[Script] binhex - no_ransom.sh



On 8/26/2020 at 4:33 PM, binhex said:

hmm that should work, i will do some further testing, as a possible workaround you could remove the exclude and instead use the include to only lock file types you want to have locked e.g. for ebooks *.epub, *.mobi etc.

Any further thoughts? I can't really do as suggested as the list to include would be quite long and may miss some :(

 

Here is the debug text. I can see no reason why it is not working as intended.


root@Tower:~# /mnt/user/appdata/no_ransom/no_ransom.sh --lock-files 'yes' --media-shares 'Test' --include-extensions '*.*' --exclude-extensions '*.jpg,*.opf,*.db,*.json' --debug 'yes'
[info] Running no_ransom.sh script...
[info] Checking we have all required parameters before running...
[info] Finding share that match 'Test' on disk '/mnt/disk1'...
[debug] find /mnt/disk1 -maxdepth 1 -type d -name Test
[info] Share found, processing media share '/mnt/disk1/Test' using 'chattr' recursively...
[debug] find /mnt/disk1/Test -type f  \( -name "*.*" \)  \( -not -name "*.jpg" -o -not -name "*.opf" -o -not -name "*.db" -o -not -name "*.json" \) -exec chattr +i {} \;
[info] Processing finished for disk '/mnt/disk1'
[info]
[info] Finding share that match 'Test' on disk '/mnt/disk2'...
[debug] find /mnt/disk2 -maxdepth 1 -type d -name Test
[debug] No matching media share for disk '/mnt/disk2'
[info] Processing finished for disk '/mnt/disk2'
[info]
[info] Finding share that match 'Test' on disk '/mnt/disk3'...
[debug] find /mnt/disk3 -maxdepth 1 -type d -name Test
[info] Share found, processing media share '/mnt/disk3/Test' using 'chattr' recursively...
[debug] find /mnt/disk3/Test -type f  \( -name "*.*" \)  \( -not -name "*.jpg" -o -not -name "*.opf" -o -not -name "*.db" -o -not -name "*.json" \) -exec chattr +i {} \;
[info] Processing finished for disk '/mnt/disk3'
[info]
[info] Finding share that match 'Test' on disk '/mnt/disk4'...
[debug] find /mnt/disk4 -maxdepth 1 -type d -name Test
[debug] No matching media share for disk '/mnt/disk4'
[info] Processing finished for disk '/mnt/disk4'
[info]
[info] Finding share that match 'Test' on disk '/mnt/disk5'...
[debug] find /mnt/disk5 -maxdepth 1 -type d -name Test
[debug] No matching media share for disk '/mnt/disk5'
[info] Processing finished for disk '/mnt/disk5'
[info]
[info] Finding share that match 'Test' on disk '/mnt/disk6'...
[debug] find /mnt/disk6 -maxdepth 1 -type d -name Test
[debug] No matching media share for disk '/mnt/disk6'
[info] Processing finished for disk '/mnt/disk6'
[info]
[info] Finding share that match 'Test' on disk '/mnt/disks'...
[debug] find /mnt/disks -maxdepth 1 -type d -name Test
[debug] No matching media share for disk '/mnt/disks'
[info] Processing finished for disk '/mnt/disks'
[info]
[info] no_ransom.sh script finished

 


Edited by stridemat
Link to comment
4 hours ago, binhex said:

yep it was a bug in the find syntax, i have now tested and fixed it, please pull down the latest script, see OP for details, FYI the fixed version is 1.0.1.

Looks like that has done the job. Now to double check I don’t need any further file extensions excluded and will run on my media folder. Thanks!

Link to comment
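The `[debug]` find line posted earlier in the thread joins the `-not -name` tests with `-o`. No file name matches all four patterns at once, so at least one `-not -name` is true for every file and the group excludes nothing. An added example (not the script's own code) comparing that form with an `-a`-joined group on a constructed directory, with `-print` standing in for `-exec chattr +i {} \;`:

```shell
# Constructed sample tree: one file to lock, three that should be excluded.
make_sample() {
    dir=$(mktemp -d)
    touch "$dir/book.epub" "$dir/cover.jpg" "$dir/metadata.opf" "$dir/library.db"
    printf '%s\n' "$dir"
}

# Exclusions joined with -o, as in the debug output: true for every file.
count_or_joined() {
    find "$1" -type f \( -name "*.*" \) \
        \( -not -name "*.jpg" -o -not -name "*.opf" -o -not -name "*.db" \) \
        -print | wc -l | tr -d ' '
}

# Exclusions joined with -a: a file passes only if it matches none of them.
count_and_joined() {
    find "$1" -type f \( -name "*.*" \) \
        \( -not -name "*.jpg" -a -not -name "*.opf" -a -not -name "*.db" \) \
        -print | wc -l | tr -d ' '
}

sample=$(make_sample)
echo "OR-joined selects:  $(count_or_joined "$sample") of 4 files"
echo "AND-joined selects: $(count_and_joined "$sample") of 4 files"
rm -rf "$sample"
```
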
On 6/25/2020 at 10:43 AM, jonathanm said:

I would think that if you are using UD devices for offsite physical backups, you would want to apply the immutable attribute to keep your backup media extra safe when you are accessing it for recovery purposes.

until you have updated files you're trying to backup.

Link to comment
  • 4 months later...

Truly appreciate this script. I never had problems with ransomware but heard enough stories to fear them.

Mistakes were made when I set up my shares and I used spaces in some of them; when I try to run the scripts this is the output:
 

root@Fone:~# /mnt/user/appdata/no_ransom/no_ransom.sh --lock-files 'yes' --media-shares 'short films' --debug 'yes'
[info] Running no_ransom.sh script...
[info] Checking we have all required parameters before running...
[info] Finding share that match 'short films' on disk '/mnt/disk1'...
[debug] find /mnt/disk1 -maxdepth 1 -type d -name short films
[info] Share found, processing media share '/mnt/disk1/short films' using 'chattr' recursively...
[debug] find /mnt/disk1/short films -type f  \( -name "*.*" \)   -exec chattr +i {} \;
find: ‘/mnt/disk1/short’: No such file or directory
find: ‘films’: No such file or directory
[info] Processing finished for disk '/mnt/disk1'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk2'...
[debug] find /mnt/disk2 -maxdepth 1 -type d -name short films
[debug] No matching media share for disk '/mnt/disk2'
[info] Processing finished for disk '/mnt/disk2'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk3'...
[debug] find /mnt/disk3 -maxdepth 1 -type d -name short films
[info] Share found, processing media share '/mnt/disk3/short films' using 'chattr' recursively...
[debug] find /mnt/disk3/short films -type f  \( -name "*.*" \)   -exec chattr +i {} \;
find: ‘/mnt/disk3/short’: No such file or directory
find: ‘films’: No such file or directory
[info] Processing finished for disk '/mnt/disk3'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk4'...
[debug] find /mnt/disk4 -maxdepth 1 -type d -name short films
[info] Share found, processing media share '/mnt/disk4/short films' using 'chattr' recursively...
[debug] find /mnt/disk4/short films -type f  \( -name "*.*" \)   -exec chattr +i {} \;
find: ‘/mnt/disk4/short’: No such file or directory
find: ‘films’: No such file or directory
[info] Processing finished for disk '/mnt/disk4'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk5'...
[debug] find /mnt/disk5 -maxdepth 1 -type d -name short films
[debug] No matching media share for disk '/mnt/disk5'
[info] Processing finished for disk '/mnt/disk5'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk6'...
[debug] find /mnt/disk6 -maxdepth 1 -type d -name short films
[info] Share found, processing media share '/mnt/disk6/short films' using 'chattr' recursively...
[debug] find /mnt/disk6/short films -type f  \( -name "*.*" \)   -exec chattr +i {} \;
find: ‘/mnt/disk6/short’: No such file or directory
find: ‘films’: No such file or directory
[info] Processing finished for disk '/mnt/disk6'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk7'...
[debug] find /mnt/disk7 -maxdepth 1 -type d -name short films
[info] Share found, processing media share '/mnt/disk7/short films' using 'chattr' recursively...
[debug] find /mnt/disk7/short films -type f  \( -name "*.*" \)   -exec chattr +i {} \;
find: ‘/mnt/disk7/short’: No such file or directory
find: ‘films’: No such file or directory
[info] Processing finished for disk '/mnt/disk7'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disk8'...
[debug] find /mnt/disk8 -maxdepth 1 -type d -name short films
[info] Share found, processing media share '/mnt/disk8/short films' using 'chattr' recursively...
[debug] find /mnt/disk8/short films -type f  \( -name "*.*" \)   -exec chattr +i {} \;
find: ‘/mnt/disk8/short’: No such file or directory
find: ‘films’: No such file or directory
[info] Processing finished for disk '/mnt/disk8'
[info]
[info] Finding share that match 'short films' on disk '/mnt/disks'...
[debug] find /mnt/disks -maxdepth 1 -type d -name short films
[debug] No matching media share for disk '/mnt/disks'
[info] Processing finished for disk '/mnt/disks'
[info]
[info] no_ransom.sh script finished


After running it I have verified running "lsattr /mnt/user/short\ films/" that the files are still unprotected. Can I run the script somehow without changing my share names?

Link to comment

After checking the script, it seems like adding single quotes on line 164 solves my issue reported above

From:

eval "find ${media_shares_match} -type f ${include_folders_cmd} ${include_extensions_cmd} ${exclude_folders_cmd} ${exclude_extensions_cmd} -exec ${chattr_cmd} {} \;"

 

To:

eval "find '${media_shares_match}' -type f ${include_folders_cmd} ${include_extensions_cmd} ${exclude_folders_cmd} ${exclude_extensions_cmd} -exec ${chattr_cmd} {} \;"

 

@binhex can create a pull request if you prefer

Link to comment
15 minutes ago, s0b said:

After checking the script, it seems like adding single quotes on line 164 solves my issue reported above

From:


eval "find ${media_shares_match} -type f ${include_folders_cmd} ${include_extensions_cmd} ${exclude_folders_cmd} ${exclude_extensions_cmd} -exec ${chattr_cmd} {} \;"

 

To:


eval "find '${media_shares_match}' -type f ${include_folders_cmd} ${include_extensions_cmd} ${exclude_folders_cmd} ${exclude_extensions_cmd} -exec ${chattr_cmd} {} \;"

 

@binhex can create a pull request if you prefer

excellent!, yep agreed that looks like the fix, no need for PR i can do the change now, i will let you know once it's in.

Link to comment
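Single quotes inside the `eval` string handle spaces, but a share name that itself contains a single quote would end the quoting early and the remainder would again be parsed by the shell. An added example (not part of the script; `list_lockable` and the sample share names are hypothetical) that passes the path to `find` as one argument and builds the exclusions in the positional parameters, so no `eval` is needed; `-print` stands in for `-exec chattr +i {} \;`:

```shell
# Hypothetical helper: list the files that would be locked under one share.
# Usage: list_lockable <share path> [exclude pattern ...]
# The body runs in a subshell, so its variables do not leak to the caller.
list_lockable() (
    share_path=$1
    shift
    n=$#                         # what remains are the exclude patterns
    # Append '-not -name <pattern>' for each pattern, then drop the bare
    # patterns from the front. Adjacent find tests are ANDed implicitly.
    for pat in "$@"; do
        set -- "$@" -not -name "$pat"
    done
    shift "$n"
    # "$share_path" and "$@" expand to exact arguments: spaces, quotes and
    # glob characters in them are never re-parsed by the shell.
    find "$share_path" -type f "$@" -print
)

# Constructed sample shares, one with a space and one with a single quote.
base=$(mktemp -d)
mkdir "$base/short films" "$base/kids' tv"
touch "$base/short films/a.mkv" "$base/short films/a.jpg" "$base/kids' tv/b.mkv"
list_lockable "$base/short films" '*.jpg'
list_lockable "$base/kids' tv"
rm -rf "$base"
```
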
  • 1 month later...

Has someone created a custom rm binary so you can remove some certain file? I sometimes upgrade my plex media files and I don't want to have duplicates there. So, I don't want to be looking for what drive that certain file is on and "chattr -i" plus "rm". Sure I'm not the only one looking for this script :P

Link to comment
  • 1 month later...
On 3/6/2021 at 5:36 PM, Zotarios said:

Has someone created a custom rm binary so you can remove some certain file? I sometimes upgrade my plex media files and I don't want to have duplicates there. So, I don't want to be looking for what drive that certain file is on and "chattr -i" plus "rm". Sure I'm not the only one looking for this script :P

 

I really need this. I'm tempted to do it myself even if I never did an Unraid plugin, will give it a go.

Link to comment
On 3/6/2021 at 8:36 AM, Zotarios said:

Has someone created a custom rm binary so you can remove some certain file? I sometimes upgrade my plex media files and I don't want to have duplicates there. So, I don't want to be looking for what drive that certain file is on and "chattr -i" plus "rm". Sure I'm not the only one looking for this script :P

 

 

I created some User.Scripts that call for different things so I can pin point some without locking/unlocking everything all the time so I can avoid dupes too. 

Sure you could run Chattr directly on the file and then just delete it, but honestly I get lazy and often forget code so I just make up some scripts and let them do the work. 

 

Security.Lock.Media locks

TV share and Movies share

 

Security.Unlock.Media unlocks

TV share and Movies share

 

Security.Unlock.TV unlocks

TV share

 

Security.Unlock.Movies unlocks

Movies share

 

on and on

Link to comment
1 hour ago, kizer said:

 

 

I created some User.Scripts that call for different things so I can pin point some without locking/unlocking everything all the time so I can avoid dupes too. 

Sure you could run Chattr directly on the file and then just delete it, but honestly I get lazy and often forget code so I just make up some scripts and let them do the work. 

 

Security.Lock.Media locks

TV share and Movies share

 

Security.Unlock.Media unlocks

TV share and Movies share

 

Security.Unlock.TV unlocks

TV share

 

Security.Unlock.Movies unlocks

Movies share

 

on and on

I was thinking something like a CLI command like: "rm-force" to do the job. It would be easy to implement, just find which disk contains the file remove chattr and remove.

I'm too lazy so I just do a "no_ransomware include folder" atm

Link to comment
  • 4 weeks later...

OK guys, it's been a while since i touched this script, mainly because it just works :-), small enhancement to the script, i have now added in the ability to 'lock' and 'unlock' chattr, in reality this simply changes permissions and renames the chattr binary to make it just that bit harder for any potential ransomware script to try and execute chattr to unlock media. It's switched on by default and will auto unlock on execution of the script and lock at the end, if you don't want this new functionality then you can switch this off by specifying the flag --secure-chattr 'no'.

 

link to the script in first post of this thread.

Link to comment

Nice!!!!!! I was kinda wondering if there was a better way of ensuring somebody couldn't just run chattr and remove the protection. Thank you for having the insight and willingness to do this. 

 

Just ran it across my media and seemed to work just fine. Was cool seeing the chattr binary in the logs being locked and unlocked too. 

Link to comment
Nice!!!!!! I was kinda wondering if there was a better way of ensuring somebody couldn't just run chattr and remove the protection. Thank you for having the insight and willingness to do this. 
 
Just ran it across my media and seemed to work just fine. Was cool seeing the chattr binary in the logs being locked and unlocked too. 
Glad it's working, it's odd the ideas that spring to mind whilst having a shower

Link to comment
On 5/13/2021 at 2:34 PM, binhex said:

OK guys, it's been a while since i touched this script, mainly because it just works :-), small enhancement to the script, i have now added in the ability to 'lock' and 'unlock' chattr, in reality this simply changes permissions and renames the chattr binary to make it just that bit harder for any potential ransomware script to try and execute chattr to unlock media. It's switched on by default and will auto unlock on execution of the script and lock at the end, if you don't want this new functionality then you can switch this off by specifying the flag --secure-chattr 'no'.

 

link to the script in first post of this thread.

Thanks. Seems to have worked great.

Link to comment
  • 2 weeks later...
3 hours ago, Opawesome said:

Why not share with everyone ? ;-)

 

I didn't want to clog up his Support Thread, but anyways this is what I suggested. 

 

************************************************************************

 

One idea I just had. Currently you're renaming chattr and changing its permission. Absolutely brilliant, however maybe include a variable so the user could change the rename so everybody has a totally different binary and really screw up bots/script kiddies?

 

Say default is "rchatt" and everybody that uses it will have that as their default. Anybody who knows unraid and knows how to beat it will just bake that into their code and target unraid looking to rename rchatt to chattr or will simply run Chmod +x on rchatt.

 

So I'm proposing something like the following

 

#Edit below to set your Binary name default is rchatt

Set your Binary name ="rchatt"

 

It might be one more added thing that might be borderline paranoid, but really getting obscure should really confuse somebody.

Link to comment
4 hours ago, kizer said:

@Opawesome

 

Actually looks like there already is. lol

 

readonly defaultSecureChattrRename="rttahc"

 

Looks like he's updated the script from v1.0.2 to v1.0.3 and included it. Yahoo

 

Thanks for the add binhex. ;)

 

yes i did half add it :-), so it's more obvious how it's set now but i haven't provided command line options for it yet, the reason being i got a little nervous about the following scenario:-

  • script runs and renames chattr to default rename file
  • user provides new name via the command parameter
  • script blows up, reason - because the script no longer knows the previous name of the executable so cannot find and rename it.

there is of course a reasonably simple solution to this as the rename is only temporary (ram), if the user reboots they will be back to a working system and next time the script runs it will know the name of the executable (as it hasn't been changed) and it can then use the user provided name and off it goes.

 

so either i need to keep a history of names used (tricky), or instruct the user to reboot if the executable cannot be found (easier but not ideal).

Link to comment
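One way to handle the "script no longer knows the previous name" scenario from the post above, as an added example rather than code from no_ransom.sh: record the current name in a root-only state file and fall back to the default rename and the original name when the record is missing. `rename_tool`, the state file and its location are assumptions; since the rename itself lives in RAM, the state file is assumed to live there too so that both reset together on reboot.

```shell
# Names as they appear in the thread.
ORIGINAL_NAME="chattr"
DEFAULT_RENAME="rttahc"

# Hypothetical helper: rename the tool in directory $1 to the name $2,
# using state file $3 to remember what it was called after the last run.
rename_tool() (
    bin_dir=$1; new_name=$2; state_file=$3
    current=""
    # Candidates in order: recorded name, default rename, original name.
    for candidate in "$(cat "$state_file" 2>/dev/null)" \
                     "$DEFAULT_RENAME" "$ORIGINAL_NAME"; do
        if [ -n "$candidate" ] && [ -f "$bin_dir/$candidate" ]; then
            current=$candidate
            break
        fi
    done
    if [ -z "$current" ]; then
        echo "cannot locate the renamed binary; reboot to restore it" >&2
        return 1
    fi
    [ "$current" = "$new_name" ] || mv "$bin_dir/$current" "$bin_dir/$new_name"
    # Record the new name atomically and readable by the owner only.
    umask 077
    printf '%s\n' "$new_name" > "$state_file.tmp"
    mv "$state_file.tmp" "$state_file"
)

# Constructed demo: an empty stand-in file plays the part of the binary.
demo=$(mktemp -d)
: > "$demo/$ORIGINAL_NAME"
rename_tool "$demo" "$DEFAULT_RENAME" "$demo/.state"   # first run, default name
rename_tool "$demo" "my-own-name" "$demo/.state"       # later run, user-chosen name
ls "$demo"
rm -rf "$demo"
```

The state file discloses the current name to anything that can read it, so it only preserves the speed bump against processes that are not running as root.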
