[BlueOnyx:22185] Re: Jungle_Sec Ransomware

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Wed Jun 27 08:03:12 -05 2018


Hi all,
I'll take a brief moment to give response to the questions that were 
posed last night:

On 6/26/2018 10:52 PM, Ken Hohhof wrote:
> Can you expand on "vulnerable websites"?

This site in particular is mainly WordPress.  I say mainly because there 
are some other CMS modules stitched in as well.  It's a fairly 
specialized one-off site.

But that's a bit beyond the point.  A "vulnerable" site is just that. 
Something that's vulnerable to attack.   I'm not going to paint all 
WordPress sites with a (false) broad brush.  However, there are a lot of 
WordPress admins doing terrible work to properly secure their sites. How 
many times have you seen this? "Something doesn't work right?  Aw, well, 
let's chmod it 777.  Yup that works! Problem solved!"

Basically, I'm just raising the call to keep an eye on what's running on 
your server.  Do some security auditing now and again.  Something look 
strange or out of place?  Shut it down or fix it.   Don't just let 
something go unchecked because it's been fine in the past.


On 6/26/2018 11:04 PM, Fungal Style wrote:

> Was this the only site on the server? If not was it only the vsite affected?
> (If it is just the vSite, then it was contained that is not so bad and we can sleep *a little* tonight...)

There's only one site on the server.

> Although I am assuming it is a blueonyx server, would I be correct?

No, this is a CentOS 6 LAMP box.  As much as I lobbied the customer to 
put BlueOnyx on it when we fired it up as a replacement for an outgoing 
box, there are simply too many customizations.   Could it have been a BX 
box?  Yes.  But it wasn't worth the fight.   The customer liked my 
ideas, but is bound by the comfort & capabilities of an offshore 
development team.   I'm unable to interface directly with the dev team 
due to a language barrier.   I can only speak enough Italian to order 
dinner.

> Do we know how they got in, as in was it a file uploaded via an exploit in the site (or FTP, etc)?

We do not.   It's being looked into, but forensic crypto security isn't 
something that I'd put on my CV.  My current theory is it may have been 
delivered via FTP to the server.   There are hundreds of FTP accounts. 
The question remains as to how it may have been executed.

My staff here is good at many things, but this isn't something we've 
specialized in.  Not a lot is known about Jungle_Sec and it is 
apparently pretty good at covering its tracks.   It's ultimately up to 
the customer to decide if they would like to hand it over to an 
investigator.

Our task is to assist the customer with bringing the site online and 
securing it.  That means determining if the backups are safe, or will 
the same thing happen again once restored?   Right now we're still 
working out the process for provisioning 20TB out of thin air and at a 
moment's notice to restore the backups to.   It'll get done.  We're just 
having to get creative.

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
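A small audit script of the kind Chris is calling for, added here as an example and not part of the original thread: it lists the "chmod 777" world-writable paths under a web root and any PHP files changed in the last N days, so a WordPress or other LAMP site can be spot-checked on a schedule. It assumes POSIX sh with find(1); the web root path and the day count are inputs you supply.

```shell
#!/bin/sh
# Added example, not from the BlueOnyx thread: quick web-root audit for
# world-writable paths (the "chmod 777" habit) and recently changed PHP.
# Assumes POSIX sh and find(1). Paths and day counts below are arguments.

# List world-writable files and directories under $1, one per line.
# -xdev keeps the scan on one filesystem; -perm -0002 matches any path
# whose "other" write bit is set (777, 666, 757, ...).
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 2>/dev/null | sort
}

# List PHP files under $1 modified within the last $2 days.
# A freshly dropped or edited .php file in wp-content/uploads is a
# classic sign that something was written through the site or via FTP.
recent_php() {
    find "$1" -xdev -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Summarise both checks for web root $1 over $2 days.
# Returns 0 when nothing was found, 1 when there is something to look at.
audit_webroot() {
    ww=$(world_writable "$1" | wc -l | tr -d ' ')
    rp=$(recent_php "$1" "$2" | wc -l | tr -d ' ')
    echo "world-writable: $ww  recent-php: $rp"
    if [ "$ww" -eq 0 ] && [ "$rp" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Example invocation (hypothetical path): audit_webroot /var/www/html 7
```

Run it from cron and diff the output against the previous run; a non-zero exit is a cheap trigger for a closer look rather than proof of compromise.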
