[Plugin] Ransomware Protection - Deprecated


Squid


You will always be able to delete via MC as that's direct access rather than SMB.  What you're describing is read only access to the shares.  Just go to the plugin page and a popup will ask if you want to restore SMB permissions.

There is no real way to distinguish how or what caused the trip.  A docker container deleting the bait is the same as doing it from the command line is the same as doing it over SMB.

 

Prior to v2016.11.11, there was an implementation error (read that as: I didn't consider all possibilities) where, once the program tripped, a subsequent trip (which wouldn't happen via SMB, but rather from the command line, a docker app, etc.) would then trash the backup copies of the share configs.

 

This double-trip situation basically resulted in the backup copies of the share configs being overwritten by the read-only settings, so attempting to restore normal access would just restore a backup of the read-only settings, and you're back where you started.

 

After 2016.11.11, a check is made to see if the backup copies exist prior to overwriting them, and if they do, then the copy is skipped.

 

Since this has been going on for ~a week, the time frame is about right for when the issue started vs when it was fixed.

 

The only solution at this point is to click the button to restore normal permissions (which won't do anything obvious, but it will get the program back in a state that you can work with) - from your posted pic it already is in normal mode - and then change the share permissions back manually to what they should be.

 

 

Ultimately, I don't advise tossing bait files into every folder, as the chances for innocent trips skyrocket - just use the root of all shares and use the bait shares option.

 

Also, any shares which are manipulated by other apps (eg: Downloads) should always be excluded as the programs running have no concept that this plugin is monitoring the files within.

 

 

 

Link to comment
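The double-trip failure Squid describes above, as an added shell example that is not the plugin's own code. It stands in a throwaway sandbox for the live share configs and the plugin's backup copies, runs trip, trip, restore under both behaviours, and shows that only the version which refuses to overwrite an existing backup gets the original setting back. The config keys and values are illustrative assumptions, not the real Unraid share format.

```sh
#!/bin/sh
# Added example, not the Ransomware Protection plugin's own code.
# Simulates the share-config backup around a "trip" in a throwaway sandbox
# (stand-ins for /boot/config/shares and the plugin's backup directory) and
# contrasts the pre-2016.11.11 behaviour (backups overwritten on every trip)
# with the fix (backup skipped when a copy already exists).
# The cfg keys and values below are illustrative, not the real share format.

SANDBOX="${TMPDIR:-/tmp}/rp-demo.$$"
SHARES="$SANDBOX/shares"   # constructed stand-in for the live share configs
BACKUP="$SANDBOX/backup"   # constructed stand-in for the plugin's backup copies

# Create two shares with their normal (pre-attack) settings.
setup() {
  rm -rf "$SANDBOX"
  mkdir -p "$SHARES" "$BACKUP"
  printf 'shareSecurity="public"\nshareComment=""\n'  > "$SHARES/Media.cfg"
  printf 'shareSecurity="private"\nshareComment=""\n' > "$SHARES/Photos.cfg"
}

# A trip: save each config, then force the share into the locked-down state.
# mode=buggy copies unconditionally; mode=fixed keeps an existing backup.
trip() {
  mode="$1"
  for cfg in "$SHARES"/*.cfg; do
    name=$(basename "$cfg")
    if [ "$mode" = buggy ] || [ ! -e "$BACKUP/$name" ]; then
      cp "$cfg" "$BACKUP/$name"
    fi
    printf 'shareSecurity="secure"\nshareComment="RP: read-only mode"\n' > "$cfg"
  done
}

# "Restore SMB permissions": copy whatever the backups hold over the live configs.
restore() {
  for b in "$BACKUP"/*.cfg; do
    cp "$b" "$SHARES/$(basename "$b")"
  done
}

# Run trip, trip, restore and print the resulting shareSecurity of one share.
# $1 = buggy|fixed, $2 = share name
security_after_double_trip() {
  setup
  trip "$1"   # first trip, e.g. bait deleted over SMB
  trip "$1"   # second trip while still locked, e.g. a container removes bait
  restore
  sed -n 's/^shareSecurity="\(.*\)"$/\1/p' "$SHARES/$2.cfg"
  rm -rf "$SANDBOX"
}

echo "buggy: $(security_after_double_trip buggy Media)"   # secure (original lost)
echo "fixed: $(security_after_double_trip fixed Media)"   # public (original restored)
```

The second trip in the buggy path copies the already-locked config over the only good copy, which is exactly why "restore" afterwards appears to do nothing; the fixed path makes the backup step idempotent so repeated trips cannot destroy the pre-trip state.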

Is that what you are after my good person? :)

 

There is no attack history present.  Did you delete the attack log?  Did you uninstall and reinstall the plugin hoping that would fix it?

 

Also post a screen shot of the shares tab

 

I think I uninstalled it with that hope, then thought it over and decided it might be a plugin that is better to have installed than not, so I reinstalled it and set it to put bait files only in the root, which seems to be working fine so far other than my boo boo from the initial install and setting it to put squid files in all directories without realizing what I was doing.  Thank you very much for your help by the way!!

Link to comment

If the share does not state Read-only mode, then it's probably a permissions issue within the Downloads folder.  I've been plagued by it recently on ~50% of my DLs via NZBGet for some reason.

 

I just do

newperms /mnt/user/Downloads

to fix it up.

 

I tried running this via ssh but it doesn't seem to help.

 

Possible bug.  Gotta wait a few hours before I can check it out.  Everything's restored itself back to read-write, with the exception of the disk shares. 

 

If you access the appdata share via the share instead of first navigating to the cache drive over the network you should be ok.  But you're going to have to manually reset the disk share permissions for each of the disks.  No real way around it  :(

Link to comment

Is that what you are after my good person? :)

 

There is no attack history present.  Did you delete the attack log?  Did you uninstall and reinstall the plugin hoping that would fix it?

 

Also post a screen shot of the shares tab

 

I think I uninstalled it with that hope, then thought it over and decided it might be a plugin that is better to have installed than not, so I reinstalled it and set it to put bait files only in the root, which seems to be working fine so far other than my boo boo from the initial install and setting it to put squid files in all directories without realizing what I was doing.  Thank you very much for your help by the way!!

The uninstall thing is something that I spent some time going over in my head about what to do.  Did I want to restore normal permissions or leave it in the tripped state?

 

I ultimately decided, due to the nature of the plugin, to leave it in the tripped state so that someone wouldn't merely uninstall the plugin in the case of a legitimate attack without understanding what was going on.

 

Unfortunately, what that means is that in the case of a reinstall without first fixing those share settings, the plugin assumes that what is set is what it's supposed to be.  I'll change the uninstall routine to restore the permissions.

Link to comment

Is that what you are after my good person? :)

 

There is no attack history present.  Did you delete the attack log?  Did you uninstall and reinstall the plugin hoping that would fix it?

 

Also post a screen shot of the shares tab

 

I think I uninstalled it with that hope, then thought it over and decided it might be a plugin that is better to have installed than not, so I reinstalled it and set it to put bait files only in the root, which seems to be working fine so far other than my boo boo from the initial install and setting it to put squid files in all directories without realizing what I was doing.  Thank you very much for your help by the way!!

The uninstall thing is something that I spent some time going over in my head about what to do.  Did I want to restore normal permissions or leave it in the tripped state?

 

I ultimately decided, due to the nature of the plugin, to leave it in the tripped state so that someone wouldn't merely uninstall the plugin in the case of a legitimate attack without understanding what was going on.

 

Unfortunately, what that means is that in the case of a reinstall without first fixing those share settings, the plugin assumes that what is set is what it's supposed to be.  I'll change the uninstall routine to restore the permissions.

 

That makes complete sense in the event of a real attack and this is totally my fault for being an idiot obviously lol.

 

I don't mind restoring the share permissions for each disk but I am unsure how to go about doing so.  I am a Linux newb and always flying by the seat of my pants when it comes to these Unraid bugs that I cause myself, which forces me to learn some new Linux ;)

Link to comment

... this is totally my fault for being an idiot obviously lol.

Due to the amount of times that I have to cause trips during development, my wife has now threatened me with divorce if I do any development on this plugin while she's still awake  :o

 

I don't mind restoring the share permissions for each disk but I am unsure how to go about doing so.  I am a Linux newb and always flying by the seat of my pants when it comes to these Unraid bugs that I cause myself, which forces me to learn some new Linux ;)

In the webGUI, go to Shares, Disk Shares, click on each disk in turn and change the settings to whatever they were (or you think they were).  If you don't remember ever changing them in the first place, then they were probably set to public (RP sets them to secure if they were previously public).  Also delete the comment line so that it's easy to see when RP changes it.
Link to comment

... this is totally my fault for being an idiot obviously lol.

Due to the amount of times that I have to cause trips during development, my wife has now threatened me with divorce if I do any development on this plugin while she's still awake  :o

 

I don't mind restoring the share permissions for each disk but I am unsure how to go about doing so.  I am a Linux newb and always flying by the seat of my pants when it comes to these Unraid bugs that I cause myself, which forces me to learn some new Linux ;)

In the webGUI, go to Shares, Disk Shares, click on each disk in turn and change the settings to whatever they were (or you think they were).  If you don't remember ever changing them in the first place, then they were probably set to public (RP sets them to secure if they were previously public).  Also delete the comment line so that it's easy to see when RP changes it.

 

I've set everything back to public as I had never changed them from their original defaults.  How do I delete the comment line?

 

Link to comment

... this is totally my fault for being an idiot obviously lol.

Due to the amount of times that I have to cause trips during development, my wife has now threatened me with divorce if I do any development on this plugin while she's still awake  :o

 

I don't mind restoring the share permissions for each disk but I am unsure how to go about doing so.  I am a Linux newb and always flying by the seat of my pants when it comes to these Unraid bugs that I cause myself, which forces me to learn some new Linux ;)

In the webGUI, go to Shares, Disk Shares, click on each disk in turn and change the settings to whatever they were (or you think they were).  If you don't remember ever changing them in the first place, then they were probably set to public (RP sets them to secure if they were previously public).  Also delete the comment line so that it's easy to see when RP changes it.

 

I've set everything back to public as I had never changed them from their original defaults.  How do I delete the comment line?

 

I figured it out!!

Link to comment

Found a bug - when you use 'delete all backups' from CA Backup it deletes the bait files as well, triggering an attack alert.

You are correct.  RP is placing bait files within the root of the backup share when in fact it shouldn't be (but it doesn't traverse any sub folders within that, which is correct).  Will fix later today.
Link to comment

Also clashing with Fix Common Problems:

 

 

The following directories exist with similar names, only differing by the 'case' which will play havoc with Windows / SMB access. Windows does NOT support folder names only differing by their case and strange results will happen should you attempt to manipulate the folders or files

/mnt/user/Zonejunk-around/able_wife/within_place_were/there_dreadful/comfortable_ring_coach/looked_they/outside_over/coming_faint/there
/mnt/user/Zonejunk-around/able_wife/within_place_were/there_dreadful/comfortable_ring_coach/looked_they/outside_over/coming_faint/There
/mnt/user/Zonejunk-around/wakened_that_where/gleaming_place/Huns_sign/amongst_shaggy/stuffed_wife_grew/however_smiled/drew_most_with/door_them_dish/made_companions/passed_come/with
/mnt/user/Zonejunk-around/wakened_that_where/gleaming_place/Huns_sign/amongst_shaggy/stuffed_wife_grew/however_smiled/drew_most_with/door_them_dish/made_companions/passed_come/With
/mnt/user/Zonejunk-blessing/looking_they_crazy/reared_dish_other/darkness_cart_Carpathians/leaves_darkness_leather/they
/mnt/user/Zonejunk-blessing/looking_they_crazy/reared_dish_other/darkness_cart_Carpathians/leaves_darkness_leather/They

Link to comment

Also clashing with Fix Common Problems:

 

 

The following directories exist with similar names, only differing by the 'case' which will play havoc with Windows / SMB access. Windows does NOT support folder names only differing by their case and strange results will happen should you attempt to manipulate the folders or files

/mnt/user/Zonejunk-around/able_wife/within_place_were/there_dreadful/comfortable_ring_coach/looked_they/outside_over/coming_faint/there
/mnt/user/Zonejunk-around/able_wife/within_place_were/there_dreadful/comfortable_ring_coach/looked_they/outside_over/coming_faint/There
/mnt/user/Zonejunk-around/wakened_that_where/gleaming_place/Huns_sign/amongst_shaggy/stuffed_wife_grew/however_smiled/drew_most_with/door_them_dish/made_companions/passed_come/with
/mnt/user/Zonejunk-around/wakened_that_where/gleaming_place/Huns_sign/amongst_shaggy/stuffed_wife_grew/however_smiled/drew_most_with/door_them_dish/made_companions/passed_come/With
/mnt/user/Zonejunk-blessing/looking_they_crazy/reared_dish_other/darkness_cart_Carpathians/leaves_darkness_leather/they
/mnt/user/Zonejunk-blessing/looking_they_crazy/reared_dish_other/darkness_cart_Carpathians/leaves_darkness_leather/They

Ah luck of the draw on the names it chose

 


 

 

Link to comment
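The Fix Common Problems warning quoted above is about directory names that differ only by case, which Windows and SMB clients cannot tell apart. As an added shell example that is neither the plugin's nor Fix Common Problems' code, the block below does two things on a constructed tree: scans for existing case-only duplicates the way the warning does, and pre-checks a candidate bait name against its siblings so a random-name generator could reject a clash before creating it. It assumes a case-sensitive filesystem, as on the Unraid array.

```sh
#!/bin/sh
# Added example, not code from the plugin or from Fix Common Problems.
# Two checks around case-only name collisions, which Windows/SMB clients
# cannot tell apart: a scan for existing duplicates, and a pre-flight test
# a bait-file generator could run before creating a randomly named directory.
# Assumes a case-sensitive filesystem (as on the Unraid array); the tree is constructed.

lower() { tr '[:upper:]' '[:lower:]'; }

# Print each lowercased path under $1 that maps to more than one real entry.
case_dupes() {
  find "$1" -mindepth 1 | lower | sort | uniq -d
}

# Echo 1 if creating "$2" inside "$1" would be safe, 0 if an existing sibling
# already has that name ignoring case.
bait_name_ok() {
  want=$(printf '%s' "$2" | lower)
  for entry in "$1"/* "$1"/.[!.]*; do
    [ -e "$entry" ] || continue
    have=$(basename "$entry" | lower)
    if [ "$have" = "$want" ]; then echo 0; return 0; fi
  done
  echo 1
}

# Constructed sample tree modelled on the names in the warning above.
DEMO="${TMPDIR:-/tmp}/rp-case-demo.$$"
mkdir -p "$DEMO/coming_faint/there" "$DEMO/coming_faint/There" "$DEMO/passed_come/with"

echo "duplicates:"; case_dupes "$DEMO"        # .../coming_faint/there
bait_name_ok "$DEMO/passed_come" "With"       # 0 - clashes with "with"
bait_name_ok "$DEMO/passed_come" "wakened"    # 1 - safe

rm -rf "$DEMO"
```

The scan lowercases whole paths before looking for repeats, so it catches clashes at any depth; the pre-check only needs to look at siblings, because a name can only collide with entries in the same directory.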

Hi to all,

 

man, what a great piece of software. Thanks a lot!

 

But maybe someone could help me. I installed the plugin on both of my servers. The backup machine worked absolutely smoothly. The main machine as well.

 

One issue, which may not be related to the installation of the plug-in.  I tried to reach my server using its IP. As usual for me, I'm always using the IP. But the server is unreachable. If I use its name, tada, the server shows me its shares in Windows Explorer.

 

Any ideas are welcome.

 

Thanks a lot!

 

UPDATE: this occurred the first time after installation of the plug-in. I uninstalled it hoping that might fix the issue, but it didn't.

 

Greetings from Germany!

heisenberg-diagnostics-20161129-1356.zip

Link to comment

GUI is reached via IP without any problems

This seems to be the opposite of what you said before:

I tried to reach my server using its IP. As usual for me, I'm always using the IP. But the server is unreachable. If I use its name, tada, the server shows me its shares in Windows Explorer.

Which is it?
Link to comment

trurl, I am very sorry if I told bull...!

 

The problem exists only when I try to access my share via Windows Explorer.

 

There was no problem reaching the GUI. I can easily type the IP into Firefox and it shows my GUI.

 

But let's say I right click and make a new shortcut in Windows. Typing \\192.168.10.100, it says the address doesn't exist.

 

But if I type \\Heisenberg everything works well and the shares on Heisenberg are showing. The IP is checked and correct.

 

I didn't want to cause any confusion. Sorry for that.

 

 

Link to comment

I am having trouble loading the GUI.  When I go to the plugins section and select ransomware, the URL is /tower/Settings/ransomware; the Unraid banner loads but nothing else.

I am trying to delete a user share and wanted to disable it for that share beforehand.

Am I missing something?

Link to comment

I am having trouble loading the GUI.  When I go to the plugins section and select ransomware, the URL is /tower/Settings/ransomware; the Unraid banner loads but nothing else.

I am trying to delete a user share and wanted to disable it for that share beforehand.

Am I missing something?

Not sure.  Can you get to it from the Settings (User Utilities) tab?

 

Link to comment
