Huge 1Di0T error today

Begin Venting!"!
Urgfh!!
Spent the last 3 hours cleaning my servers from Malware!!
Somehow my Ubuntu Plex Media server got infected with a stupid ransomware “MARS-Encrypt”

Caught it mid-flow in my “Music” and “Movies” folders, so managed to kill the process, but it’s using pub-key encryption rather than one-time so decrypting those files is a lost cause. But luckily 90% of the files I can easily recover from Backups; it’s the last 10% that’s going to be a pain!!

Think it was probably my fault as some of the Media folder permissions are messed up to allow everyone read/write (this was due to an annoying Android media player I used to have; it needed full read-write and I never changed it when it died last year!). Yup, I’m a total Idiot!

Any-hoo, spent the last few hours making sure all my other servers (including my Storj Nodes!!!) were virus free with a good scan with ClamAV. Then resetting my Routers back to defaults and going through the setup procedures again. I think I’ll be spending all Sunday going over my Network Security settings with a fine-tooth comb, doing a full audit and changing a LOT of passwords :smiley:

There goes my relaxing weekend!

tl;dr :
People, remember to check your network security and do a virus/malware scan every so often.

7 Likes
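The post above blames world-writable media folders left over from an old Android player. The script below is an added example (not from the original poster, and not Plex or Storj tooling) of how to audit a media tree for entries that any local process can write to, and how to drop just the world-write bit without touching owner or group permissions. It builds a small constructed demo tree under a temporary directory; `MEDIA_ROOT` is an assumed placeholder for a real path such as a Plex library folder.

```shell
#!/bin/sh
# Added example: find and tighten world-writable entries under a media tree.
# Uses only POSIX find/chmod so it works on Ubuntu's dash as well as bash.

# Print every file or directory under $1 whose "others" write bit is set.
# -perm -002 matches when the o+w bit is present; symlinks are skipped
# because chmod on a link would follow it to the target.
find_world_writable() {
    find "$1" -perm -002 ! -type l -print
}

# Number of world-writable entries under $1 (0 when the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the world-write bit from every matching entry under $1.
# Owner and group permissions are left exactly as they were, so a media
# server running as its own user keeps whatever access it already had.
fix_world_writable() {
    find "$1" -perm -002 ! -type l -exec chmod o-w {} +
}

# Constructed demo tree mirroring the post: two library folders that were
# chmod 777'd for an old player, one world-writable file, one sane file.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Music" "$root/Movies"
    : > "$root/Music/track.flac"
    : > "$root/Movies/film.mkv"
    chmod 777 "$root/Music" "$root/Movies"   # world-writable directories
    chmod 666 "$root/Music/track.flac"       # world-writable file
    chmod 644 "$root/Movies/film.mkv"        # correct: owner writes, others read
    printf '%s\n' "$root"
}

# Stand-alone run: report (but do not modify) the tree at MEDIA_ROOT,
# falling back to the constructed demo tree when MEDIA_ROOT is unset.
if [ -z "${MEDIA_ROOT:-}" ]; then
    MEDIA_ROOT=$(make_demo_tree)
fi
echo "World-writable entries under $MEDIA_ROOT:"
find_world_writable "$MEDIA_ROOT"
echo "Total: $(count_world_writable "$MEDIA_ROOT")"
```

Run it with `MEDIA_ROOT=/path/to/media sh audit.sh` to get a report first; only call `fix_world_writable` once you have confirmed nothing on the list genuinely needs world write (a client that needs write access should run as a user in the media group, not rely on `o+w`). The same `find -perm -002` check is worth scheduling after the cleanup so a future app or mount option cannot quietly reopen the hole.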

</End Venting> tag missing from the post :nerd_face:

2 Likes

This is why I like to run files that I have no idea what they are in a VM I don’t really care about, or run them in a sandbox…

1 Like

I was not opening any dodgy executable/scripts!! :wink:

Think I got it from an infected website (I was checking out sites to get a bag or 2 of bespoke coffee beans roasted for my Birthday at the end of the month!).

I checked my history and I visited a few WordPress sites around the time the encrypt malware started. I’ve reported it to the webmasters of the suspected sites in the vain hope something gets done!

1 Like

I’m giving it till tomorrow before I end the venting!! lol!!

Just in case it comes back!

2 Likes

That sucks even more… I guess nowadays you need to use a sandbox just to surf the web… But why would you be surfing the web on your Plex server, or is that a shared machine that you use for everything?

1 Like

It’s an sshfs mounted share.
My local machine does not have a lot of room, so I’ve mounted a share from my Media server for general storage at the moment. The Plex Media Folders are in the same location, so that’s why they got hit.

Ahh, I got you. Sucks though; I’m a very paranoid person, now I’m even more so because I didn’t even know Ubuntu could be affected by this virus…

By the looks of it, as it’s running in the browser it can grab a Linux executable script to dump itself into memory.

Then it just tries to access every folder it can, and starts encrypting!

You got infected by simply opening a website in a browser on Ubuntu? What browser was it?

Running Firefox.
By the looks of it, it was an infected WordPress site. It started running as soon as the site was loaded and it was kept in memory once the browser closed.

Was removed by simply rebooting the machine. But the damage was done by the time I noticed it.

1 Like

How could a website (that is, some JavaScript) access anything on the computer file system?
That’s supposed to be impossible.

What’s described here looks like a massive security flaw if it really is what happened :confused:

Yep, this seems like a pretty big security bug. Report it.
I would’ve had the same happen to me; I wouldn’t expect it to be possible so easily. I do use Chrome though.

Agreed, it looks very suspicious to be able to get infected just by browsing a website.

@S0litiare would you be able to reproduce the infection within a VM? It feels to me like it’d be worth trying to narrow down the issue and reproduce it before reporting it to the Mozilla team if it is confirmed.

Inb4 it escapes the browser and then proceeds to escape VM containment due to Spectre/Meltdown and/or further silicon bugs. :joy:

That’s not exactly a real worry. As far as I know those vulnerabilities have never been actually used in an attack. Nor are they easy to exploit. These things go for low hanging fruit. They will definitely not attempt a VM escape.

But if it did indeed happen the way you described, make sure your browser is up to date. That should never be allowed to happen.

I was kidding about silicon bugs, but they’re still there…
Definitely go for low hanging fruit before anything else. Browser VM/container/sandbox escape is definitely a vastly more widespread and critical thing. If they even use such protection.