[Samba] [OT] Re: Ransomware?

lingpanda101 at gmail.com
Tue May 24 17:02:05 UTC 2016


On 5/23/2016 2:28 AM, Olivier wrote:
> ToddAndMargo <ToddAndMargo at zoho.com> writes:
>
>> On 05/20/2016 06:31 AM, Nico Kadel-Garcia wrote:
>>> Those can also
>>> often be made accessible by Samba as read-only CIFS shares, for people
>>> to recover their own files. It's invaluable for people not to have to
>>> bother their local sysadmin to get last night's copy of the files they
>>> just accidentally deleted. They will appreciate your thoughtfulness,
>>> and you can get back to playing Minecraft.
>> Hi Nico,
>>
>> That is actually brilliant idea.  I have a Samba server coming up
>> in a few weeks.  I think I will implement that.  Thank you!
> There are pros and cons to an easy recovery mechanism. Sure, at first it
> eases the life of the people who manage the system, but some users may
> start relying too heavily on the recovery service, in a way that becomes
> unhealthy, back-up being used as a secondary storage instead of being
> what it is meant to be: a back-up.
>
> That is why I rather believe in a strong policy that defines what are
> the valid motives for restoration: crashes, etc. (reckless file deletion
> not being a valid one) and a loose enforcement of the policy, and also
> having users jump through enough hoops so that they do not abuse the
> service.
>
> BR,
>
> Olivier
>

I think one of my users was hit with Ransomware yesterday. This user was
presented with a fake Blue Screen of Death inside a web browser (Windows
7). The workstation was removed from the network in minutes. Running all
the necessary scans didn't alert to anything. No services or processes
were running that appeared out of the norm. Users' documents are
redirected to a member server running Samba. The user stated they could no
longer access their 'My Documents' folder. Looking at the permissions of
the files and folders, I see many were changed to root:root. Some
displayed user:domain_users. Changing all files back to
user:domain_users allowed access to the redirected files and folders.

-- 
-James
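A defender-side check for the symptom James describes (entries under a user's redirected folder on the Samba member server whose ownership flipped to root:root instead of user:domain_users). This is an added example, not code from the thread; it only reports drift and leaves the chown back to the admin. The share path, the user name and the group name domain_users are assumptions, and the entries in the test are constructed.

```python
#!/usr/bin/env python3
"""Audit a redirected-folders tree on a Samba member server for ownership drift."""
import os
import pwd
import grp
import sys
from typing import Iterable, Iterator, List, Tuple

Entry = Tuple[str, int, int]  # (path, uid, gid)


def walk_ownership(root: str) -> Iterator[Entry]:
    """Yield (path, uid, gid) for root and everything below it.
    lstat is used so symlinks are reported as themselves, not followed."""
    st = os.lstat(root)
    yield root, st.st_uid, st.st_gid
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid


def find_anomalies(entries: Iterable[Entry], expected_uid: int, expected_gid: int) -> List[Entry]:
    """Return every entry whose uid or gid differs from the expected user:group pair."""
    return [e for e in entries if e[1] != expected_uid or e[2] != expected_gid]


def summarize(anomalies: Iterable[Entry]) -> dict:
    """Count anomalies by the (uid, gid) they now carry; root:root shows up as (0, 0)."""
    counts: dict = {}
    for _path, uid, gid in anomalies:
        counts[(uid, gid)] = counts.get((uid, gid), 0) + 1
    return counts


def audit_user_folder(root: str, user: str, group: str = "domain_users") -> List[Entry]:
    """Resolve the expected owner via NSS (winbind/sssd supply domain accounts) and audit."""
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    return find_anomalies(walk_ownership(root), uid, gid)


if __name__ == "__main__":
    # Assumed layout: /srv/users/<user> holds that user's redirected folders.
    share_root, user = sys.argv[1], sys.argv[2]  # e.g. /srv/users/jdoe jdoe
    found = audit_user_folder(share_root, user)
    for path, uid, gid in found:
        print(f"{uid}:{gid}\t{path}")
    print(f"{len(found)} entries with unexpected ownership; by owner: {summarize(found)}")
```

Run it before and after the chown to confirm that the tree is back to user:domain_users, and keep the first report as a record of which paths were touched.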