Begin Venting!!
Urgfh!!
Spent the last 3 hours cleaning my servers from Malware!!
Somehow my Ubuntu Plex Media server got infected with a stupid ransomware “MARS-Encrypt”
Caught it mid-flow in my “Music” and “Movies” folder, so managed to kill the process, but it’s using pub-key encryption rather than one-time, so decrypting those files is a lost cause. But luckily 90% of the files I can easily recover from backups, it’s the last 10% that’s going to be a pain!!
Think it was probably my fault, as some of the Media folder permissions are messed up to allow everyone read/write (this was due to an annoying Android media player I used to have; it needed full read-write and I never changed it when it died last year!). Yup, I’m a total idiot!
Any-hoo, spent the last few hours making sure all my other servers (including my Storj Nodes!!!) were virus free with a good scan with ClamAV. Then resetting my routers back to defaults and going through the setup procedures again. I think I’ll be spending all Sunday going over my Network Security settings with a fine-tooth comb, doing a full audit and changing a LOT of passwords.
There goes my relaxing weekend!
tl;dr:
People, remember to check your network security and do a virus/malware scan every so often.
Think I got it from an infected website (I was checking out sites to get a bag or 2 of bespoke coffee beans roasted for my birthday at the end of the month!).
I checked my history and I visited a few WordPress sites around the time the encrypt malware started. I’ve reported it to the webmasters of the suspected sites in the vain hope something gets done!
That sucks even more… I guess nowadays you need to use a sandbox just to surf the web… But why would you be surfing the web on your Plex server, or is that a shared machine that you use for everything?
It’s an sshfs-mounted share.
My local machine does not have a lot of room, so I’ve mounted a share from my Media server for general storage at the moment. The Plex Media Folders are in the same location so that’s why they got hit.
Running Firefox.
By the looks of it, it was an infected WordPress site. It started running as soon as the site was loaded and it was kept in memory once the browser closed.
Was removed by simply rebooting the machine. But the damage was done by the time I noticed it.
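Two checks for the situation described in this thread, added here as an example and not posted by anyone in it: the first finds (and optionally fixes) the everyone-read/write media directories the OP blamed, the second lists running processes whose executable no longer exists on disk, which is how a memory-resident process that vanishes on reboot typically shows up. It assumes a Linux host with GNU find and a mounted /proc; directory names are constructed in the usage at the bottom.

```shell
#!/bin/sh
# Constructed audit helpers for a Linux media server (not from the thread).

# List every directory under $1 that any user on the box can write to.
# This is the "allow everyone read/write" state the OP described.
find_world_writable() {
    find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# Remove the world-write bit from every directory under $1, leaving the
# owner and group permissions untouched (so Plex's own user keeps access).
fix_world_writable() {
    find "$1" -type d -perm -o+w -exec chmod o-w {} + 2>/dev/null
}

# List running processes whose executable has been deleted from disk.
# /proc/<pid>/exe then resolves to "<path> (deleted)"; a process that
# survives closing the browser but not a reboot often looks like this.
# Processes of other users are skipped silently (readlink is not permitted).
list_deleted_exe_procs() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *"(deleted)")
                pid=${exe#/proc/}
                pid=${pid%/exe}
                printf '%s %s\n' "$pid" "$target"
                ;;
        esac
    done
}

# Usage (constructed paths): audit a media share, then look for orphaned processes.
# find_world_writable /srv/media
# fix_world_writable /srv/media
# list_deleted_exe_procs
```

Run the audit as the user that owns the share (or root); a non-empty result from the third function is a lead to investigate, not proof of infection, since legitimately upgraded daemons also show "(deleted)" until restarted.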
Yep this seems like pretty big security bug. Report it.
I would’ve had the same happen to me, I wouldn’t expect it possible so easily. I do use Chrome though.
Agreed, it looks very suspicious to be able to get infected just by browsing a website.
@S0litiare would you be able to reproduce the infection within a VM? It feels to me like it’d be worth trying to narrow down the issue and reproduce it before reporting it to the Mozilla team if it is confirmed.
That’s not exactly a real worry. As far as I know those vulnerabilities have never been actually used in an attack. Nor are they easy to exploit. These things go for low hanging fruit. They will definitely not attempt a VM escape.
But if it did indeed happen the way you described, make sure your browser is up to date. That should never be allowed to happen.
I was kidding about silicon bugs, but they’re still there…
Definitely go for low hanging fruit before anything else. Browser VM/container/sandbox escape is definitely a vastly more widespread and critical thing. If they even use such protection.