Squid (author) Posted October 12, 2017
Sorry. I tested that the day after your post. And on both of my systems with Hide Dot Files enabled, Windows doesn't show the files unless I have it display hidden files. Not quite sure whether it's your Windows messing up or something in your smb-extra.cfg / smb.cfg files.
geonerdist Posted October 14, 2017
On 10/12/2017 at 5:37 AM, Squid said: Sorry. I tested that the day after your post. And on both of my systems with Hide Dot Files enabled, Windows doesn't show the files unless I have it display hidden files. Not quite sure whether it's your Windows messing up or something in your smb-extra.cfg / smb.cfg files.
Thanks for checking. My smb-extra.cfg is empty. I cannot seem to locate smb.cfg anywhere under /boot.
be4con Posted January 1, 2018
I installed this plugin a few days ago and I'm having tons of what appear to be false positives. I can't quite understand why and hope someone can help. Last night, for example, I had more than a dozen attacks with the following or similar log:

Jan 1 03:18:09 Tower root: ransomware protection:
Jan 1 03:18:09 Tower root: ransomware protection:Service pid Machine Connected at Encryption Signing
Jan 1 03:18:09 Tower root: ransomware protection:---------------------------------------------------------------------------------------------
Jan 1 03:18:09 Tower root: ransomware protection:
Jan 1 03:18:09 Tower root: ransomware protection:No locked files
Jan 1 03:18:09 Tower root: ransomware protection:
Jan 1 03:18:09 Tower root: ransomware protection:Gathering Inventory Of Old Bait Files
Jan 1 03:18:09 Tower root: ransomware protection:Found 40 previous bait files.
Jan 1 03:18:09 Tower root: ransomware protection:Starting Background Monitoring Of Bait Files
Jan 1 03:18:49 Tower root: ransomware protection:Deleted 29 bait shares
Jan 1 03:18:49 Tower root: ransomware protection:Creating Folder Structure
Jan 1 03:18:49 Tower root: ransomware protection:Double attack detected. Possible misconfigured settings allowing a share (downloads?) to be deleted locally
Jan 1 03:18:49 Tower root: ransomware protection:..
Jan 1 03:18:49 Tower root: ransomware protection:Possible Ransomware attack detected on file /mnt/user/suppose-Squidbait/.SquidBait-DO_NOT_DELETE.docx
Jan 1 03:18:49 Tower root: ransomware protection:SMB Status:
Jan 1 03:18:49 Tower root: ransomware protection:
Jan 1 03:18:49 Tower root: ransomware protection:Samba version 4.5.10
Jan 1 03:18:49 Tower root: ransomware protection:PID Username Group Machine Protocol Version Encryption Signing

I'm confident there is no malware on my machine or network, so I'm not sure how to identify what the trigger is here or what settings to change to avoid these false positives.
Can anyone help?
Darksurf Posted January 1, 2018
Odd. You can go to the plugin settings, stop the service, click delete all bait, and start the service so it can generate new bait. See if that fixes your issue. The only way there should be false positives is if the bait is going missing. I also don't use bait shares, just bait files.
Squid (author) Posted January 1, 2018
14 minutes ago, be4con said: dozen attacks
Something on your network is modifying/deleting those file(s). In the actual attack history, there may be clues as to what IP address is triggering it. It is a "double attack", which means that many mods happened in very quick succession, so it's probably benign and could very well be a misconfigured app on your server or something like that. Question though: is mover running when that took place?
be4con Posted January 4, 2018 (edited)
What is mover? I guess as I'm asking that question the answer is no. I think the issue is to do with incomplete deletion of previous bait files, if that's possible. I originally had the plugin set to place bait files in all folders but found that was causing me issues. So I deleted previous bait files and then set it to place in root only. It looks like the deletion of existing bait files didn't complete before a server reboot, and then it looks like it picked up again on restart and that triggered the attack warnings. Does that sound possible? After ensuring all files had finished deleting, it seems the false positives stopped.
I do have another problem though. Suddenly many of my files have changed permissions and I am being denied access to delete or modify them. This seems to have happened since I installed the plugin. Any idea how I get my permissions back for 'nobody'?
EDIT: it looks like this Ransomware plugin is misbehaving. After posting the above, I ran fix permissions (docker safe) and still couldn't modify the files. So I checked my shares (which I should have done previously, I guess) and Unraid reports that all my shares are in read-only mode due to the Ransomware plugin. However, when I go to the plugin settings it reports that SMB is not in read-only mode. So I'm stuck with files in read only due to this plugin but can't correct that because the plugin claims they aren't. Help! If I uninstall the plugin will my files return to RW? Is there anything else I can do?
Darksurf Posted January 6, 2018
When you write files and have a cache drive, the machine will offload those writes to the SSD because it's faster; then the mover will force those files off the SSD/cache drive onto the HDD storage. The mover runs on a cron job IIRC to automatically move files from cache to long-term storage. Sometimes the system will just add a label to the HDD or the share that they are read only; sadly, if you fix the problem and it goes back to R/W, that label can still remain. You can manually go into the settings of the drive or share and remove that label. It's only meant for you to notice in case of a problem. I use the plugin and I have no issues. I've been using it for a long time now. Plugin works like a boss. Make sure something or someone isn't "organizing" your files by deleting or moving ANY bait files even if they are visible. This will trigger the plugin to go on lockdown.
be4con Posted January 8, 2018
On 1/6/2018 at 6:06 AM, Darksurf said: When you write files and have a cache drive, the machine will offload those writes to the SSD because it's faster; then the mover will force those files off the SSD/cache drive onto the HDD storage. The mover runs on a cron job IIRC to automatically move files from cache to long-term storage. Sometimes the system will just add a label to the HDD or the share that they are read only; sadly, if you fix the problem and it goes back to R/W, that label can still remain. You can manually go into the settings of the drive or share and remove that label. It's only meant for you to notice in case of a problem. I use the plugin and I have no issues. I've been using it for a long time now. Plugin works like a boss. Make sure something or someone isn't "organizing" your files by deleting or moving ANY bait files even if they are visible. This will trigger the plugin to go on lockdown.
Thanks, but that isn't what happened. Whilst I was waiting for a response I did work out that I could manually set each share back to R/W, so I shouldn't have panicked, but the plugin had left both the comment and set all the shares to read only. That persisted regardless of what I did with the plugin. I resolved it by setting the shares manually back to R/W and deleting the comments. I then uninstalled the plugin. There is no question that, in this respect, it wasn't behaving as it should do on my server. I have also found that if you set the plugin to recreate bait files/shares on restart then that seems to trigger false +ves; it is the plugin deleting the previous shares that seems to trigger the alerts. Again, I doubt this is what is supposed to happen, so it may just be me who is seeing this. If I change the option to use existing shares/files then those false +ves stop.
In addition to this issue with persistent 'read only' status, it is also not hiding the bait shares or bait files despite both being selected. That's not a biggie, but it does make the network tree look a mess in Windows with all the bait shares showing. How do others deal with that? I really want to love this plugin, and I totally appreciate the effort that went into creating it. I have just reinstalled it, so we will see if it behaves better on my server this time.
Darksurf Posted January 8, 2018
You could try just setting it to use bait files instead of also using bait shares and see if the issue still occurs. I currently use the bait files option with the bait shares option disabled.
Ryonez Posted January 9, 2018
Is this plugin out of date? The images at the start of this forum thread and in the plugin itself don't resolve for me. Also, the plugin says it requires the inotify plugin from Nerd Tools. Nerd Tools doesn't have this available to install.
Squid (author) Posted January 9, 2018
6 hours ago, Ryonez said: Also, the plugin says it requires the inotify plugin from Nerd Tools. Nerd Tools doesn't have this available to install.
inotify has been included in unRaid for a bit now. The images being like that are because of changes that Photobucket made ~6 months ago. You'll see images like that scattered across the web.
Ryonez Posted January 9, 2018
Squid said: The images being like that are because of changes that Photobucket made ~6 months ago. You'll see images like that scattered across the web.
I know, I do see images like that around. Which is why my initial impression is that this plugin is out of date, especially with it asking for things it doesn't need, if it doesn't really need them. Will you be updating the plugin at any point? Does it still work? By the way, I've been using a few of your plugins; you've done some damn fine work. Thank you for your work!
JTok Posted February 22, 2018 (edited)
I have been reading about how this plugin works, and I have an alternative method that might work as well (rumor has it that @Squid likes feature creep). Hopefully I didn't miss a post in this thread where someone already talked about this method; I tried to read through the whole thing before posting.
I have some experience detecting ransomware in Windows environments, and we use a slightly different method to detect it on file shares that could be appealing to some here. Instead of using bait files, we just monitor files against a list of known extensions and file names used by ransomware, and use a white-list to override it for application-specific extensions that we might have in our environment.
The pros:
- You know when a file gets modified without relying on the ransomware to pick your bait files/shares first
- You don't have bait files/shares
The cons:
- One of your actual files has to be encrypted before you know it's happening (though if a bait file is not picked first, you may still be in the same boat or worse)
- You are relying on a list to be kept up-to-date
I would love to now offer you some code and a more concrete explanation of how I think this could be implemented, but it has been some time since I had to do anything beyond the most basic scripting in Linux. I'm also assuming that this is possible, and not a burden on the system; I just don't have enough experience to guess at this point.
Windows reference materials (the first link maintains a list of known bad files/extensions):
https://fsrm.experiant.ca/
https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early
Another alternative is some kind of behavior monitoring (i.e. watching for encryption), but I suspect that is far more difficult to implement. (We use this as well, but pay handsomely for the feature.)
Regardless, thank you for the plugin (and all the others).
-JTok
Quick Edit: Forgot to mention that I've seen fail2ban be used for something similar by reviewing Samba logs. The original is in German, so here is the Google Translate link and the original. Not sure it makes sense to use in this case, but hey, I'm told that knowledge is power.
Translated: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fartikel%2FErpressungs-Trojaner-wie-Locky-aussperren-3120956.html&edit-text
Original: https://www.heise.de/security/artikel/Erpressungs-Trojaner-wie-Locky-aussperren-3120956.html
Edited February 22, 2018 by JTok: forgot to include fail2ban method
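A sketch of the extension/file-name screening JTok describes, written as an added example for this thread rather than code from the plugin or from JTok: recently changed paths are matched against a block-list of ransomware-style globs, an allow-list overrides it for legitimate application paths, and shares are only locked once several distinct files trip the list. The pattern lists, the "appdata" and "backups" exemptions and the sample paths are all constructed for illustration.

```python
import fnmatch
import posixpath

# Block-list of ransomware-style globs, in the style of the FSRM feed
# (fsrm.experiant.ca) the post links to. Constructed for this example;
# a deployment would load the maintained list instead.
BLOCKED_PATTERNS = ("*.locky", "*.crypt", "*.encrypted", "*.locked",
                    "_help_instructions.*", "*decrypt*.txt")

# Allow-list overriding the block-list for paths that are legitimate here
# (the post's "white-list"; appdata follows trurl's Docker remark above).
# Constructed. Patterns containing "/" match the whole path, the rest match
# the basename only.
ALLOWED_PATTERNS = ("*/appdata/*", "*/backups/*.encrypted")


def _matches(path: str, pattern: str) -> bool:
    """Case-insensitive glob match against the full path or the basename."""
    path, pattern = path.lower(), pattern.lower()
    subject = path if "/" in pattern else posixpath.basename(path)
    return fnmatch.fnmatchcase(subject, pattern)


def classify(path: str):
    """Return the blocked pattern that `path` trips, or None when it is
    unmatched or explicitly allow-listed (allow-list wins)."""
    path = posixpath.normpath(path)
    if any(_matches(path, p) for p in ALLOWED_PATTERNS):
        return None
    return next((p for p in BLOCKED_PATTERNS if _matches(path, p)), None)


def scan(paths):
    """Return [(path, pattern)] for every path that trips the block-list."""
    return [(p, classify(p)) for p in paths if classify(p) is not None]


def should_lock(hits, threshold: int = 3) -> bool:
    """Only set shares read-only once several distinct files trip the list,
    so a single oddly named file does not lock the whole server."""
    return len({path for path, _ in hits}) >= threshold


if __name__ == "__main__":
    # Constructed sample of recently changed paths, as a file watcher
    # (e.g. inotify, which the plugin already relies on) would report them.
    sample = [
        "/mnt/user/documents/report.docx.locky",
        "/mnt/user/documents/_HELP_instructions.html",
        "/mnt/user/documents/HOW_TO_DECRYPT_FILES.txt",
        "/mnt/user/backups/2018-01.tar.encrypted",   # allowed
        "/mnt/user/appdata/plex/db.crypt",           # allowed
        "/mnt/user/photos/holiday.jpg",
    ]
    hits = scan(sample)
    for path, pattern in hits:
        print(f"{path} matched {pattern}")
    print("lock shares:", should_lock(hits))
```

The threshold is the knob that trades detection speed against the kind of false positive discussed earlier in the thread; the allow-list is what keeps application data with odd extensions from ever counting.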
tazire Posted February 23, 2018 (edited)
Having a minor issue. I was tidying up one of my shares of some junk files and in a mass delete set off the ransomware protection. Now all is fine that way... worked as advertised, but I can't access the server at all from my PC now. I have no issue getting into it from my phone, but even after resetting the SMB from read only I can't access it at all. Probably something simple, but I just couldn't see it.
EDIT: A server reboot solved it. Can disregard.
tazire Posted February 24, 2018
OK, well... as it turns out I'm still having issues since this accidental trigger. I still can't access certain shares since... This is so strange. I can't figure out where to fix this issue...
wgstarks Posted February 24, 2018
Have you tried the instructions from the user's manual? Settings > Ransomware Protection (scroll to the bottom).
The Lock Icon
At any time, if you click the lock icon, your server will immediately go into read-only mode where all network shares through either SMB or AFP will be set to read-only mode. Useful if you want to manually trigger read-only for one reason or another. After read-only has been set either through clicking the icon, or via detected ransomware attack, the lock will be replaced by a different link which will allow you to restore read/write access.
Squid (author) Posted February 25, 2018
Just discovered that not everything is working 100% correctly on 6.4. Working through it. A reboot will probably fix the can't-access-shares-after-trigger thing. Or alternatively, Settings - SMB Settings, disable then re-enable it.
local.bin Posted March 15, 2018 (edited)
Just updated to Unraid 6.5 and the web GUI has started timing out after a successful update and restart. I am getting a number of these messages in my log and wondered if the plugin is busy doing something that is causing the GUI to time out?

Mar 15 12:56:28 Tower root: ransomware protection:Waiting For deletion of bait files to complete
Mar 15 12:56:58 Tower root: ransomware protection:Waiting For deletion of bait files to complete
Mar 15 12:57:28 Tower root: ransomware protection:Waiting For deletion of bait files to complete

Is this normal and I should just leave it to complete, or is the plugin misbehaving? I am guessing there are a dozen or so of these messages.
Squid (author) Posted March 15, 2018
It can take a bit... Leave it. Usually completes on my system within 10 minutes.
local.bin Posted March 15, 2018
2 minutes ago, Squid said: It can take a bit... Leave it. Usually completes on my system within 10 minutes.
OK, sure. It's been going for nearly an hour now and it's a Xeon system, so no slouch.
trurl Posted March 15, 2018
36 minutes ago, local.bin said: OK, sure. It's been going for nearly an hour now and it's a Xeon system, so no slouch.
Maybe you're having disk I/O problems. Anything else in the syslog? Or maybe you have a ridiculous number of bait files? Did you have it putting bait in Plex appdata or something?
local.bin Posted March 15, 2018
1 minute ago, trurl said: Maybe you're having disk I/O problems. Anything else in the syslog? Or maybe you have a ridiculous number of bait files? Did you have it putting bait in Plex appdata or something?
Nothing in the logs, no, and I am not sure about Plex; I don't think so. I have gotten back to the GUI, but things are sluggish, so I have selected a stop to try and reboot. If I can get the GUI back fully I can check further, I guess.
tr0910 Posted April 11, 2018
On 2/26/2018 at 2:48 AM, Squid said: Just discovered that not everything is working 100% correctly on 6.4. Working through it. A reboot will probably fix the can't-access-shares-after-trigger thing. Or alternatively, Settings - SMB Settings, disable then re-enable it.
This issue seems to persist on 6.5 too. Once I trigger a false alarm with the plugin by deleting a file in the monitored shares, the server shuts SMB down and resetting the plugin does not reset the SMB access. It is totally gone, and only a stop of the array and a restart of the array restores access. I seem to recall the SMB shares would go to read only before on 6.3; they didn't completely go off-line. I am only using bait shares and not using bait files.
gsd2012 Posted May 4, 2018
Has anyone figured out why it triggers an attack while copying files over to the shares? This just started to happen around the end of Feb, and to fix it you have to reboot the server. I was having no issue with it before then and it had worked great up until then. No major changes that I know of on my part, unless an update changed it. Just curious. I love the plugin, but if it keeps doing this I am going to have to disable it, since I load stuff to it over SMB often. Thanks ahead if someone has figured it out.
jj_uk Posted June 10, 2018
Fix Common Problems is telling me that this plugin is no longer compatible and needs to be uninstalled. Plugin v2018.01.09.

newransomware.bait.plg Not Compatible with unRaid version 6.5.2
The author (or moderators of Community Applications) of the plugin template (https://raw.githubusercontent.com/Squidly271/ransomware.bait/master/plugins/newransomware.bait.plg) has specified that this plugin is incompatible with your version of unRaid (6.5.2). You should uninstall the plugin here:
Minimum OS Version: 6.2.1
Maximum OS Version: 6.4.1