Importance of Snapshots and hard drive image backups (TROJAN nailed my network!)

Status
Not open for further replies.

asw2012

Contributor
Joined
Dec 17, 2012
Messages
182
2 days ago my 9 yr. old son unknowingly clicked on a popup from either one of those .io games or through Roblox somehow. I don't know exactly where it came from, but he clicked it and WHAM... all files on my computer, networked computers and my shared FreeNAS folders got locked/encrypted (*.locked extension) with the txt file that I took a snapshot of (attached). Luckily I almost immediately noticed because the movie I was watching on EMBY stopped playing - because those files got nailed too! Did some digging, found the files (*.locked) and that txt file at that time.

Immediately unplugged my cable modem and router so that the virus/trojan couldn't spread any further, then unplugged all RJ45 router connections - but the damage was already done. Well, also, unfortunately, part of the shared folders on my FreeNAS box were the Acronis backups that I do 1x a week on all of my computers. Those were all inaccessible (*.locked).

So, turned my router on, used an old laptop that was not plugged in at the time, got access to my FreeNAS GUI, reverted to the snapshots I took 3 days earlier. I take 2x snapshots per week on everything :) - all files on my FreeNAS box are OK now - including the important Acronis backups :)

Transferred my Acronis backups to my 2TB portable. Booted up each computer with the Acronis, restored all hard drives and about 6 hours later, up and running like nothing ever happened, with the exception of the 3 days of lost info (not a big deal).

Even if those steps did not work, I use Backblaze for offsite backups. It would have taken much more time, but I still would have saved all of my computers and FreeNAS storage.

All the while I was doing this, I showed my 9yr old son all of the steps I took above and made sure he understood (for the most part). He now knows not to click on funny stuff anymore - AND he knows the consequences!
 

Attachments: 20200710_121143.jpg

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
893
I wish I could suggest something that might have further reduced the chances of getting stung. Possibly a firewall block on certain address suffixes, certain IPs or IP ranges, should those locations resolve to known trouble addresses. I know that OPNsense had some options, which I now just checked, perhaps clamav? I have been the primary and almost exclusive user of my LAN and I do not use Windows, so probable threats like yours would not test anything I might set up, so I cannot say much of anything about clamav. Maybe an IP whitelist might be most effective, though even that could be skirted via google searches I think.

Regardless of possible other preventive measures, it's great to hear that backups via FreeNAS saved your bacon and pork loin.
 

asw2012

Contributor
Joined
Dec 17, 2012
Messages
182
I have actually been fooling around with pfSense lately on a test box I threw together about 1 month ago. Going to implement this sooner rather than later.
 
Joined
Sep 13, 2014
Messages
149
It's this kind of story that lessens the pain of having just plumped for a new server + disks.

I have actually been fooling around with pfSense lately on a test box I threw together about 1 month ago. Going to implement this sooner rather than later.

Be sure to check out pfBlockerNG-devel, it's blocked so much stuff since I've been using it and it's only caused a small handful of issues that took at most five minutes to fix from login to logout. I also really like Snort but it takes a little bit more fine tuning of whitelists / suppress lists.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
@asw2012 Nice one :] Did you send them a big "F*CK YOU, I've restored all my data anyway :D"

"There are two kinds of people: those who backup snapshot and those who have never lost all their data"

On topic ... I have similar setup.
- On the PC side I have weekly full backups in the middle of the night (auto-wakeup from hibernation) plus daily incremental backups in the evening (quick and basically unnoticeable backups) but only if the PC is running (=changes were made). If the backup is missed it auto-starts upon next boot.
- On the FreeNAS side I have daily/weekly snapshots with an appropriate retention period. So basically I can "lose" up to one day if some cryptocrap wrecks my workstation right before the daily backup - nothing dramatic.
- And on the network level I have pfSense with active pfBlockerNG and most of the anti-crypto lists active.
- Oh and I have ESET Smart Security which has quite suitable protection as well ... but that is more like a cherry on the top in this case :]
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
With all the stuff I've done here, I have yet to implement snapshots though, sounds like a really good idea.
 
Joined
Sep 13, 2014
Messages
149
- Oh and I have ESET Smart Security which has quite suitable protection as well ... but that is more like a cherry on the top in this case :]

"No antivirus is as good as common sense. Just don't do anything shady and you don't have to worry"
- some internet moron

Are there any block lists you'd recommend?

With all the stuff I've done here, I have yet to implement snapshots though, sounds like a really good idea.

Oh, so that's what the "Eek" emoji is for!

:eek:
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Couple of things came out of today that I will ask later about.

For one, I discovered my honeypot had cratered. The Raspberry Pi 3B it ran on now features a failed eth0, so off it goes to the dumpster. Honeypi is now allegedly Buster compatible, so I redid the whole thing from the ground up (i.e. starting with a blank flash card) and found it won't work due to some iptables issue (grr). Will have to bother the author, I guess, or switch to a different honeypot package.

Also discovered that I managed to bork my FreeNAS from being able to report issues via email. Turns out that the edgerouter firewall needs to have more than port 587 open in order for the FreeNAS to send email (error 65, no route to host even though the FreeNAS can resolve the gmail smtp servers just fine from the shell, weird!). But that's for another thread.

Anyhow, will learn about snapshots this weekend. I should have more than enough space here for them.
 
Joined
Jan 4, 2014
Messages
1,644
... all files on my computer, networked computers and my shared FreeNAS folders got locked/encrypted (*.locked extension) with the txt file that I took a snapshot of (attached).
Isolated to SMB shares?
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
Are there any block lists you'd recommend?

I have these from pfBlockerNG/feeds list:
Code:
- PRI1 (all except Pulsedive)
- PRI2 (Note that the Alienvault is a bit aggressive, see below)
- Abuse_PS
- EasyList (EasyPrivacy, EasyList_Adware, EasyList_Czech_Slovak)
- ADs (all)
- Malicious (all)
- hpHosts (Sadly they're dead so I will keep the last lists locally till I start facing false positives)
- Malicious2 (only "Steven Black" feed)
- Cryptojackers (all)

I faced a few false positives so I had to whitelist the following in DNSBL Whitelist:
Code:
.googlesyndication.com
.amzn.to
.trellocdn.com
.sevenforums.com
.imgur.com
.ea.com
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Personally I think it's now quite important to evaluate how in hell's name that trojan was able to get this much access.

1. Do you have a separate kids VLAN? If not, it isn't a bad idea
2. Is the management VLAN separated from the share VLAN? If not, why not?
3. Why are your movies RW shared? Maybe set up a dropbox that moves/processes movies after being dropped
4. I would suggest daily snapshots that get deleted after 2 weeks, weekly snapshots that get deleted after a few months and monthly snapshots that get deleted after a year.
5. Are your shares password protected? If not: why not?
 
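As an added example (not code from this thread, from FreeNAS or from pfSense), a small retention planner that implements the snapshot tiers HolyK and ornias describe above: dailies kept two weeks, weeklies a few months, monthlies a year. It assumes automatic snapshots are named dataset@auto-YYYY-MM-DD, treats the 1st-of-month snapshot as the monthly and the Monday snapshot as the weekly, and only prints the zfs destroy commands so it can be reviewed before anything is removed.

```python
"""Snapshot retention planner (dry run): decide which auto-snapshots have aged out."""
from datetime import date
import re

# Assumed naming scheme for the periodic snapshot task: dataset@auto-YYYY-MM-DD
SNAP_RE = re.compile(r"^(?P<dataset>[^@]+)@auto-(?P<date>\d{4}-\d{2}-\d{2})$")

# Days to keep each tier, chosen to match the suggestion in the thread
RETENTION = {"daily": 14, "weekly": 90, "monthly": 365}


def tier_of(taken: date) -> str:
    """The snapshot from the 1st of a month is the monthly, a Monday one the weekly."""
    if taken.day == 1:
        return "monthly"
    if taken.weekday() == 0:
        return "weekly"
    return "daily"


def plan_prune(snapshots, today):
    """Return (keep, destroy). Unmanaged snapshots and the newest snapshot of each
    dataset are always kept, so a NAS whose snapshot task silently stopped
    months ago cannot prune itself down to zero restore points."""
    newest, parsed = {}, []
    for name in snapshots:
        m = SNAP_RE.match(name)
        if not m:                      # manual/unmanaged snapshot: never auto-destroy
            parsed.append((name, None, None))
            continue
        taken = date.fromisoformat(m["date"])
        parsed.append((name, m["dataset"], taken))
        if m["dataset"] not in newest or taken > newest[m["dataset"]][1]:
            newest[m["dataset"]] = (name, taken)
    keep, destroy = [], []
    for name, dataset, taken in parsed:
        if taken is None or newest[dataset][0] == name:
            keep.append(name)
            continue
        expired = (today - taken).days > RETENTION[tier_of(taken)]
        (destroy if expired else keep).append(name)
    return keep, destroy


# Constructed sample, not real `zfs list -t snapshot` output
SAMPLE = [
    "tank/media@auto-2020-07-11", "tank/media@auto-2020-07-10", "tank/media@auto-2020-06-29",
    "tank/media@auto-2020-06-25", "tank/media@auto-2020-05-04", "tank/media@auto-2020-04-06",
    "tank/media@auto-2020-03-01", "tank/media@auto-2019-06-01",
    "tank/backups@auto-2019-12-25", "tank/media@manual-before-upgrade",
]


def demo():
    """Plan the prune as of a constructed 'today' (2020-07-12)."""
    return plan_prune(SAMPLE, date(2020, 7, 12))


if __name__ == "__main__":
    for name in demo()[1]:
        print(f"zfs destroy {name}")   # review the list, then run the printed commands
```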

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
On your browser I recommend the uBlock Origin plugin.
For address filtering, you have this list for SquidGuard or other: https://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz
You can also use quad9 DNS address which has bad site filtering.
Preferably you would use something that can't be turned off from the host system (certainly with kids).
A pihole + quad9 + (optional) an IP filter does wonders.
Please make sure people can't bypass the pihole though, block usual big DNS servers and the port for DNS.

If you can: adding IDS-IPS would also be nice (I know OPNsense has a nice deal for the pro version).

But: this isn't really important in this case.
Let me explain:
This case shows that a locally infected PC is able to easily spread throughout his whole network. Even with the above preventions, this could still happen. OP needs to look at preventing spread locally first and look at some hardening second...
(and also throw in some education in the mix for the kiddo)
 

NAS___

Explorer
Joined
Jun 15, 2020
Messages
60
In pfSense (or another firewall), you can add a rule to force all DNS traffic to be redirected to and served by your own DNS server.
You're right, an infection can spread very fast. Better have snapshots and backups!
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
In pfSense (or another firewall), you can add a rule to force all DNS traffic to be redirected to and served by your own DNS server.
You can forward or block DNS. However, you also want to prevent DNS over HTTPS and such, so better just block the usual suspect IPs completely while you're at it.

You're right, an infection can spread very fast. Better have snapshots and backups!
Are you actually reading what I have written so far? A snapshot or backup is NOT a replacement for decent security practices. This should NOT have spread to a movie share, that's totally not needed.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
This discussion is veering off track. How to architect a home network to prevent exploitation is a different topic than the OP's, which is how snapshots enabled him to recover from an exploit. As a moderator, I'll close this thread for further replies.
 