[Plugin] Ransomware Protection - Deprecated


Squid


13 minutes ago, kjoconis said:

Hey Squid,

Bait files enabled, Bait files running, shows 117160 files being monitored.

config/plugins/ransomware.bait/filelist has the list of every file monitored. If it's listed as being monitored (and you say it shows 117,000), then it should be in the appropriate folders.

You'd have to confirm via the command prompt though, e.g.:

ls /mnt/user/Movies
Edited by Squid
  • 1 month later...

So, I never had something trigger Squidbait until tonight.

Got sick of waiting for SMB network access to come around when connecting from my Mac, so I enabled AFP for the specific share I wanted to access.

After briefly listing the share contents in Finder, Squidbait kicked off and shut down access:

Ransomware Protection: 08-09-2017 21:57
Possible Ransomware Attack Detected
Possible Attack On /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.docx

While I am not entirely ruling out that some mischief is going on, I find it more likely that macOS and its incessant need to disperse dot-files all over is at work.

Anyone have insights?

Cheers,

T.

Edit: Just reset the permissions and tried accessing via AFP - triggered again. No issue when accessing over SMB apart from the horribly slow speed when listing large network shares.

Edited by t33j4y

The .DS_Store files should be created on any type of volume or share (SMB or AFP, etc) so I don't think that's it. I wonder if it's getting some file system extended attribute added, though this should not change the actual hash of the file itself. Could you ssh in and inspect a bait file before mounting it on your Mac? Try running xattr /path/to/file and see what it returns and then run it again after mounting the share on your Mac.


Can you do this? Fix the RW permissions (i.e. disable AFP), then from a console:

inotifywait --fromfile /boot/config/plugins/ransomware.bait/filelist -e move,delete,delete_self,move_self,close_write

Now re-enable AFP which you're saying gives the false trips. The command should exit. Post the output.


Disabled AFP on "offending" share.

SSH'ed in and ran the command you listed.

Re-enabled AFP

Accessed share (which triggered RP)

Output:

root@Tower:~# inotifywait --fromfile /boot/config/plugins/ransomware.bait/filelist -e move,delete,delete_self,move_self,close_write
Setting up watches.
Watches established.
/mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.docx CLOSE_WRITE,CLOSE
root@Tower:~# inotifywait --fromfile /boot/config/plugins/ransomware.bait/filelist -e move,delete,delete_self,move_self,close_write
Setting up watches.
Watches established.
/mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.pdf CLOSE_WRITE,CLOSE
root@Tower:~#

Edited by t33j4y

Output before tripping:

root@Tower:~# md5sum /mnt/user/TV\ Shows/SquidBa*
762e371d252f2575c7fe47af3d3d05f2  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.docx
1812b82cd617c7cc6acab62809a1d531  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.jpg
c5ec9350bdf66275683fc8a58b8aae85  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.pdf
a01288d5973fc030b51db2f5a0cb9f03  /mnt/user/TV Shows/SquidBanking-DO_NOT_DELETE.xlsx

Output after tripping:

root@Tower:~# md5sum /mnt/user/TV\ Shows/SquidBa*
762e371d252f2575c7fe47af3d3d05f2  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.docx
1812b82cd617c7cc6acab62809a1d531  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.jpg
c5ec9350bdf66275683fc8a58b8aae85  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.pdf
a01288d5973fc030b51db2f5a0cb9f03  /mnt/user/TV Shows/SquidBanking-DO_NOT_DELETE.xlsx

Just now, t33j4y said:

Output before tripping:

root@Tower:~# md5sum /mnt/user/TV\ Shows/SquidBa*
762e371d252f2575c7fe47af3d3d05f2  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.docx
1812b82cd617c7cc6acab62809a1d531  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.jpg
c5ec9350bdf66275683fc8a58b8aae85  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.pdf
a01288d5973fc030b51db2f5a0cb9f03  /mnt/user/TV Shows/SquidBanking-DO_NOT_DELETE.xlsx

Output after tripping:

root@Tower:~# md5sum /mnt/user/TV\ Shows/SquidBa*
762e371d252f2575c7fe47af3d3d05f2  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.docx
1812b82cd617c7cc6acab62809a1d531  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.jpg
c5ec9350bdf66275683fc8a58b8aae85  /mnt/user/TV Shows/SquidBait-DO_NOT_DELETE.pdf
a01288d5973fc030b51db2f5a0cb9f03  /mnt/user/TV Shows/SquidBanking-DO_NOT_DELETE.xlsx

Not what I was hoping for.... MD5s match before trip and after trip. Assuming that you enabled AFP on TV Shows, I'll have to get back to you in a couple of days when I can figure out why the code is failing on a close_write when the MD5 matches... >:(


Not quite sure.  It all works for me.  I can emulate your problem by simply loading one of the xlsx files into excel and then closing it without making any changes.

Sep 17 09:03:57 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBait-DO_NOT_DELETE.docx, but MD5 matches.  Checking again in 1 second
Sep 17 09:03:58 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBait-DO_NOT_DELETE.docx, but MD5 matches.  Remonitoring
Sep 17 09:03:58 Server_A root[21619]: Setting up watches.
Sep 17 09:03:58 Server_A root[21619]: Watches established.
Sep 17 09:04:08 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBanking-DO_NOT_DELETE.xlsx, but MD5 matches.  Checking again in 1 second
Sep 17 09:04:09 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBanking-DO_NOT_DELETE.xlsx, but MD5 matches.  Remonitoring
Sep 17 09:04:09 Server_A root[21740]: Setting up watches.
Sep 17 09:04:09 Server_A root[21740]: Watches established.

It saw that a CLOSE_WRITE happened, the MD5s matched, it checked again and they still matched, so it ignored the event and started the monitoring back up again. Then Excel triggered it immediately again and the same thing happened; after that the file activity stayed stable, and the "attack" was ignored.

Edited by Squid
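The decision rule Squid describes above (a triggering inotify event is only an alert if the bait file's MD5 no longer matches the baseline, and a matching hash is rechecked once after a second before the watch is re-armed), as an added example that is not the plugin's own code. The real plugin drives this from inotifywait; here the event string is passed in by hand, the one-second delay is a parameter so the scenario runs instantly, and the two bait files, their contents and the function names are constructed for the demonstration. The demo contrasts the thread's false positive (a file opened read-write and closed with no byte changed, which still raises CLOSE_WRITE on Linux) with a content-replacing overwrite.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass, field

# Event names as inotifywait prints them, restricted to the events the plugin's
# command line watches: move, delete, delete_self, move_self, close_write.
TRIGGER_EVENTS = {"CLOSE_WRITE", "MOVED_FROM", "MOVED_TO",
                  "DELETE", "DELETE_SELF", "MOVE_SELF"}


def md5_of(path):
    """MD5 hex digest of a file, or None if it no longer exists (deleted/moved)."""
    if not os.path.exists(path):
        return None
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bait_paths):
    """Snapshot the hashes of all bait files when monitoring starts."""
    return {p: md5_of(p) for p in bait_paths}


@dataclass
class Verdict:
    path: str
    action: str            # "alert" (shut down access) or "remonitor" (re-arm watch)
    reason: str
    log: list = field(default_factory=list)   # syslog-style lines, as in Squid's excerpt


def classify_event(baseline, path, event_mask, recheck_delay=1.0):
    """Apply the thread's rule to one inotifywait event line for a bait file."""
    events = set(event_mask.split(","))
    if not events & TRIGGER_EVENTS:
        return Verdict(path, "remonitor", "not a triggering event")
    expected = baseline[path]
    if md5_of(path) != expected:
        return Verdict(path, "alert", "MD5 changed or file missing")
    log = ["ransomware protection:Event on %s, but MD5 matches.  Checking again in 1 second" % path]
    time.sleep(recheck_delay)           # give a legitimate app time to finish writing
    if md5_of(path) != expected:
        return Verdict(path, "alert", "MD5 changed on recheck", log)
    log.append("ransomware protection:Event on %s, but MD5 matches.  Remonitoring" % path)
    return Verdict(path, "remonitor", "content unchanged", log)


def demo():
    """Constructed scenario: one bait file is opened and closed unchanged,
    one is overwritten. Returns the two actions plus the verdict for a delete."""
    with tempfile.TemporaryDirectory() as d:
        touched = os.path.join(d, "SquidBait-DO_NOT_DELETE.docx")
        overwritten = os.path.join(d, "SquidBanking-DO_NOT_DELETE.xlsx")
        for p in (touched, overwritten):
            with open(p, "wb") as f:
                f.write(b"constructed bait content: " + os.path.basename(p).encode())
        baseline = build_baseline([touched, overwritten])

        # Excel/Finder-style access: opened for writing, closed without changing a byte.
        # Linux still reports CLOSE_WRITE for this, which is the false trip in the thread.
        with open(touched, "r+b"):
            pass
        v_touch = classify_event(baseline, touched, "CLOSE_WRITE,CLOSE", recheck_delay=0)

        # Content-replacing overwrite: the hash no longer matches the baseline.
        with open(overwritten, "wb") as f:
            f.write(b"REPLACED-CONTENT" * 4)
        v_overwrite = classify_event(baseline, overwritten, "CLOSE_WRITE,CLOSE", recheck_delay=0)

        # Deletion of a bait file: md5_of returns None, which never matches.
        os.remove(touched)
        v_delete = classify_event(baseline, touched, "DELETE", recheck_delay=0)

        return v_touch.action, v_overwrite.action, v_delete.action


if __name__ == "__main__":
    print(demo())
```

The one-second recheck is what lets the plugin ride out the Excel case in Squid's log: the first CLOSE_WRITE is swallowed, the watch is re-armed, and only a file whose bytes actually differ from the baseline produces an alert.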
  • 2 weeks later...
On 1/1/2017 at 8:07 AM, Squid said:

- Added ability to hide the bait files.  Pretty much requires you to stop the service, delete the bait files, then recreate.

- Due to a technical problem, the 4 base bait files in the root folder of each bait share cannot at this time be hidden.


Hide "dot" files has to be enabled in Settings - SMB settings for this to work.

When I first enabled your plugin, I did not realize I had that SMB setting disabled. I'm only running bait files at the root of all my shares. After disabling the plugin and deleting bait files, I stopped the array, turned on hide dot files in SMB settings and re-enabled the plugin. Those bait files are still visible and show hidden files in Windows Explorer is not checked. When you say, "Due to a technical problem, the 4 base bait files in the root folder of each bait share cannot at this time be hidden." does that mean all shares or just the bait share created by the plugin? Thanks much!

9 minutes ago, geonerdist said:

When I first enabled your plugin, I did not realize I had that SMB setting disabled. I'm only running bait files at the root of all my shares. After disabling the plugin and deleting bait files, I stopped the array, turned on hide dot files in SMB settings and re-enabled the plugin. Those bait files are still visible and show hidden files in Windows Explorer is not checked. When you say, "Due to a technical problem, the 4 base bait files in the root folder of each bait share cannot at this time be hidden." does that mean all shares or just the bait share created by the plugin? Thanks much!

I don't recall the exact technical problem, but it is only the bait shares IIRC.

4 minutes ago, Squid said:

I don't recall the exact technical problem, but it is only the bait shares IIRC.

Hmm, any ideas why I still see the bait files when browsing my shares then? I did forget to say that I did select to hide the bait files when I set up the plugin too. I'm also on the current version of unRAID and the plugin.


Edited by geonerdist