Oh oh - seems my Gentoo's been ransomwared!! Oh No!

[cboldt]

The router here directs a few ports to the honeypot, and the honeypot has no services running on those ports. Mostly an exercise in curiosity. 21, 22, 23, 110, 1433, 3306, 8086, 10000, and 12345

What are you using to scan your sshd log? Just curious. I've tried fail2ban and sshguard, and ended up composing a homebrew that taps into syslog-ng, which gives a way to direct selected messages to the "homebrew log watcher." End result is similar, an iptables ban is inserted.

[NeddySeagoon]

cboldt,

Nothing. Its key based login, non root users only.
I've thought about fail2ban and port knocking to stop the logspam but I've never got round to setting it up.

To get root, you need to log in with a key, then know the users password to use sudo.
You also need a valid username to get in in the first place, since root won't work.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[eohrnberger]

[NeddySeagoon]

eohrnberger,

I have not had a Windows install at home since early 2002, when I dumped dual boot Windows NT and Red Hat for Gentoo.
I've never used Samba, so can't comment on the possibility it was the attack vector.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[eccerr0r]

I still find it hard to believe adobe-flash was the vector, because at minimal I would also have been affected (but not as root - however regular user or root, encrypted files are encrypted files and they'd make money off of it either way.).

I have pretty much the most lax firewall policy on my main "server" - it's completely open to the outside world. I do block off a few ports like samba, cups, and portmap/rpcbind, and so far so good. I have pretty much everything else open like dns, http, sshd, imaps, sendmail, openvpn, etc. open to the world.

Knock on wood however. Don't know how long this streak will last.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[NeddySeagoon]

eccerr0r,

If flash was the vector, it depends on the website you visit, if you get attacked or not.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[eccerr0r]

Indeed it is quite true that it depends on the site visited, but I can't say that I'm anything abnormal in randomly clicking sites, including sites that may be of questionable content. Granted I do not tend to click on things not in English, that would probably be the only exception, but knowing that these ransomers tend to choose USA citizens and assume English...

I do however heed Firefox warnings and update flash fairly quickly. It may make a difference, I don't know.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[jonathan183]

[eccerr0r]

Well, if you do that, you should be able to easily segregate the vector... but what vectors have you run across and can we learn from that?

Then the other side of the coin, if it's impossible to get infected, then was the effort spent worth the time?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[lost+found]

[cboldt]

Not to sidetrack the thread too much, my "stuck at" ftp wasn't that I couldn't conjure iptables rules, it was along the lines of "if the point is to lock down outgoing packets to stifle interlopers from "calling home," that point is lost when all the unprivileged ports are opened to NEW OUTPUT packets, to service active ftp.

[lost+found]

Only related packets can get out, not new ones...
[0:0] -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -m tcp --dport 1024:65535 -j ACCEPT

[cboldt]

Ahhh, that -m helper --helper ftp is something I haven't seen or used before. It appears to check the contents of the packet or similar (maybe the calling program), and only if THAT relationship meets the criteria, is the packet allowed to pass.

Thank you.

Testing showed that this alone doesn't work. The second outgoing ftp packet, the one to a non-privileged port, is not identified as RELATED, even with your suggested iptables entry. There is more than one fix. I took the easy way out.

[cboldt]

Hahahah, LOL, and ROTFL. Locking down OUTPUT sure does make mincemeat of nmap!

Easy enough to take down the barrier as needed, as well as restore it, but the way I see it, a fairly humorous oversight relating to the ramifications of a firewall OUTPUT wall.

[eccerr0r]

I just read there exists a "ransomware" encrypter that encrypts your files but the private key that was used either never existed or is deleted... so even if you cough up the money, you still can't decrypt...

So anyone who even thinks about coughing up should at least get proof that they can decrypt or have the private key.


I do wonder if the wave of the future is to simply do privilege separation between every process, and make it hard/annoying for users to pass data between processes (as this is the whole point of privilege separation). Or we really need to find and fix the actual security holes, which I'd rather see...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[jonathan183]

I think there will be a combination of approaches, software with zero exploits is probably not achievable - at least not using methods we have at our disposal today. Something like qubes might be the approach taken in future ...

[Tony0945]

Drawing and quartering exploiters might help.

[eohrnberger]

[depontius]

[eccerr0r]

Things like android shows that even with privilege separation, one still can do lots of damage.

It seems like it's fear that we got to this state...

[Ant P.]

[1clue]

It seems that everyone else spanked you about running anything at all as root, and I'm sure you already covered that yourself. AFAIK there's no way out except complete reformat (delete/reinstall partition table too) and reformat. Might want to check for bios malware while you're at it.

Please understand this is NOT an "I told you so," I've been bitten by malware several times over the last 30 years. The old timers who tell you what you should have done have almost certainly been there before. That's why we've thought it through so thoroughly.

I might point out that the only backups which are safe vs ransomware are the ones which are:

1. Physically removed from all running hardware except during the times they're used.
   
2. Frequent enough to minimize the lost data
   
3. Complete enough to replace the data you lost
   

I might also point out that the best backups:

1. Either completely restore the device (software and all) -- complicated. Or completely restore data and custom settings, leaving software to a reinstall
   
2. Are each complete backups not relying on some prior backup
   
3. Offline media are moved to one or more physical sites not attached to the computer's site
   
4. Are NOT solely an rsync'd copy of current production. (meaning that deleted files and modified files both have an audit trail of their prior contents back through previous backups)
   
5. RAID IS NOT A BACKUP! It's an insurance policy to prevent loss of data since the most recent backup in the case of a hardware failure. It does not prevent accidental deletion or software errors.
   

Personally I keep my backups on removable SATA drives (I have a slot-loaded bay which holds a standard SATA drive at each site) without any compression or archiving. The directories I backup are readily searchable and readable on pretty much any linux box. My backup process is scripted but not automated, because I only attach the drive when I make a backup, and then immediately eject it.

[eccerr0r]

[1clue]

[eccerr0r]

However we still don't know for sure what the entry mechanism is. We know running stuff as root because we know that there may be bugs in it. This is not like driving a car in a crusher, this is like driving a car off road because the car should have been fine off road, but history as told that the manufacturer sometimes puts questionable springs and shocks on it. Without scrutinizing the car, we won't know. People who know that it's very likely that off road suspension was not installed but have no way of checking (and neither can the manufacturer), so we just drive the car on paved roads so we never lose suspension and crash because of steering failure. These are the people who don't run as root.

Running code on the native machine from within a VM is completely improper behavior... Running as root should have not been an issue, after all, VMWare needs to be run as root and you'd certainly be up in arms if running a code sequence inside the VM and suddenly your host is infected with encryption ransomware. It's not like the OP gave permission to run code that encrypts his computer. The buggy code allowed something that should have never been allowed.

I am tired of people charging money for crap software that have bugs, never mind the security bugs. It's always time to market, time to market. And people think buggy software is somehow "acceptable". No. This is bad practice and it needs to stop despite the bean counters. Can't say it's 100% their fault, it's one of these things where someone jumped, it wasn't so bad, now everyone else now needs to follow suit or be left behind.

---

Where did those other countries get the MRI machine? They could not have recuperated the cost of the machine at $5 per scan unless there perhaps was a government subsidy somewhere that you don't see. In the US someone made an investment, are only owned by a few for-profit companies, they can charge however much they want. Not an insurance issue, pure greed.

In any case, the USA is clearly a litigious society... unfortunately the underlying reason behind it is because everyone wants to be equal to everyone else. I'll leave it at that.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?