MrLeek Posted May 24, 2018

Checking some stuff this evening and I noticed that the ransomware plugin had tripped, turning off SMB in the process. Fuller details below:

There's a slight confusion with the timestamps. Either this happened at 0849 UTC (in which case I was in work and my iMac was in hibernation) or 0749 UTC (when I was using my iMac for a few minutes before going to work). Based on looking at the log data I've just saved off, I believe it's the former timestamp.

The only machines switched on were an iMac and a MacBook. Scans haven't found anything on the iMac (and I'll be scanning the MacBook in a moment).

There are (well, there were) three Windows-based VMs on the server. They were all powered off at the time (and had been for several days; they only get used in a lab environment). They've all been deleted for safety and can be rebuilt from scratch when I next need them.

All shares require a username/password to gain write access. The flash drive itself has no write permissions enabled.

I'm beginning to think this could be a false positive, but since I'm in no rush to assume that's the case I thought I'd ask the community for any thoughts/areas to investigate.
Time Of Attack: Thu, 24 May 2018 08:49:55 +0000
Attacked File: /mnt/user/able-galahad/.DS_Store

Samba version 4.7.7
PID    Username  Group  Machine                                                        Protocol Version  Encryption  Signing
--------------------------------------------------------------------------------------------------------------------------
31553  nobody    users  fe80::18e0:fb1d:1a2e:7d46 (ipv6:fe80::18e0:fb1d:1a2e:7d46:49589)  SMB3_02           -           -

Service       pid    Machine                    Connected at                  Encryption  Signing
---------------------------------------------------------------------------------------------
able-galahad  31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:49:50 2018 UTC  -           -
IPC$          31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:49:54 2018 UTC  -           -
cache         31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:48:29 2018 UTC  -           -
were-galahad  31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:49:03 2018 UTC  -           -

Locked files:
Pid    Uid  DenyMode   Access    R/W     Oplock  SharePath   Name  Time
--------------------------------------------------------------------------------
31553  99   DENY_NONE  0x100081  RDONLY  NONE    /mnt/cache  .     Thu May 24 08:48:44 2018
Squid Posted May 24, 2018

Since it was .DS_Store, I think it's a false positive. Any modification to bait shares results in a trigger. To get the system back functioning, you've got to hit that unlock button, and then also stop/start the array.
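One way to do the correlation this answer implies, as an added example that is not the plugin's or Unraid's own code: parse the smbstatus share table from the alert above, find which session opened the attacked share in the moments before the alert fired, and check whether the touched file is ordinary desktop metadata (macOS Finder writes .DS_Store into any folder it browses) rather than an encrypted or renamed file. The alert values and smbstatus rows are the ones from the post, rejoined one row per line; the benign-metadata allowlist, the two-minute look-back window and the /mnt/user/<share>/ path convention are my assumptions, not anything the plugin defines.

```python
"""Triage a bait-share alert against smbstatus output (added example, not the plugin's code)."""
import re
from datetime import datetime, timedelta, timezone

# Values copied from the alert in the post.
ATTACK_TIME = "Thu, 24 May 2018 08:49:55 +0000"
ATTACKED_FILE = "/mnt/user/able-galahad/.DS_Store"

# smbstatus "Service pid Machine Connected at Encryption Signing" rows from the post,
# one row per line as smbstatus prints them.
SMBSTATUS_SHARES = """\
able-galahad  31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:49:50 2018 UTC  -  -
IPC$          31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:49:54 2018 UTC  -  -
cache         31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:48:29 2018 UTC  -  -
were-galahad  31553  fe80::18e0:fb1d:1a2e:7d46  Thu May 24 08:49:03 2018 UTC  -  -
"""

# Files desktop OSes drop into any directory they browse; a bait share that fires on
# *any* write will trigger on these. This allowlist is my assumption.
BENIGN_METADATA = {".DS_Store", "Thumbs.db", "desktop.ini"}

_ROW = re.compile(
    r"^(?P<service>\S+)\s+(?P<pid>\d+)\s+(?P<machine>\S+)\s+"
    r"(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(?P<tz>\S+)\s+\S+\s+\S+$"
)


def parse_share_connections(text):
    """One dict per smbstatus share row: service, pid, machine, connected_at (aware UTC)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # collapse the padding smbstatus adds for single-digit days
        # The post's server reports UTC; other zones are not handled here (assumption).
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        rows.append({"service": m["service"], "pid": int(m["pid"]),
                     "machine": m["machine"], "connected_at": when})
    return rows


def parse_attack_time(s):
    """The plugin's RFC 2822-style 'Time Of Attack' string -> aware datetime."""
    return datetime.strptime(s, "%a, %d %b %Y %H:%M:%S %z")


def share_of(path, root="/mnt/user/"):
    """Share name from an Unraid user-share path such as /mnt/user/<share>/... (assumed layout)."""
    if not path.startswith(root):
        return None
    return path[len(root):].split("/", 1)[0]


def is_benign_metadata(path):
    """True for OS housekeeping files; '._*' are AppleDouble resource forks written by macOS."""
    name = path.rsplit("/", 1)[-1]
    return name in BENIGN_METADATA or name.startswith("._")


def connections_near(conns, attack_time, window=timedelta(minutes=2)):
    """Connections opened in the window leading up to the alert (a later one cannot have caused it)."""
    return [c for c in conns if attack_time - window <= c["connected_at"] <= attack_time]


def triage(attack_time_str, attacked_file, smbstatus_text, window=timedelta(minutes=2)):
    """Correlate the alert with sessions on the attacked share and classify the event."""
    attack_time = parse_attack_time(attack_time_str)
    share = share_of(attacked_file)
    near = connections_near(parse_share_connections(smbstatus_text), attack_time, window)
    on_share = [c for c in near if c["service"] == share]
    machines = sorted({c["machine"] for c in on_share})
    benign = is_benign_metadata(attacked_file)
    if benign and len(machines) == 1:
        verdict = "likely-false-positive"   # one client browsed the share and wrote metadata
    elif not on_share:
        verdict = "no-matching-connection"  # session already gone; go to the Samba logs
    else:
        verdict = "investigate"             # a real file was touched by a live session
    return {
        "share": share,
        "benign_metadata": benign,
        "machines": machines,
        "pids": sorted({c["pid"] for c in on_share}),
        "seconds_before_alert": [int((attack_time - c["connected_at"]).total_seconds()) for c in on_share],
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(ATTACK_TIME, ATTACKED_FILE, SMBSTATUS_SHARES))
```

On the post's data this reports the able-galahad share being connected five seconds before the alert by a single link-local IPv6 client (smbd PID 31553, the guest "nobody" account), and the touched file as Finder metadata. A .DS_Store write only proves that a Mac's Finder browsed the bait share; it does not prove nothing else happened, so the verdict is a prioritisation aid, and a real alert on a non-metadata filename should send you to the Samba logs for that PID.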
MrLeek (Author) Posted May 25, 2018

Yeah, thanks Squid. It's giving me the opportunity to review/consider how SMB is getting used on my server; one of my side projects is to better enable stored music instead of relying on an SMB mount. Virtually everything else is being handled by dockers...