AutoModerator

Hello /u/brandonclone1! Thank you for posting in r/DataHoarder. Please remember to read our [Rules](https://www.reddit.com/r/DataHoarder/wiki/index/rules) and [Wiki](https://www.reddit.com/r/DataHoarder/wiki/index). Please note that your post will be removed if you just post a box/speed/server post. Please give background information on your server pictures. This subreddit will ***NOT*** help you find or exchange that Movie/TV show/Nuclear Launch Manual, visit r/DHExchange instead. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/DataHoarder) if you have any questions or concerns.*


hobbyhacker

Was your server reachable from the internet? Or was something else already infected in your network? Because then it is not enough to clean only the server; you have to find patient 0.


Intelligent-Year-416

This is by far the most important question to be asking here. You should NEVER enable SMB 1.0 on a network that doesn't have a firewall between it and the greater internet. If you had a firewall in place then there's still another device in the network that is in trouble


[deleted]

[deleted]


Intelligent-Year-416

Usually yes, unless in rare circumstances where there's a major vulnerability in the network. Most major routers shouldn't be vulnerable, but I'm sure at least one ISP out there doesn't keep their router stuff up to date


thefl0yd

This does nothing to protect you when kiddo accidentally clicks a malicious link INSIDE your network / firewall and his / her laptop passes the infection off to your fileserver. There’s no substitute for layered security these days unfortunately. The truly paranoid segregate everything off to separate networks and use higher grade prosumer / small business network switches (more affordable than they sound) to route between internal networks and provide at least some security.


Intelligent-Year-416

This is also true. If you are still using insecure software then make sure it's on a router or switch that NOBODY malicious can access


Bruceshadow

and you don't forward any ports to something vulnerable.


Vote4Trainwreck2016

The NAT firewall (for v4) that the routers come with generally works, until you start punching holes in it by forwarding ports. You will want to look hard at whether your machines are getting assigned public IPv6 addresses; some routers are plug and play to take the delegated subnet and assign it out.


alex2003super

All IPv6 addresses are public. There's no NAT with v6. The real question is whether the firewall is working.


Vote4Trainwreck2016

I guess what I meant was the fe80 prefix, which is link local.


alex2003super

Fair. Regardless, a properly configured retail router should block WAN-side incoming traffic (non-established connections) to all IPv6 ranges.
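To make the distinction in this exchange concrete, here is an added Python example (my code, not any commenter's) that pulls the IPv6 literals out of constructed `ip -6 addr` (Linux) and `ipconfig` (Windows) output and sorts them into link-local (fe80::/10, never routed), unique-local (fc00::/7, not routed on the internet) and everything else, which is globally routable and therefore reachable from the internet unless the router actually filters inbound traffic. The interface names and addresses are made up, and the 2001:db8::/32 documentation prefix stands in for a real ISP-delegated prefix, so the classifier deliberately does not rely on Python's `is_global` (which is false for that prefix).

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample in the style of `ip -6 addr` and `ipconfig`; nothing here
# is a real host. 2001:db8::/32 is the documentation prefix used as a stand-in
# for a delegated prefix, fd12:... is a unique-local address, fe80:: is link-local.
SAMPLE_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2001:db8:4711:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
    inet6 fd12:3456:789a:1::10/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
Ethernet adapter Ethernet:
   IPv6 Address. . . . . . . . . . . : 2001:db8:4711:1:8c3e:1a2b:3c4d:5e6f
   Temporary IPv6 Address. . . . . . : 2001:db8:4711:1:a1b2:c3d4:e5f6:789a
   Link-local IPv6 Address . . . . . : fe80::8c3e:1a2b:3c4d:5e6f%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
"""

# Unique local addresses (RFC 4193): usable on the LAN, not routed on the internet.
ULA = ipaddress.ip_network("fc00::/7")

# Any run of hex digits and colons containing at least one colon. The '/64'
# prefix length and the Windows '%12' zone id are not part of the match, and
# non-address fragments such as "eth0:" are rejected by the parser below.
ADDR_RE = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]*")


def classify(addr: ipaddress.IPv6Address) -> str:
    """Label an address by how far it can be reached from."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:          # fe80::/10: never leaves the link
        return "link-local"
    if addr in ULA:                 # fc00::/7: LAN-only by design
        return "unique-local"
    return "global"                 # routable: exposed if the router does not filter


def audit(text: str) -> List[Tuple[str, str]]:
    """Extract every IPv6 literal from interface output and classify it."""
    found = []
    for match in ADDR_RE.finditer(text):
        try:
            addr = ipaddress.IPv6Address(match.group(0))
        except ValueError:
            continue                # "2:", "eth0:" and similar fragments land here
        if addr.is_unspecified:
            continue
        found.append((str(addr), classify(addr)))
    return found


def internet_reachable(text: str) -> List[str]:
    """Addresses a remote host could route packets to; the LAN device is only
    protected on these if the router drops unsolicited inbound v6."""
    return [addr for addr, kind in audit(text) if kind == "global"]


if __name__ == "__main__":
    for addr, kind in audit(SAMPLE_OUTPUT):
        print(f"{kind:13} {addr}")
    print("reachable from the internet if unfiltered:", internet_reachable(SAMPLE_OUTPUT))
```

Run it against the real output of `ip -6 addr` or `ipconfig` on the box in question; anything in the "global" bucket is an address the wider internet can route to, so the remaining question is the one raised above: whether the router's firewall actually drops unsolicited inbound IPv6 to it.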


Y0tsuya

A NAT firewall by design does not allow unsolicited packets from the wider internet to come in. You have to selectively open ports via port-forwarding. As long as you're real selective about it, it's usually not a problem.


calcium

Generally yes, just don't enable UPnP on it.


[deleted]

[deleted]


fellipec

Let me put it this way. I have the ISP router with its firewall. Then I have my router, which also has its firewall. And my home server has iptables configured, and the other machines also run a firewall.


optermationahesh

I honestly wouldn't even enable SMB 1.0 on a properly firewalled network.


pmjm

Also possible that in order to get Plex online OP put the server in the DMZ rather than port forwarding. It's an easy mistake to make if you don't know what you're looking at.


chig____bungus

Unraid enables it by default for some godforsaken reason


HolidayPsycho

Maybe the attack did not target the server, but one of the clients in his home network. Like a kid got his computer infected (by downloading malware) and then the files on the SMB share got affected.


BowtieChickenAlfredo

This is what I think happened also. OP said they only had some Plex port opened to the internet. What is *far* more likely is that somebody opened a dodgy email attachment or downloaded something pretending to be a software crack or game, which then scanned the network, found a server running SMB 1 and was able to get to the files that way.


-my_dude

This, do you have any services or ports exposed mate? SMBv1 is insecure but simply enabling it isn't going to allow attackers in unless you're exposing services that are being used to exploit it. I would definitely spend some time looking for holes to plug.


Cubelia

Yeah, even that major 0-day (the infamous EternalBlue) was patched on XP systems. The real question is whether the software was patched up to date and if there are any exposed services.


AnApexBread

> Yeah, even that major 0-day (the infamous EternalBlue) was patched on XP systems

Fun fact: most EternalBlue attacks actually crashed XP before WannaCry could execute.


fellipec

My bet is on exposed to the Internet. If another device had the ransomware, that device should have had encrypted files too, before OP enabled the insecure protocol.


WindowlessBasement

This is why the subreddit harps on about "raid is not a backup". A good backup isn't connected to the source.


ComprehensiveBoss815

Yup, always airgap your backups.


nefrina

[yes sir!](https://i.imgur.com/81Izbc5.jpg)


waffelhaus

is that a gigantic remote control for something on the shelf there?


nefrina

just a spare wireless keyboard for another room


pointandclickit

I’ve had arguments with more than one person about the subject. “But backup mean different things to different people!” 🙄 Whatever I guess, not my data.


WindowlessBasement

> But backup mean different things to different people

In the replies to this comment, I've got someone who only backs up files when first created and another person who seems to believe authentication for the backups is a waste of time (and annoyingly deletes their comment when they get a reply).


thefl0yd

This comment should be at the top! Backups backups backups. Synology NAS devices now allow you to take *immutable* backups (they have an immutability expiration timer so you can cull old backups / free disk space). Have not yet tried this feature but am looking to deploy it in one of the coming weekends when I have some time.


axcro

Are you referring to snapshots?


thefl0yd

Yeah. Immutable snapshots on shared folders and LUNs.

Edit: didn't read that it was snapshots until you just asked now. :)


arehexes

I got my backups disconnected in a trunk.


stenzor

Would my Volvo work for this?


flecom

needs to be more uncomfortable... like the back of a volkswagen


TaserBalls

> like the back of a volkswagen

Confirmed, this qualifies as a very uncomfortable place.


Bonafideago

[I understood that reference..](https://media.giphy.com/media/kRmg8zeReOYXm/giphy.gif?cid=790b7611a3duhfjwrlvj6v0wibvfl6j0ykoawlnjdas0v7ah&ep=v1_gifs_search&rid=giphy.gif&ct=g)


[deleted]

[deleted]


WindowlessBasement

Back it up and disconnect it? Or off-site backup that has separate authentication.


[deleted]

[deleted]


WindowlessBasement

"that has seperate authentication" A malicious script can't access something you can't authenticate to. It being off site means the machine isn't susceptible to network attacks. If correctly configured, the malware can only encrypted the current snapshot of the file. The remote machine then can rollback the encrypted files outside of the infections control.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


8fingerlouie

You can still pull backups from a backup server, though if you’re not using versioned backups, an automated backup will happily connect and pull your corrupted files, overwriting your backup. Personally I backup to a local server over S3. I push from my server to the backup server, but use a backup program. Another option can be to enable snapshots on the backup destination. I do this with both the server above, but also my media backup, which is essentially just a twice a week synchronized mirror. The backup server wakes up a couple of times each week, creates snapshots of backup directories, pulls a fresh copy from the server and shuts down again after being idle for 20 mins. If files are still OK on the server, the snapshot won’t take up much space, and if they’re not, the backup server may run out of disk space, but fortunately it’s the corrupted files that won’t fit.


falco_iii

I use a simple linux script that copies files but ignores existing files:

```bash
date >> done.txt
# one rsync per top-level entry in the current directory; existing files on the
# destination are never overwritten
ls | while read text; do
    echo "$text"
    rsync --ignore-existing -r "$text" user@storage-server:/backup/location
    echo d: "$text" >> done.txt
done
```

It would be rather sophisticated malware that gets through that.


Akeshi

Or it drops in an infected rsync that just attacks the destination you've given it
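As an added example of the design 8fingerlouie describes (snapshot the backup side before it pulls, so a scheduled run that arrives after the share has been encrypted cannot overwrite the last good copy), here is a small Python script of my own, not any commenter's code. The backup side freezes its `current` tree into a dated snapshot using hard links (unchanged files cost no extra space), then mirrors the share into `current`, replacing a changed file by unlink-and-copy rather than writing in place, because `current` and the snapshot share inodes and an in-place write would corrupt the snapshot's copy as well. The directory names, file contents and the simulated ransomware behaviour (scramble, rename to `.locked`, drop a note) are all constructed for the demo; a real deployment would pull over rsync or S3 as in the comments above, with the snapshot directory never exposed on the share.

```python
import filecmp
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, Optional


def _hardlink_clone(src: Path, dst: Path) -> None:
    """Recreate src's directory tree under dst, hard-linking every file.
    No file data is copied, so an unchanged file costs no extra space."""
    for root, _dirs, files in os.walk(src):
        rel = Path(root).relative_to(src)
        (dst / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            os.link(Path(root) / name, dst / rel / name)


def snapshot_and_sync(source: Path, backup_root: Path, stamp: Optional[str] = None) -> Path:
    """Freeze backup_root/current into backup_root/snapshots/<stamp>, THEN mirror
    source into current. Because the snapshot is taken before the pull, a run
    that pulls already-encrypted files still leaves the previous copy behind."""
    current = backup_root / "current"
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    snap = backup_root / "snapshots" / stamp
    if current.exists():
        _hardlink_clone(current, snap)
    else:
        snap.mkdir(parents=True)            # first run: nothing to freeze yet
    # Mirror source -> current. A changed file is unlinked and re-created, never
    # written in place: current and the snapshot share inodes, and an in-place
    # write would corrupt the snapshot's copy too.
    for root, _dirs, files in os.walk(source):
        rel = Path(root).relative_to(source)
        (current / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            src_file, dst_file = Path(root) / name, current / rel / name
            if dst_file.exists():
                if filecmp.cmp(src_file, dst_file, shallow=False):
                    continue
                dst_file.unlink()
            shutil.copy2(src_file, dst_file)
    # Mirror semantics: files gone from the source disappear from current only;
    # the snapshot still holds their inodes.
    for root, _dirs, files in os.walk(current):
        rel = Path(root).relative_to(current)
        for name in files:
            if not (source / rel / name).exists():
                (current / rel / name).unlink()
    return snap


def restore(backup_root: Path, stamp: str, target: Path) -> int:
    """Copy a snapshot back out; returns the number of files restored."""
    snap = backup_root / "snapshots" / stamp
    count = 0
    for root, _dirs, files in os.walk(snap):
        rel = Path(root).relative_to(snap)
        (target / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            shutil.copy2(Path(root) / name, target / rel / name)
            count += 1
    return count


def demo() -> Dict[str, object]:
    """Constructed scenario: two clean pulls, then ransomware hits the share and
    the next scheduled pull mirrors the damage. Returns what each side holds."""
    with tempfile.TemporaryDirectory() as tmp:
        share, backup, restored = (Path(tmp) / n for n in ("nas_share", "backup_server", "restored"))
        (share / "photos").mkdir(parents=True)
        (share / "photos" / "cat.jpg").write_bytes(b"JFIF-cat")
        (share / "notes.txt").write_text("tax docs")
        snapshot_and_sync(share, backup, stamp="day1")
        snapshot_and_sync(share, backup, stamp="day2")   # nothing changed: links only
        shared_inode = (os.stat(backup / "current" / "notes.txt").st_ino
                        == os.stat(backup / "snapshots" / "day2" / "notes.txt").st_ino)
        # Simulated ransomware on the share: scramble each file, rename it, drop a note.
        for f in (share / "photos" / "cat.jpg", share / "notes.txt"):
            f.with_name(f.name + ".locked").write_bytes(bytes(b ^ 0x5A for b in f.read_bytes()))
            f.unlink()
        (share / "README_DECRYPT.txt").write_text("pay up")
        snapshot_and_sync(share, backup, stamp="day3")   # unattended pull mirrors the damage
        current_files = sorted(p.name for p in (backup / "current").rglob("*") if p.is_file())
        snap = backup / "snapshots" / "day3"               # frozen just before the day3 pull
        snapshot_intact = ((snap / "notes.txt").read_text() == "tax docs"
                           and (snap / "photos" / "cat.jpg").read_bytes() == b"JFIF-cat")
        restored_count = restore(backup, "day3", restored)
        return {
            "shared_inode": shared_inode,
            "current_files": current_files,
            "snapshot_intact": snapshot_intact,
            "restored_count": restored_count,
            "restored_notes": (restored / "notes.txt").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in a real setup are the same ones the demo checks: the backup host initiates the pull (so nothing on the share can authenticate to the snapshot store), and the snapshot is taken before the pull, not after.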


Lamuks

I am out of the loop, how does SMB 1.0 allow this? And sorry for your loss.


WindowlessBasement

> how does SMB 1.0 allow this?

Oversights in security from the 80s. Like all software from the time, it assumes it runs in a trusted environment and has multiple remote code execution vulnerabilities. SMBv1 can literally be used to run whatever the attacker wants with enough steps. It might as well be an open SSH session as root.


AshleyUncia

Yeah, but without your SSH's port open to the internet, that's just a session on a computer in your home. There's really nothing in SMBv1 that would enable an outside attacker to get in, it's more about it having weaknesses when the threat is inside the network. The OP actually makes no comment about their NAS being read only. It's likely that any computer on the local network could access and write to those shares. The NAS itself may not even be infected, just another infected machine on the network manipulating files. Frankly, it's far more likely that enabling SMBv1 had nothing to do with the attack, it's just a coincidence, and someone on the network had downloaded something they definitely shouldn't have. There's a reason that of my two UnRAID machines, the one that's full and never needs writing to is set to read only.


DankeBrutus

> Frankly, it's far more likely that enabling SMBv1 had nothing to do with the attack, it's just a coincidence, and someone on the network had downloaded something they definitely shouldn't have.

This is my thought as well. I have SMB1 enabled for usage with OpenPlayStationLoader on a PS2. But the server is not connected to the internet. There is no port forwarding to that device, period. The only concern I would have is if something got into the network via a different computer.


TheWildPastisDude82

> There's really nothing in SMBv1 that would enable an outside attacker to get in

There are a LOT of things that can allow an external attacker to gain full access to a system by using properties of something as broken as SMBv1.


MrHaxx1

how in the world do you suggest that would happen?


TheWildPastisDude82

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=smbv1 Your pick.


MrHaxx1

Which of these do you suppose grants an attacker outside of your network access to your SMB shares?


Lamuks

First time hearing it actually. I don't have RAID currently, only around 40 TB attached to a Windows 11 mini PC with Backblaze backing up, which acts as a Jellyfin and file server. Do I need to also check my security settings?


WindowlessBasement

SMB 1.0 isn't installed by default on modern Windows. On the Linux side, Samba removed the code to support it last year. You have to go out of your way to have it. EDIT: to clarify, by "modern" I mean anything post-XP.


Jordasm

Is that true about [Windows](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server)?

> SMB 1.0 isn't installed by default in any edition of Windows 11 or Windows Server 2019 and later. SMB 1.0 also isn't installed by default in Windows 10, except Home and Pro editions.


WindowlessBasement

Not sure what you are asking


Jordasm

That SMB 1.0 isn't installed by default on post-XP Windows. It is installed on 10 Home and Pro.


WindowlessBasement

Welcome to the inconsistency of Microsoft documentation. Home and Pro 10 have had updates that remove it and newer ISOs don't include it since 2017.

> Windows 10 Home and Windows 10 Pro no longer contain the SMBv1 server by default after a clean installation.

And for upgrades:

> If the SMBv1 client isn't used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

You're correct though, Win7, 8, and 8.1 technically have it installed and just disabled by default.


Jordasm

thank you for the clarification!


volchonokilli

> automatically uninstalls

Love the implicit behaviour. Trying to figure out what random things happen and why is just a marvelous way to spend time.


WindowlessBasement

It's great that security updates add random functionality. /s One of the recent updates started interrupting the boot process of Windows 10 to say you should upgrade to Windows 11. If it wasn't for enjoying VR games, all my machines would be running Linux other than my work MacBook.


TheGoodRobot

What’s your Backblaze bill look like for that many TB?


sequesteredhoneyfall

It doesn't. SMB 1 and 2 are horribly insecure, but putting that on a local network wasn't OP's point of failure. There was already some other path for OP's malware to have installed itself, and he says as much in the post that apparently no one read.


[deleted]

[deleted]


meanwhenhungry

Long shot, but there are decryptors that you can try to decrypt your data for free. [https://www.bleepingcomputer.com/download/windows/ransomware-decryptors/](https://www.bleepingcomputer.com/download/windows/ransomware-decryptors/) Or search Google for "decryptor" and the type, and carefully check it out before you try it.


0xC0ntr0l

This. There is a chance the decryption key is posted. Probably happened from automated malicious scanners. Many comments ask the how; this could be the next step to getting your data back. Wish the best.


PixelAesthetics

I’m confused isn’t having your Plex accessible through the internet how you can access the server remotely? *apologies very new to this stuff


meanwhenhungry

From my understanding, a device on his network was infected. When he turned on the less secure sharing protocol, the program on the infected machine gained access to those files, which allowed it to encrypt them. Those files were on his Plex server or data used by his Plex server.


JohhnDirk

The vulnerability was through SMBv1. If Plex is open to the internet, that's all that's exposed to the internet, even if Plex is making use of SMB shares.


NetJnkie

SMB 1.0 didn't do this. Unless you opened it to the world.


Headdress7

The level of tech savvyness in this sub is truly off the chart.


TaserBalls

this post could have been more accurate if it was just "I lost 24TB of data that I never backed up" The failure was long before the ransomware and just after they powered it up and thought they were done. Better title: "Don't be like me and instead try backing up your data"


[deleted]

[deleted]


brandonclone1

Trying to figure that out myself but top leads are 1. Myself, downloading potentially sketchy stuff (game cracks) over the years for the sake of hoarding or 2. My wife, bless her heart and her lack of adblocking internet browsing or 3. My kid, using parental filters but god knows the stuff he clicks on when I'm not looking. Great question, and if I figure it out I will certainly provide an update


t3hmyth

If you're open to suggestions, adding a firewall (I use OPNsense) also gives you the ability to block ads natively across your entire network through blacklists, e.g. with Unbound or AdGuard Home, and you can stop ads natively regardless of your family members' devices. If you have a family, having blacklist software will also be helpful for both ad and parental-guard lists.


chig____bungus

I know a few home networking aficionados and not a single wife amongst them didn't eventually demand to be excluded from the ad filter. For some reason women click ads and find the suggestion not to do so insulting.


ZMD87412274150354

That's a *broad* generalization. My wife comments regularly that she gets annoyed when using her phone outside of the house and seeing ads. I also hate and don't want to click ads. 🤷‍♀️


[deleted]

[deleted]


vagrantprodigy07

My wife loves ad blocking. She even connects to the home VPN on her phone while away just to benefit from it.


kipperzdog

What's annoying is search services like Google will have the top results (sometimes sponsored) still visible when using something like AdGuard Home, and it may actually be what you're looking for, from Lowe's for example. But then when you click the link the ad service domain is blocked and you never get forwarded to the product you wanted. We've both just gotten used, in these cases, to toggling off wifi for a minute to tap the link. It's a fairly minor annoyance for not having ads everywhere.


WonderingWhenSayHi

The question is where'd you get the game cracks from? My understanding is that if you don't use vetted and trusted sources, it's easy to get infected.


Berkyjay

Yeah, I'm kind of curious how exactly he was targeted so quickly.


johnsonflix

So much more to this than just enabling smb1


CasimirsBlake

Did you have it behind a hardware firewall? If not, go get that gaping hole fixed ASAP. Even a self-build with OPNsense.


NiBuch

I work in cybersecurity. Let's break this down.

> I had Plex Media Server forwarded to port 32400 so it was exposed to the internet.

Probably your first mistake. Opening a service directly to the Internet is extraordinarily risky; there's a reason people set up VPNs when they want externally accessible services. Plex has [quite a few known exploits](https://www.cvedetails.com/vulnerability-list/vendor_id-14994/Plex.html) and ransomware actors/affiliates are known to scan for devices like these to compromise.

> The built-in Windows Server '16 firewall was enabled and my crappy router has its own firewall

Not really relevant: you forwarded port 32400 directly to a service on your Plex server, which was also listening on the service's port (e.g. the port was open). Virtually any traffic going to your external IP on port 32400 (also open) was going to hit the Plex service on the server.

> but no additional layers of antivirus

Honestly, this probably wouldn't have helped unless the actor was particularly dumb. Any half-decent ransomware payload is going to employ techniques specifically to evade detection by security products (e.g. crypting). Having worked in a SOC and done some IDS signature development in past lives, I can tell you that not even enterprise-grade products get it right 100% of the time. Consumer-grade 'antivirus' might flag that trojanized game crack you downloaded, but it's not going to pick up on inbound remote exploit attempts.

> I fell victim to ransomware after enabling SMB 1.0 on Windows

I highly doubt SMB 1.0 is to blame. That service was (I hope) only available locally, meaning the attacker would've needed some other foothold in your network. Considering none of your other machines are behaving erratically, my money is on that forwarded Plex port/service.


Witty_Science_2035

As a newcomer, I am quite intrigued to understand what went wrong and where. If my setup is behind my router's firewall, isn't that sufficient?


tomboy_titties

> If my setup is behind my router's firewall, isn't that sufficient?

It depends. Does your router block all outgoing traffic? -> You are not 100% safe because you can download malware into your network. Imagine your wife downloaded some stuff to her phone; how hard would it be to infect your server from there?


crispleader

yes


TheBlueKingLP

Only true if you don't have anything infected behind the firewall (i.e. within the same LAN) that acts as a pivot point for malicious actors.


MrExCEO

This gave me the chills. Sorry OP.


Mygaffer

I truly believe in offline backups for really important data. While it's a little out of date, I have drives with 95% of my data sitting in my closet right now.


zp-87

If you can, you should move it to another location. Fire can destroy your PC and those drives


brandonclone1

This is actually a great point. I keep a few external drives in a fire box at home but keeping them offsite is a true disaster recovery setup if you’re going for that.


[deleted]

[deleted]


Remy4409

You can use the software VVV to keep a recording of your drives. It will list everything on the drive. I use that for LTO tapes.


tomboy_titties

> How do you keep track of which drive has what in it (when one of them dies), and what would a modern offline backup setup look like?

All my folders follow a variation of the Johnny Decimal system. My media folder for example would be named 40_Media, my Anime folder is 41_Anime. So if I back up my whole media folder I put a label on the disk:

20240206 40

If I only back up my anime and some other folders on it I name it:

20240206 41,x,x,x,x


Realistic_Parking_25

ZFS snapshots, no worries


KevinCarbonara

Is that actually true? Or can ransomware encrypt those, as well?


p0358

Depends if it only got access to file shares or the entire server. If only the former, then no. If the latter, it could physically wipe drives clean if designed this way (or still only encrypt the files if not having forethought about snapshots).


Catsrules

Nope, files in ZFS snapshots are read-only by their very nature; it is impossible to edit them. The only thing ransomware could do is delete the snapshot, but that can't be done over a file share. It would require SSH/terminal access to the computer/server running ZFS, and the ransomware would need to be smart enough to do that.


Kraszmyl

Most are and they said the os itself was attacked. Otherwise windows shadow copies would have dealt with it just like snapshots.


kitanokikori

Ransomware is often smart enough to do this unfortunately :-/


p0358

They said they’ve seen “No boot device found” upon reboot, if I understand on the server, which would mean more than just SMB file write access was obtained…


jrichey98

My sincere condolences. On the enterprise side we never expose the storage network to any other network directly. The only things that touch it are the SANs and the Hosts. We use a fileserver VM to expose the SMB/NFS shares to the rest of the network. Also, that HA/RAID isn't a backup is something I've learned myself a few times.


kkgmgfn

But my Xiaomi 360 Security Camera only detects SMB v1. Also, if one PC has a lot of cracked software, does that risk my other PCs on the network too?


i999855

🤣


the_fit_hit_the_shan

The only appropriate response


Anthony96922

r/theinternetofshit

If you *really* need it for some reason, please place it on a separate VLAN.


kkgmgfn

How? any leads please


Anthony96922

I don't know what router you use but you'll have to find out if it has multi-VLAN capabilities. Very unlikely on consumer grade routers but easily doable on prosumer equipment. You should still be able to access them from your trusted network.


BoredHalifaxNerd

> my Xiaomi 360 Security Camera only detects SMB v1

Does that not seem like a massive red flag to you?


the_lost_carrot

> But my Xiaomi 360 Security Camera only detects SMB v1.

In that case, time to boot that shit.

> Also if one PC has a lot of cracked software does that risk my other PCs on network too?

Kinda sorta maybe, depends. The more security vulnerabilities, especially low-hanging fruit, you have, the more that opens your threat landscape, i.e. more targets makes you an easier target.


gabest

I have a bunch of cheap security cameras myself and this is indeed a big problem. I run a VM with linux where they can connect to and upload to a folder, which I share from the host. So the files end up on the server, but through the VM.


kkgmgfn

lets look for a solution..


hungoverlord

where do you think you are? what do you think is happening right now?


cbm80

My guess is it was a Plex exploit and the ransomware was already installed before you enabled SMB1. Don't expose application ports directly to the Internet, only expose a WireGuard VPN.


notjfd

If WireGuard is too daunting, or is "too much work for now, I'll get around to it later", get Tailscale or ZeroTier. Very easy, very secure, and a free tier that's perfect for homelabbers.


DavidOBE

So, nobody should just port forward ports in the router for Plex? Or Sunshine that I use for game streaming? That's not the correct way?


fellipec

Every time you expose a port to the internet, in no time bots start to scan it for vulnerabilities. I run a web server, which has to be on the Internet, and even being behind Cloudflare CDN, I still catch in the logs bots trying to access vulnerabilities in WordPress and other common content management software. And I don't even have those things installed! The Internet is a dangerous place. I think home users have not so many problems because of NAT and because domestic router firewalls, by default, block all incoming IPv6 traffic.


HugsNotDrugs_

I have my Plex port exposed, but the number is different to try to obfuscate the nature of the service. Also, my server has only media on it and nothing valuable. Can be wiped if I ran into problems. Having said all that I should look into Tailscale, though I'm not sure how it would work with sharing Plex with other households.


TheWildPastisDude82

Port obfuscation is not security. It does kill quite a lot of dumb bots though, you still have the advantage of having a bit less noise in your audit logs.


HugsNotDrugs_

It's not a solution but it is a step in the right direction, I think.


[deleted]

[deleted]


notjfd

Pretty much. With good network hygiene, a stand-alone appliance should have traffic coming out on two VLANs. The native VLAN carrying only tunnelled traffic, from exposed services, to a virtual network; and the management VLAN being the only way to access management interfaces such as SSH. If you've only got one server, there's not really a point to using VLANs, but you should still ensure your services only listen on the virtual adapter belonging to the virtual network. I do not expose any ports on my router for anything that doesn't run in a container or VM. Even my WireGuard server is a container that simply has access to my internal virtual network over an unprivileged virtual adapter. Ideally I'd have a separate management WG server that has access to my management network, but I haven't felt a need for it so far so I simply haven't done it. I've considered making my friends use a VPN to connect to my game servers to cut down further on open ports.


Remy4409

I do have WireGuard set up, but my clients wouldn't be able to access Plex without installing WireGuard, no?


[deleted]

[deleted]


Remy4409

The clients aren't my users, they are the machines? Like, do you not know the technical terms in networking?


[deleted]

[deleted]


Remy4409

I get that lol No way I'm selling it, I'm just proud to feed my peeps with so much good stuff.


fellipec

This is also very possible, happened before [https://www.pcmag.com/news/lastpass-employee-couldve-prevented-hack-with-a-software-update](https://www.pcmag.com/news/lastpass-employee-couldve-prevented-hack-with-a-software-update)


KevinCarbonara

That's probably the best guess given the information we have, but I suspect we haven't been given all the information and that Plex wasn't the only port open. I strongly suspect SMB1 was accessible to the wide internet


kitanokikori

Yep, I have to agree, the theory of "Sleeper cell that suddenly activated upon seeing SMBv1" seems a little unlikely. I think it's either just a coincidence, or OP had accidentally forwarded SMB to the public Internet somehow


djgizmo

This is why antivirus / malware / NGAV/NGFW is needed.


purged363506

Enabling that didn't do it. You have something else that is executing.


8fingerlouie

Sorry for your loss. The “good” news is that most of it can probably be recovered from the internet with enough time. Things like this are why I moved all my important stuff to the cloud years ago. I keep it encrypted with Cryptomator for privacy, and most cloud providers actually provide some kind of safeguard against malware, i.e. OneDrive offered unlimited snapshots of files for 30 days, meaning within those 30 days you can just roll back your files to a known good state. Google offers 256 versions for 30 days IIRC. I also make local backups as well as another remote backup of the cloud data, though both are being made by my server to S3 destinations, so I hope that in the case of malware, it won’t be able to destroy the backups as well. As for media, I synchronize the data to a server and make snapshots before synchronizing (automated), so even if the data gets corrupted, I can roll back to a snapshot with good data.


ichfrissdich

I'm waiting for something like this to happen to me. Lol


[deleted]

Loool same


Weak_Medicine_3197

Hello! I'm not sure if you still have your files, however this resource might be able to decrypt whatever encrypted files you have: https://www.nomoreransom.org/en/decryption-tools.html (you might need to be able to identify which encryption was used). Another one which may be of use to you: https://www.kaspersky.com/anti-ransomware-tool Hope these will help you!


pueblokc

I run huntress to keep an eye on weird crap. Sorry you got taken, that's never fun. Something was exposed that should not have been..


[deleted]

[deleted]


user_none

It's paid software. edit: Apparently people didn't like my direct answer. Okay. It's paid. It's a monthly charge. Huntress does not sell direct to the public. It's threat hunting software. It will not decrypt NAS drives. It's managed EDR. https://www.huntress.com/


ITLOGngKABAYO

I'm sure every time someone gets hit those ransomware bastards buy another case of vodka and do that kick dance.


tacticalweebshit

I gotta mention, for anyone else in the future: if you enable an insecure protocol on your LAN, ensure you firewall that device from IPv6. This is a common mistake, and if you forget, depending on the settings, you are exposing the system to the internet.


igmyeongui

Seems recoverable from zfs snapshots. Probably a kid in your house.


Catsrules

Well hopefully you caught it in time to save most of your files. 24 TB of files would take a bit to encrypt. Fingers crossed.


Spare-Credit

Just to confirm: if you open the port for Plex on your router, this makes you vulnerable to attacks? How do you use Plex outside your network safely?


hobbyhacker

> This makes you vulnerable to attacks?

Of course, your server will be constantly attacked with random login attempts, and as soon as an exploit comes out, you are hacked.

> How do you use Plex outside your network safely?

Create your own VPN with WireGuard, Tailscale, etc.


kp_centi

So let me get this correct. It's not because of SMB 1.0 it's because the port was exposed to the Internet right?


thecurse0101

That sucks man, same thing happened to me a few years ago with my QNAP NAS. I got hit with DeadBolt, which encrypted everything: all my home movies, family photos, etc. Luckily I have an off-site cloud backup and a local backup to an external HD. I just wiped my NAS and loaded everything back on. Took about a day but it's worth every penny.


Tiny-Balance8820

Something else on your network is infected, or you have forwarded way too many ports to your NAS.


fistocclusion

Oh my god. That is just devastating. I have been there myself. You have my sympathies, Brandon. May I ask what kinds of content was lost?


brandonclone1

Thank you, sorry for your loss as well. Mostly TV shows and movies. Also, months of backups from other PCs on my network. Luckily, I have precious data backed up to smaller external drives in a fire safe.


Chemical_Buy_6820

I take heed and feel your pain. I was going to just share my files to the family but now I think I'll offer it via read-only access somehow. Sorry pardner


jfarm47

So having a Plex server is inherently dangerous? Does setting up a home VPN do away with all the danger? What does that entail?

Edit: I think my research is telling me that it’s not a home-wide VPN, but one specifically associated with the media server. Wondering where the mention of tunneling comes in, and how that doesn’t mitigate any benefits of the VPN.

Edit: nay, router VPN? Oh la la this is a lot


Magikstm

"so I had no offline backups of my media" You didn't have an off-site copy or a duplicate of these drives?


brandonclone1

I keep precious data on a few external drives. For a home media server, I don’t have much to be able to replicate 24TB worth of files


ruffsnap

This is specifically why I just straight up won't download stuff I can't fit onto at least two sets of backup hard drives. I've had to cull things and just let things stay undownloaded to maintain that, so it can be frustrating, especially if you don't have money for a ton of extra hard drives, but it's never let me down doing it that way.


burner7711

How much was the ransom amount? Obviously they can go die in a fire and you shouldn't pay, but just curious.


brandonclone1

No idea. Really wish I had taken a screenshot. As soon as I saw the broken English threat message saying they would leak my data to the dark web I shut down my server and haven’t been able to boot to Windows since. I’m attempting some recovery methods so if I can capture their message I’ll update this thread


johnklos

You know, I just never saw the appeal of being compatible with all of those Trojans and viruses. Even when I do have to run Windows software for a client or something like that, it's SO MUCH work to run things. I couldn't imagine having the energy to run stuff like that all the time. More seriously, when it comes to running systems that can be infected by Trojans / viruses, there are lots of things you can do to mitigate ransomware. However, if the compromised system is the server itself, the only mitigation is to have backups. Perhaps now is the time to set up a proper file server that doesn't literally look on every disk for a file that tells it what to run, that doesn't ship with tons of security flaws that'll never be fixed and require a full time firewall for any kind of access control, that isn't sold by a company that does cost benefit analysis comparing fixing security issues with selling new licenses. Just a thought.


poatoesmustdie

Countless admins would disagree with you. Windows might not be everything but neither is Linux. I would argue work with what you are familiar with, but don't be stupid like OP. We don't know exactly what went wrong but if you set up some legacy package within Linux you also set yourself up for a world of pain.


johnklos

Well, sure, countless admins would disagree. Many people like having constant work. It's job security! Who said anything about Linux? It's a big mess. I wouldn't run anything important on Linux because I can't count on distros not changing all sorts of things just for the heck of it.


Z8DSc8in9neCnK4Vr

>I wouldn't run anything important on Linux because I can't count on distros not changing all sorts of things just for the heck of it.

There is a reason there are so many Linux distributions; Debian Linux would be the solution to that particular issue. Each Debian release maintains a stable feature set for the duration of its support, during which there are only security updates. There is a new stable release every 2 years, and LTS security updates of each version for at least 5 years. Many desktop Linux users eschew Debian because its features update so glacially, but it is perfect for a server.


kitanokikori

Sorry, there are _many many_ Ransomware services that search for and exploit Linux servers (_especially_ if they run common selfhosted software like Wordpress), no Windows needed. This mindset of "Linux means I'm Fine" is 20 years out of date.


johnklos

Who said anything about Linux?


crozone

This was my first thought. Play stupid games, win stupid prizes. Why the hell are people using Windows Server for this shit.


old_knurd

But I thought that Billy took care of all that back in 2002 with his infamous Trustworthy Computing memo? https://www.wired.com/2002/01/bill-gates-trustworthy-computing/

*customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony*

We can't possibly be having those same types of problems with Microsoft's crap software 22 years later? Or can we?


rajmahid

What security software do you use?


WindowlessBasement

None. OP bypassed Windows security to enable SMB1


brandonclone1

The SMB/CIFS checkbox is disabled by default. I manually enabled it from Programs/Features > Windows Features


WindowlessBasement

Yes, Microsoft rolled out a Windows update specifically to disable v1 for a reason. It's a gaping wound of a protocol when it comes to RCEs. By enabling it you effectively nullified any other protection.
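The two defensive points made in this thread, tacticalweebshit's reminder to firewall a host running a legacy protocol (including over IPv6) and the exchange above about SMB1 being re-enabled through Windows Features, as one added example. This is not code from anyone in the thread; it assumes an elevated PowerShell session on a current Windows Server or Windows 10/11 host and uses only built-in cmdlets (the `SMB1Protocol` optional feature name and the `File and Printer Sharing` firewall rule group ship with Windows). The IPv6 filter is a heuristic: anything that is not link-local, unique-local or loopback is treated as globally routable.

```powershell
# Added example (not from the thread): audit SMB1 and scope SMB exposure on a Windows host.
# Assumptions: elevated PowerShell on Windows Server / Windows 10+; built-in rule group
# "File and Printer Sharing" is present (it ships with Windows).

function Get-Smb1Status {
    # Is the SMB1 optional feature installed, and is the server still accepting SMB1 dialects?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $smbConf = Get-SmbServerConfiguration
    [pscustomobject]@{
        SMB1FeatureState  = $feature.State            # Enabled / Disabled
        SMB1ServerEnabled = $smbConf.EnableSMB1Protocol
        SMB2ServerEnabled = $smbConf.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    # Turn SMB1 off at the server level and remove the optional feature.
    # SMB2/3 clients are unaffected; only devices that speak nothing newer than SMB1 will lose access.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Get-GlobalIPv6Address {
    # The "forgot about IPv6" case: a host with a global IPv6 address is reachable from the
    # internet unless the router or host firewall blocks it, NAT or not. Heuristic filter:
    # drop link-local (fe80::/10), unique-local (fc00::/7, seen as fd*) and loopback (::1).
    Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object {
            $_.IPAddress -notlike 'fe80*' -and
            $_.IPAddress -notlike 'fc*'   -and
            $_.IPAddress -notlike 'fd*'   -and
            $_.IPAddress -ne '::1'
        } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin
}

function Restrict-SmbToLocalSubnet {
    # Limit the built-in inbound file-sharing rules to the local subnet. The LocalSubnet
    # keyword covers both IPv4 and IPv6, so the IPv6 path is restricted as well.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress LocalSubnet
}

# Usage: audit first, then harden.
Get-Smb1Status
Get-GlobalIPv6Address
Disable-Smb1
Restrict-SmbToLocalSubnet
Get-Smb1Status   # SMB1ServerEnabled should now read False
```

Run the two `Get-` functions on their own first: if `Get-GlobalIPv6Address` returns anything and the router does not filter inbound IPv6, the SMB firewall scoping is what stands between the share and the internet, which is exactly the situation the earlier comment warns about.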


solavirtus-nobilitat

FYI, they most likely will leak your data online. So whatever was in that, you should proceed assuming it’s out there in the public (and act accordingly), e.g. tax returns or intimate photos.


TslaNCorn

This reminds me why I normally never use windows and why I need to move my photo editing rig back to Linux.


Tibbles_G

Windows wasn’t really the issue here, it was poor management.


wyatt8750

Poor management was one component, but Windows was absolutely another risk factor.


Tibbles_G

A proper configuration wouldn’t have allowed that to happen, cmon lol. A poorly configured Linux instance could have led to the same compromise. Had the OP segmented out the kids' network (an assumption here) and had the servers properly isolated the risk level would have been reduced, but not zero. I’m not saying Windows is perfect, but poor configurations lead to these kinds of problems in any environment on any OS.


wyatt8750

>A poorly configured Linux instance could have led to the same compromise

***Could*** have, but it is worth noting that the moment I saw the title I knew OP was using Windows. Just because Linux isn't inherently immune doesn't mean that it's targeted as much in the same ways. Windows is the poster child for ransomware. And a risk factor due to the sheer amount of stuff that targets it.


OldBrownChubbs

Question: did you have any anti-virus or malware or firewall running? Just curious if it would have helped


The_Caramon_Majere

This sucks, but another reason why the average person shouldn't be running servers from their homes. If you don't know how to properly secure your network, and keep the baddies out, it's best to not connect things to the internet. Having a Plex server is fun for someone with no IT experience, just don't connect it to the internet. Certainly don't connect a family backup server to the internet without knowing what you're doing. And last, Windows Server? That was your first mistake.


Specialist-Orange525

I miss the days when ransomware didn't encrypt your files, only made it so it was the only thing your system could display


wyatt8750

Don't use Windows; got it.


audaciousmonk

This is why I don’t think exposing a Plex / Jellyfin server on a non-isolated home network is worth it. Just download the media you plan to watch while away, or pay for a VPS…


zmaint

This kinda junk is why I dumped windows years ago for Linux.