[Samba] Ransomware?
ToddAndMargo
ToddAndMargo at zoho.com
Tue May 17 01:08:36 UTC 2016
On 05/16/2016 08:00 AM, Neil Price wrote:
> #!/bin/sh
>
> updatedb
> sleep 20
> if locate DECRYPT > /tmp/cryptowall; then
> mail -s "PANIC! Possible Server Cryptowall found" support@domain.com </tmp/cryptowall
> #else
> # echo "not found";
> fi
> if locate --regex INSTRUCTIONS_\.\{3,10}\.png > /tmp/cryptowall1; then
> mail -s "Possible Cryptowall 4.0 found on server" support@domain.com </tmp/cryptowall1
> fi
> if locate HELP_YOUR_FILES > /tmp/cryptowall1; then
> mail -s "Possible Cryptowall 4.0 found on server" support@domain.com </tmp/cryptowall1
> fi
> if locate .locky > /tmp/cryptowall1; then
> mail -s "Possible Locky crypto found on server" support@domain.com </tmp/cryptowall1
> fi
>
> if locate .cerber > /tmp/cryptowall1; then
> mail -s "Possible Cerber crypto found on server" support@domain.com </tmp/cryptowall1
> fi
>
> if locate .crypt > /tmp/cryptowall1; then
> mail -s "Possible CRYPTXXX crypto found on server" support@domain.com </tmp/cryptowall1
> fi
>
> if locate _DECRYPT_INFO_ > /tmp/cryptowall1; then
> mail -s "Possible Maktub crypto found on server" support@domain.com </tmp/cryptowall1
> fi
>
Wow. Thank you!
Maybe add a
    systemctl stop smb.service
    systemctl stop nmb.service
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
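
One way to combine the quoted check with the suggested service stop, as an added example that is not from either poster. It goes beyond the quoted script by scanning the share live with `find` instead of relying on the `locate` database; the function names, the `STOP_CMD` variable and the glob forms of the patterns are assumptions of this example.

```shell
#!/bin/sh
# Added example: live scan of a share for the ransom-note and extension
# names listed in the quoted script, then stop Samba on any hit.
# Table rows are "family|find -name glob"; the globs are this example's
# translation of the locate patterns, not the original author's.
INDICATORS='CryptoWall|*DECRYPT*
CryptoWall 4.0|INSTRUCTIONS_???*.png
CryptoWall 4.0|*HELP_YOUR_FILES*
Locky|*.locky
Cerber|*.cerber
CryptXXX|*.crypt
Maktub|*_DECRYPT_INFO_*'

# Overridable so the containment step can be dry-run (STOP_CMD=echo).
STOP_CMD=${STOP_CMD:-"systemctl stop"}

# Print "family<TAB>path" for every file under $1 whose name matches.
scan_share() {
    scan_root=$1
    printf '%s\n' "$INDICATORS" | while IFS='|' read -r family glob; do
        find "$scan_root" -type f -name "$glob" 2>/dev/null |
            while IFS= read -r path; do
                printf '%s\t%s\n' "$family" "$path"
            done
    done
}

# Print hits for $1; on any hit stop smb and nmb and return 1.
contain_if_hit() {
    hits=$(scan_share "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    # Stop serving shares first so clients cannot encrypt further files.
    $STOP_CMD smb.service
    $STOP_CMD nmb.service
    return 1
}
```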