Ransomware attack: 0XXX virus

  • The problem:

    My NAS server was attacked last week by the 0XXX ransomware virus, which is asking for a reward for my encrypted files.

    My files were not very important and I still have physical copies of them on devices that are not connected to the network.

    I also find it interesting to understand how the attack could be carried out, including knowing how to improve security without losing connectivity.


    Important settings:

    • The infected folder in question had SMB/CIFS enabled.
    • The server can be accessed remotely if you have the IP or domain name.
    • SSH is active.
    • All default passwords have been replaced with strong and secure passwords.


    Extra information:

    • None of my PCs that could connect to the server were infected.
    • Only the shared folder on the NAS was infected, the rest of the OS is fine.
    • Anyway, I decided to delete the shared folder and format it; then I will re-enable the shared folder, put some test files in it and leave it like that for some time to see if the attack happens again after taking better security measures.
    • As a matter of convenience, I would like to be able to continue accessing my server from abroad and be able to use SMB/CIFS on my local network.

    You can ask me any question.

    • Official post

    Important settings:

    • The infected folder in question had SMB/CIFS enabled.
    • The server can be accessed remotely if you have the IP or domain name.
    • SSH is active.
    • All default passwords have been replaced with strong and secure passwords.


    How did you secure this? Were you just forwarding ports in your router and not getting security certs?


    Also, what version of OMV? Personally, if it were me, I'd back up what is known good, completely format that box including data drives, and start over. The fact you mentioned SMB was enabled makes me wonder if a client wasn't compromised, rather than the server.

  • As you say, there is a port redirection to my NAS server to be able to access it from the outside.


    For example: My NAS server does not have the SSL certificate configured.

    It doesn't have the "s" in http when you try to log in from port 80.


    If you try to connect via SFTP you will need a username and password, ditto if you try to connect via SSH. The root password is quite strong and secure.

    • Official post

    Well, that's a very big issue there. You were basically typing your passwords and usernames in unencrypted. No offense, but in this scenario you were begging to get hit.


    My suggestion would be learning how to set up services and putting those services through a reverse proxy, either through a free domain (duckdns) or a domain you purchase.


    Edit: And in case I was not abundantly clear... close those ports.

  • I appreciate you being honest.


    Now I can see my security flaw more clearly: basically I was exposed to being sniffed on open ports, and the moment I entered the password it could easily be leaked.


    It surprises me that they haven't attacked the server itself. My configurations and other aspects of the server, such as the Portainer/Docker service, were not touched at all.


    Anyways...


    I need to learn a few things and work on improving the security of my NAS server.


    In the worst case, closing the ports is always safest, but that means losing external access.


    I'll leave the thread open in case anyone wants to add anything else.

    • Official post

    Remote access can be done securely, it just has to be done properly. As a general rule, giving access to absolutely everything the way you did is probably not a good idea. Learn to set up services.


    For example, if you want to stream movies, learn to set up Plex/Emby/Jellyfin.


    If you want a self hosted cloud service, same process with Nextcloud.


    If you want a self hosted Music server, same thing for airsonic, navidrome, etc.


    Then once you've set those services up locally, learn to reverse proxy them through either a free domain (duckdns.org) or a domain you purchase. Domains can be had very cheaply (10-12 bucks a year as long as you're not adding a bunch of extras... which, if you do things correctly, you don't need). This of course assumes you have a static IP, but even that is relatively easy to overcome.

    • Official post

    The infected folder in question had SMB/CIFS enabled.
    None of my PCs that could connect to the server were infected.
    Only the shared folder on the NAS was infected, the rest of the OS is fine.

    I would almost guarantee that point #2 is not correct because of #1 and #3. If the ransomware was running on Linux/OMV, it would not have just selected a single cifs enabled directory. But I have seen ransomware running on Windows that encrypted everything on a cifs share because it had access. Lots of ransomware will sniff out cifs shares on the network and try to encrypt them.

  • In fact, I think that the most likely way of contagion was from Windows to the NAS. But my PCs don't have encrypted files in other places. I purposely did scans with Windows Defender after realizing what happened.


    My strongest theory of what happened is that maybe in the files that I transferred to the NAS there was some ransomware, now, how did it run? I really do not know. But it is the only infected folder on my systems, the shared folder on the NAS.


    And to bring you up to date a bit, I decided that when I have free time I'm going to study everything Coca Cola's linux told me to improve the security on my NAS. I will also scan the files before transferring them to the NAS.

    • Official post

    In fact, I think that the most likely way of contagion was from Windows to the NAS. But my PCs don't have encrypted files in other places. I purposely did scans with Windows Defender after realizing what happened.


    My strongest theory of what happened is that maybe in the files that I transferred to the NAS there was some ransomware, now, how did it run? I really do not know. But it is the only infected folder on my systems, the shared folder on the NAS.


    And to bring you up to date a bit, I decided that when I have free time I'm going to study everything Coca Cola's linux told me to improve the security on my NAS. I will also scan the files before transferring them to the NAS.

    Oh, and more to the point rather than how lovely my night has been..


    Did you have guest access read/write on your smb shares, or did you require a username/password to access the shares?

  • Did you by any chance open port 445 or other smb ports to the internet?

    So the infected PC is somewhere in the internet?


  • Did you have guest access read/write on your smb shares, or did you require a username/password to access the shares?

    Well I'm going to start by responding to red Linux.


    No username or password was requested. You just configured "connect to a network device", put in the local IP, and that's it, you accessed the resource directly.


    If you were trying to connect to the share from the internet you would need to use SFTP and in that case it did ask for a username and password.

  • Did you by any chance open port 445 or other smb ports to the internet?

    So the infected PC is somewhere in the internet?

    You just asked a very interesting question. I started to look at the configuration of my modem, and indeed port 445 was open.


    A scan with nmap might have detected it.


    Is there a chance that a ransomware virus was planted on my share directly from the internet, without going through SFTP?

    • Official post

    You just asked a very interesting question. I started to look at the configuration of my modem, and indeed port 445 was open.


    A scan with nmap might have detected it.


    Is there a chance that a ransomware virus was planted on my share directly from the internet, without going through SFTP?

    Man... did you follow a "tutorial" or something, or were you just blazing through doing this on your own?


    You need to go through your router and close/delete any port forwarding/triggering option you added and forwarded to your server. I don't think I've ever heard someone say they forwarded port 445.


    Assuming you have Wifi, does it have a password, or is it open too?

  • Man... did you follow a "tutorial" or something, or were you just blazing through doing this on your own?


    You need to go through your router and close/delete any port forwarding/triggering option you added and forwarded to your server. I don't think I've ever heard someone say they forwarded port 445.


    Assuming you have Wifi, does it have a password, or is it open too?

    All the network configuration of my server I did on my own. At this time I closed all ports from the internet to my server. Now the server is safe.


    Yes, I have wifi at home, and yes, it has a password, with WPA2 encryption.


    Also the server is connected by UTP cable.

  • You just asked a very interesting question. I started to look at the configuration of my modem, and indeed port 445 was open.


    A scan with nmap might have detected it.


    Is there a chance that a ransomware virus was planted on my share directly from the internet, without going through SFTP?

    You opened a public smb share (no password) to the internet on a standard port.

    Did you expect no one to follow your invitation?


    Next step is to check all other computers in your network, maybe even reinstall.

    If you can not rule out some as not affected, consider all as compromised.


    Lots of work to do...

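    An added example, not code from this thread or from OpenMediaVault: a small audit of a Samba smb.conf that flags the share setup described above (guest access with write permission, plus a global "map to guest" that turns failed logins into guest sessions), which is what lets anything that can reach TCP 445 encrypt the share. The smb.conf text, share names and paths are constructed for the demo.

```python
import configparser
import io

# Constructed smb.conf for the demo (not the poster's real configuration).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[backup]
   path = /srv/data/backup
   guest ok = yes
   read only = no
[documents]
   path = /srv/data/docs
   public = yes
[private]
   path = /srv/data/private
   valid users = alice
   writeable = yes
"""

YES = {"yes", "true", "1"}

def _flag(section, *names, default="no"):
    # The listed names are Samba synonyms; for an audit, any of them being set is enough.
    for name in names:
        if name in section:
            return section[name].strip().lower() in YES
    return default in YES

def audit_smb_conf(text):
    """Return (share, problem) tuples for definitions that allow unauthenticated access."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    # smb.conf indents its keys; flatten them so configparser does not read them as continuations.
    parser.read_file(io.StringIO("\n".join(line.strip() for line in text.splitlines())))
    findings = []
    if parser.has_section("global") and parser["global"].get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "map to guest: failed logins fall through to the guest account"))
    for share in (name for name in parser.sections() if name != "global"):
        s = parser[share]
        guest = _flag(s, "guest ok", "public")
        # "read only = yes" is Samba's default; writable/writeable are its inverse.
        writable = _flag(s, "writable", "writeable") or not _flag(s, "read only", default="yes")
        if guest and writable:
            findings.append((share, "guest-writable: anything reaching TCP 445 can encrypt it"))
        elif guest:
            findings.append((share, "guest-readable: contents exposed without a password"))
    return findings
```

    Running `audit_smb_conf(SAMPLE_SMB_CONF)` reports the global fallthrough, the guest-writable [backup] share and the guest-readable [documents] share, and stays silent on [private], which requires a named user.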

    • Official post

    I tend to agree with this. What you did was so egregious that you should seriously consider factory resetting any device on that network.

  • DingoFur

    Added the label "solved".
