. I'm using bait shares and have them set to be hidden, but when I connect to the server via SMB the bait shares are still visible. Not sure if I'm misunderstanding the settings or if there's something else required? Edited April 18, 2017 by wgstarks
Squid (Author) Posted April 18, 2017
You can only hide the files within, not the shares. If the shares were hidden, any attack vector would need to know the exact share name in order to attack it (which is beyond unlikely). Hidden files, on the other hand, are visible to any attack.... I name my bait shares zzz-SquidBait so that they are nicely out of the way and not in my face....
wgstarks Posted April 18, 2017
12 minutes ago, Squid said: I name my bait shares zzz-SquidBait so that they are nicely out of the way and not in my face....
Thanks. This should work almost as well.
FreeMan Posted April 22, 2017
I don't think this is RP's fault, but it was my first thought... I'm trying to write some files to a directory on my server and it's reporting that it can't because it's a "read-only file system". Of course RP was my immediate thought; however, RP is showing the lock icon with the text "Click The Lock To Immediately Set SMB/AFP to Be Read-Only" immediately under it, so it doesn't look like it's been triggered. There is nothing at all in the Ransomware Log, and the Attack History shows the one accidental "attack" I did on myself back in January. (Proved the system works! :D) Every single one of my shares, except flash, seems to be locked, but I don't know why. I don't see anything in the share settings or SMB settings that would have disabled this. As I said, it doesn't look like it's RP's fault, but I figured you'd have a good idea what may have happened. I'm happy to post this as a general support issue if you'd prefer, Squid. Diagnostics attached. nas-diagnostics-20170422-1541.zip
trurl Posted April 22, 2017
30 minutes ago, FreeMan said: I'm trying to write some files to a directory on my server and it's reporting that it can't because it's a "read-only file system".
Check the filesystem on the cache disk.
FreeMan Posted April 22, 2017 (edited)
8 minutes ago, trurl said: Check the filesystem on the cache disk.
Ding! Ding! Ding! You win the prize. The cache drive says "Read Only Mode. Restore normal settings via <a href='/Settings/Ransomware'>Ransomware Protection Settings</a>". However, I don't see anything in RP to enable it. I tried disabling RP then re-enabling, but the cache share is still RO. I guess I could try locking then unlocking via RP, but, if I recall correctly, unlock resets things to the way they were, not the way I want them to be. ACTUALLY, all the disks are mounted RO, not the shares. Edited April 22, 2017 by FreeMan
JorgeB Posted April 22, 2017
Your cache disk has been acting up, probably because of the pending sector.
FreeMan Posted April 22, 2017 (edited)
32 minutes ago, johnnie.black said: Your cache disk has been acting up, probably because of the pending sector.
Yes, I see that now. I've started a new thread in the General Support section instead of cluttering up Squid's RP thread any more. Thanks, all! Edited April 22, 2017 by FreeMan: link to further support thread
billium28 Posted April 28, 2017 (edited)
Hello, I am a brand new Unraid user and I was glad to see an anti-ransomware plugin. A few years ago my wife was attacked and we lost all her photos. We had never heard of this attack before (it was before it became well known), so I deleted everything and never saw a payment request. Anyway, one of the reasons I built this system is to safeguard the at-home data. My question is, in Windows 10 I have my Unraid server set up with a few mapped drive letters for the big folders. I now see 15 Squidbait shares there and I must admit it is sort of too much for me to keep. I like a cleanish folder structure and these just make it so hard to find the few shares I do need to access. Is there a way to completely hide the Squidbait shares from Windows, I assume SMB access? If I disable the bait shares and keep the bait files, would this lower my security? I know I can hide them, but I read in a post here that by hiding them they become invisible to an attacker and therefore useless. I also have the selection for Hide Bait Files set to Yes, but they are not hidden anywhere. I just saw you sort of answered my question up thread just a few days ago, but I won't edit this as it asks a different question. Thank you. Edited April 28, 2017 by billium28
trurl Posted April 28, 2017
10 hours ago, billium28 said: in Windows 10 I have my Unraid server set up with a few mapped drive letters for the big folders.
Not really pertinent to this thread or your question, but mapping drives is a security risk itself, and for more than just ransomware. Malware doesn't even have to be network aware to attack mapped drives. Most applications can browse the network these days. I never map drives but can easily open and use files on the network.
Squid (Author) Posted April 28, 2017
11 hours ago, billium28 said: Hello, I am a brand new Unraid user and I was glad to see an anti-ransomware plugin. A few years ago my wife was attacked and we lost all her photos. We had never heard of this attack before (it was before it became well known), so I deleted everything and never saw a payment request. Anyway, one of the reasons I built this system is to safeguard the at-home data. My question is, in Windows 10 I have my Unraid server set up with a few mapped drive letters for the big folders. I now see 15 Squidbait shares there and I must admit it is sort of too much for me to keep. I like a cleanish folder structure and these just make it so hard to find the few shares I do need to access. Is there a way to completely hide the Squidbait shares from Windows, I assume SMB access? If I disable the bait shares and keep the bait files, would this lower my security? I know I can hide them, but I read in a post here that by hiding them they become invisible to an attacker and therefore useless. I also have the selection for Hide Bait Files set to Yes, but they are not hidden anywhere. I just saw you sort of answered my question up thread just a few days ago, but I won't edit this as it asks a different question. Thank you.
Using both bait shares and the bait files is ideal. However, when using the bait files (within your existing shares), the odds of false trips increase significantly. (Personally, I only use the bait shares. But I've set the system to call them zzz-SquidBait so that they're at the bottom of any list and for the most part I don't even notice that they are there.) Hidden bait files won't lower the security. However, hidden bait shares will effectively disable them, so I don't allow you to do that (at least easily).
billium28 Posted May 7, 2017
On 4/28/2017 at 9:24 AM, Squid said: Using both bait shares and the bait files is ideal. However, when using the bait files (within your existing shares), the odds of false trips increase significantly. (Personally, I only use the bait shares. But I've set the system to call them zzz-SquidBait so that they're at the bottom of any list and for the most part I don't even notice that they are there.) Hidden bait files won't lower the security. However, hidden bait shares will effectively disable them, so I don't allow you to do that (at least easily).
Thank you for your reply. I will try renaming them and see how it looks. I will keep the bait files as a precaution.
billium28 Posted May 7, 2017
On 4/28/2017 at 9:09 AM, trurl said: Not really pertinent to this thread or your question, but mapping drives is a security risk itself, and for more than just ransomware. Malware doesn't even have to be network aware to attack mapped drives. Most applications can browse the network these days. I never map drives but can easily open and use files on the network.
I never thought of that, so that works great as an alternative. I want this to be very secure, so I will reset the drives now. Thanks.
-Daedalus Posted May 13, 2017
On 2017-4-18 at 1:31 PM, Squid said: You can only hide the files within, not the shares. If the shares were hidden, any attack vector would need to know the exact share name in order to attack it (which is beyond unlikely). Hidden files, on the other hand, are visible to any attack.... I name my bait shares zzz-SquidBait so that they are nicely out of the way and not in my face....
Just so I'm completely understanding things: Does this not negate the benefit of having them randomly dispersed throughout your array? If they're at the end, is the ransomware not more likely to hit legit files first, assuming a-z progression? Also: Massive thanks in general for creating this, especially given that worm that's on the loose at the moment. This one is Windows-only, but you never know.
Squid (Author) Posted May 13, 2017
On May 13, 2017, -Daedalus said: Just so I'm completely understanding things: Does this not negate the benefit of having them randomly dispersed throughout your array? If they're at the end, is the ransomware not more likely to hit legit files first, assuming a-z progression? Also: Massive thanks in general for creating this, especially given that worm that's on the loose at the moment. This one is Windows-only, but you never know.
Depends. Unless you're willing to purposely infect yourself to see what order it tries to infect in (but the paper I read said it was random), the bait shares concept tries to overwhelm the attack by giving it a million possible targets versus the couple thousand you may have of legit files. Any security system is a trade-off between convenience and security. For myself, not including the regular shares is a trade-off I'm willing to make for the increased convenience.
Sent from my LG-D852 using Tapatalk
-Daedalus Posted May 13, 2017
Point taken. But if infection is random, surely you'd be better served by simply upping the number of bait shares, or increasing the number of files per share, to give the same protection as randomly naming shares? E.g., on a 10-share system: 50 zz-prefixed shares would offer better protection vs. 30 randomly named ones.
Squid (Author) Posted May 13, 2017 (edited)
True enough, but I was also hitting filesystem limits during development on how many links per file I could do. And I needed to use links to keep the actual disk usage down to ~1 Meg. The chosen # of shares and files within won't return an error on any filesystem that unRaid supports, and I didn't want to get myself into a support nightmare with "why doesn't this work on my system" (and unRaid's FUSE filesystem further complicates things since a linked file may or may not be on the same filesystem as the original.) Edited May 13, 2017 by Squid
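The mechanism Squid describes in the two posts above, reduced to its core as an added example that is not the plugin's own code: many bait files that are hard links to one small source file (so the decoy set costs about one file of space), a content baseline, and a check that trips when any bait file is removed, renamed or rewritten. The fallback on EMLINK/EXDEV/EPERM is this example's own handling of the link-limit and cross-filesystem cases he mentions; the zzz-SquidBait prefix is the naming from the thread, and the file names and counts are constructed.

```python
import errno
import hashlib
import os
import shutil
import tempfile

BAIT_PREFIX = "zzz-SquidBait"  # naming convention from the thread; file names below are constructed

def create_bait(root, shares=3, files_per_share=4):
    """Create bait shares whose files are hard links to one 1 KiB source file,
    so the whole decoy set costs about one file's worth of disk space."""
    src = os.path.join(root, ".bait-source")
    with open(src, "wb") as f:
        f.write(os.urandom(1024))
    created = []
    for s in range(shares):
        share = os.path.join(root, f"{BAIT_PREFIX}-{s:02d}")
        os.makedirs(share, exist_ok=True)
        for i in range(files_per_share):
            dst = os.path.join(share, f"bait-{i:03d}.docx")
            try:
                os.link(src, dst)
            except OSError as e:
                # Link-count limit (EMLINK), other filesystem (EXDEV, e.g. a FUSE union
                # mount) or links refused (EPERM): fall back to a copy and spend the space.
                if e.errno not in (errno.EMLINK, errno.EXDEV, errno.EPERM):
                    raise
                shutil.copyfile(src, dst)
            created.append(dst)
    return created

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check(baseline):
    """Bait files removed, renamed or rewritten since the baseline {path: sha256}.
    One hit is the trip condition. An in-place write to one hard link changes the
    shared inode, so every linked bait file then reports as modified."""
    tripped = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            tripped.append(("missing", path))
        elif digest(path) != expected:
            tripped.append(("modified", path))
    return tripped

def demo():
    """Build decoys in a temp dir, record the baseline, then simulate one bait file
    being removed and another rewritten in place; returns what check() reports."""
    root = tempfile.mkdtemp(prefix="bait-demo-")
    try:
        baseline = {p: digest(p) for p in create_bait(root)}
        paths = sorted(baseline)
        os.remove(paths[0])
        with open(paths[1], "wb") as f:
            f.write(b"not the original content")
        return check(baseline)
    finally:
        shutil.rmtree(root)
```

On a filesystem that honours the hard links, demo() reports the removed file as missing and every other bait file as modified, which is the "many targets, one trip" effect in practice; where the copy fallback was taken, only the two touched files are reported.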
-Daedalus Posted May 14, 2017
Point taken. Just asking for my own understanding, in terms of probability of detection, etc.
CHBMB Posted May 14, 2017
Could do with this plugin adapting for the NHS @Squid http://www.bbc.co.uk/news/health-39899646
Squid (Author) Posted May 14, 2017
On May 14, 2017, CHBMB said: Could do with this plugin adapting for the NHS @Squid http://www.bbc.co.uk/news/health-39899646
There's a price premium for government.
Sent from my LG-D852 using Tapatalk
kizer Posted May 15, 2017
So glad I re-installed this.
squirrellydw Posted May 15, 2017
@Squid can you tell me how I should set this up, what options I should use? Thanks
Squid (Author) Posted May 15, 2017
29 minutes ago, squirrellydw said: @Squid can you tell me how I should set this up, what options I should use? Thanks
Myself, I only use bait shares, set up with a prefix of zzz-Squidbait so they are placed all together in the list. And I don't recreate on stop/start.