LinuxQuestions.org
Old 03-24-2015, 09:35 AM   #1
paalmarker
LQ Newbie
 
Registered: Jan 2007
Posts: 28

Rep: Reputation: 0
samba partition infected with cryptolocker/cryptowall


Samba partition used by 70 users on slackware 13.37. ...and yes, unluckily all users must have rwx access.

It did not help how much protection I had on the Windows 7 PCs; two hours ago one user opened an attachment and it was done. 150GB to restore from backup, which I am happy to say is intact.

The virus went through with no warnings from either the updated Windows Defender or the latest, updated version of Symantec AV. All PCs here had the latest updates from Microsoft. All files were renamed HELP_DECRYPT on the local PC, the common partition on the Samba share and the specific user's home.

I know that a Samba share will be treated like a Windows partition from Windows 7 though it is located on a Linux filesystem, but is there nothing I can do in Samba or the file system to prevent this scenario from happening? A kind of restriction for decryption? Write access for all users to this partition is a must... no way to protect the files than restricted permissions?

And for those who have been dealing with this virus: it will only run from the source file, right? Though someone has tried to open files named HELP_DECRYPT, the infection will not go from Samba to the local PC?
 
Old 03-24-2015, 06:23 PM   #2
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Do the users have to have rwx access, or would rwxt be acceptable? rwxt means sticky bit: everyone can create files on the share, but only the owner can remove/overwrite/etc. /tmp usually has rwxt access.

It is easy for a virus to make the scrambled files executable, so double-clicking any file affected by the virus would start an infection. I guess most cryptolockers don't bother, though.

If your files should usually not change too much, you could use some version control backed filesystem. This would worsen performance, but a virus attack would become easy to just roll back.
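
An added example, not part of either post: a Python audit for the sticky-bit suggestion above. The sticky bit restricts deleting and renaming entries in a directory, while overwriting a file's contents is still governed by that file's own write bits, so the script reports both cases. The sample tree and all names in it are constructed.

```python
import os
import stat
import tempfile

SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bit for group or other


def audit_share(root):
    """Return (dirs, files), as paths relative to root, that stay exposed.

    dirs:  shared-writable but missing the sticky bit (non-owners can delete/rename).
    files: regular files a non-owner can overwrite in place, sticky bit or not.
    """
    open_dirs, writable_files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & SHARED_WRITE and not mode & stat.S_ISVTX:
            open_dirs.append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if stat.S_ISREG(fmode) and fmode & SHARED_WRITE:
                writable_files.append(os.path.relpath(path, root))
    return sorted(open_dirs), sorted(writable_files)


def build_sample_share():
    """Create a constructed sample tree in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    layout = {"common": 0o1777, "common/projects": 0o777, "common/archive": 0o755}
    for rel, mode in layout.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    files = {"common/report.txt": 0o644, "common/projects/plan.txt": 0o666,
             "common/archive/old.txt": 0o664}
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    dirs, files = audit_share(build_sample_share())
    print("shared-writable directories without sticky bit:", dirs)
    print("files writable by non-owners:", files)
```

On a real share, call `audit_share()` with the exported path; files created through Samba get their mode from the share's `create mask` setting in smb.conf.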
 
  

