[BlueOnyx:22187] Re: Jungle_Sec Ransomware

Fungal Style wayin at hotmail.com
Wed Jun 27 08:46:41 -05 2018


Chris,

Thank you for the update. I still have a few questions, although maybe not as important now, but...

Do we know if the system files were encrypted? 

What was the indication there was a problem? 
Was it that something on the site was not working and then someone realized file extensions had been added to, say, PHP files as an example?

As to vulnerable sites, that is easy: an exploit that allows a single file to be dropped into a folder can give them all the access they need... 
One of my favourites (and not a hacker tool; I have seen some that can even touch files so the date is not the real date it was added/changed, and some which try to get root access, even to the point that they modify the rewrite in the .htaccess file):
https://sourceforge.net/projects/extplorer/?source=typ_redirect

So yes, I have seen many exploited/defaced and otherwise compromised sites from owners not wanting to spend a little time or money on maintenance and updating (and it costs them more in the end when I have to come in and clean up their site), including shopping carts that were SSL routing CC info elsewhere. 
But my experience with ransomware is limited to Windows environments, and I am sorry I cannot in clear conscience offer my services for Linux ransomware: although I do have enough knowledge to be dangerous, with the ransomware working the same or in a similar way, I do not have the Linux experience. By all means feel free to bounce a question off me and I will tell you if I don't know... (and who knows, maybe I know someone who may know.)

Regards
Brian

PS: we can take this off-list now, as it is not a BO-specific issue.... I can be reached at the following email address if you need to ask a question and want to get a reply from me saying I have no idea... (
wayin at hotmail.com

On 27/6/18, 11:11 pm, "Blueonyx on behalf of Chris Gebhardt - VIRTBIZ Internet" <blueonyx-bounces at mail.blueonyx.it on behalf of cobaltfacts at virtbiz.com> wrote:

    Hi all,
    I'll take a brief moment to give response to the questions that were 
    posed last night:
    
    On 6/26/2018 10:52 PM, Ken Hohhof wrote:
     > Can you expand on "vulnerable websites"?
    
    This site in particular is mainly WordPress.  I say mainly because there 
    are some other CMS modules stitched in as well.  It's a fairly 
    specialized one-off site.
    
    But that's a bit beyond the point.  A "vulnerable" site is just that: 
    something that's vulnerable to attack.   I'm not going to paint all 
    WordPress sites with a (false) broad brush.  However, there are a lot of 
    WordPress admins doing a terrible job of properly securing their sites. How 
    many times have you seen this? "Something doesn't work right?  Aw, well, 
    let's chmod it 777.  Yup, that works! Problem solved!"
    
    Basically, I'm just raising the call to keep an eye on what's running on 
    your server.  Do some security auditing now and again.  Something look 
    strange or out of place?  Shut it down or fix it.   Don't just let 
    something go unchecked because it's been fine in the past.
    
    
    On 6/26/2018 11:04 PM, Fungal Style wrote:
    
    > Was this the only site on the server? If not was it only the vsite affected?
    > (If it is just the vSite, then it was contained that is not so bad and we can sleep *a little* tonight...)
    
    There's only one site on the server.
    
    > Although I am assuming it is a blueonyx server, would I be correct?
    
    No, this is a CentOS 6 LAMP box.  As much as I lobbied the customer to 
    put BlueOnyx on it when we fired it up as a replacement for an outgoing 
    box, there are simply too many customizations.   Could it have been a BX 
    box?  Yes.  But it wasn't worth the fight.   The customer liked my 
    ideas, but is bound by the comfort & capabilities of an offshore 
    development team.   I'm unable to interface directly with the dev team 
    due to a language barrier.   I can only speak enough Italian to order 
    dinner.
    
    > Do we know how they got in, as in was it a file uploaded via an exploit in the site (or FTP, etc)?
    
    We do not.   It's being looked into, but forensic crypto security isn't 
    something that I'd put on my CV.  My current theory is it may have been 
    delivered via FTP to the server.   There are hundreds of FTP accounts. 
    The question remains as to how it may have been executed.
    
    My staff here is good at many things, but this isn't something we've 
    specialized in.  Not a lot is known about Jungle_Sec and it is 
    apparently pretty good at covering its tracks.   It's ultimately up to 
    the customer to decide if they would like to hand it over to an 
    investigator.
    
    Our task is to assist the customer with bringing the site online and 
    securing it.  That means determining if the backups are safe, or will 
    the same thing happen again once restored?   Right now we're still 
    working out the process for provisioning 20TB out of thin air, at a 
    moment's notice, to restore the backups to.   It'll get done.  We're just 
    having to get creative.
    
    -- 
    Chris Gebhardt
    VIRTBIZ Internet Services
    Access, Web Hosting, Colocation, Dedicated
    www.virtbiz.com | toll-free (866) 4 VIRTBIZ
    _______________________________________________
    Blueonyx mailing list
    Blueonyx at mail.blueonyx.it
    http://mail.blueonyx.it/mailman/listinfo/blueonyx
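The thread asks two concrete questions about the compromised box: whether files had an extension appended (the renaming symptom Brian asks about) and what a periodic audit of a web root should look for (the "chmod it 777" habit Chris describes). The following POSIX shell functions are an added example, not code from either poster or from BlueOnyx, and they assume a hypothetical document root path passed as the first argument; they report world-writable entries, PHP files with an extra extension appended, and files changed in the last N days.

```shell
# Added example, not code from the thread: a quick audit of a web document
# root for the symptoms discussed above. The root path is a hypothetical
# argument. Usage: . ./audit.sh; audit_webroot /var/www/html 7

# List files and directories under $1 that are writable by "other"
# (mode bit 002), i.e. what a "chmod 777" fix leaves behind.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# List files named like a PHP source with an extra extension appended
# (index.php.<something>), the renaming symptom asked about above.
find_renamed_php() {
    find "$1" -type f -name '*.php.*' | sort
}

# List regular files modified within the last N days ($2, default 1),
# a cheap way to spot a recent file drop or a mass rename.
find_recently_changed() {
    find "$1" -type f -mtime "-${2:-1}" | sort
}

# Run all three checks against a document root and print a labelled report.
audit_webroot() {
    root="$1"
    days="${2:-1}"
    echo "== world-writable entries under $root =="
    find_world_writable "$root"
    echo "== PHP files with an appended extension =="
    find_renamed_php "$root"
    echo "== files changed in the last $days day(s) =="
    find_recently_changed "$root" "$days"
}
```

The modification-time check is only a first pass: as Brian notes above, some tools touch files so the recorded date is not the real one, so an empty "recently changed" list is not evidence that nothing was dropped. Run the checks from cron and diff the output against the previous run rather than reading it once.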
    