Koozali.org: home of the SME Server

Wannacry/Wannacrypt SMB flaw - checking SME 9.x not vulnerable, please confirm

Daniel B.

Firewall Services, network security
The SMB exploit is just one way to propagate the ransomware. A malicious email is another possible one. And if a workstation behind SME is infected, it can then infect the other workstations through the SMB exploit, without SME being able to do anything. So no, SME itself is not vulnerable, but it doesn't protect you 100% (because 100% protection is not possible)
It's the end of the world!!! :lol:

brianr

Quote
The SMB exploit is just one way to propagate the ransomware. A malicious email is another possible one. And if a workstation behind SME is infected, it can then infect the other workstations through the SMB exploit, without SME being able to do anything. So no, SME itself is not vulnerable, but it doesn't protect you 100% (because 100% protection is not possible)

That is true in general for ransomware and other assorted nasties, but from what that article indicated, this one only used the SMB exploit.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

p-jones
Quote
SME itself is not vulnerable, but it doesn't protect you 100% (because 100% protection is not possible)

I can vouch that it is NOT 100% protected.

I have just done a big cleanup/recovery from an attack. Whilst the integrity of the core SME 9.2 remained intact, several ibays were totally trashed to the point of being 100% unusable and unrecoverable.
(and for good measure, there seems to be a bug in the 'restore selective files from workstation' which prevented it from being useful - another topic which I will create a bug report for.)

ReetP

Quote
I can vouch that it is NOT 100% protected.

Be very careful exactly what you say so as not to mislead users. You are wrong.

As you note, SME *itself* won't get attacked by this and is not vulnerable as mentioned. As you discovered, SME core was fine, and fortunately that enabled you to sort out the mess left behind by your users and their infected desktops (hint: drop Microsoft desktops for a happier sysadmin experience!)

Quote
I have just done a big cleanup/recovery from an attack. Whilst the integrity of the core SME 9.2 remained intact, several ibays were totally trashed to the point of being 100% unusable and unrecoverable.
(and for good measure, there seems to be a bug in the 'restore selective files from workstation' which prevented it from being useful - another topic which I will create a bug report for.)

Any files stored on SME appear as normal network files and can therefore be subject to being encrypted by an infected client, as you found out.

That isn't SME's fault....
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

p-jones
Quote
Be very careful exactly what you say so as not to mislead users. You are wrong.

I don't believe anything I have said is WRONG. To suggest, directly or by implication, particularly to newbies, that installing ANY flavoured Linux server will leave them 'safe' because Linux is immune is in itself misleading.

As a general concept, the average user doesn't give a toss about the server-core, they care about the user data. The server-core is also easy to sort, the user data is usually irreplaceable. Collateral damage

Quote
As you discovered, SME core was fine
That did not negate the necessity to have to do a full re-install and restore to recover, mainly because a selective file restore would not play nice.

Quote
mess left behind by your users and their infected desktops
One can give users good tools but it is not easy to control what they do with them after.

Quote
(hint drop Microsoft desktops for a happier sysadmin experience!)
I / We all wish !!

Backups in my situation are done to a NAS4FREE box. Miscellaneous files on that also got trashed BUT because the backup was written by Linux, with Linux permissions not MS permissions, that seemed to be a saving grace, leaving the backup integrity 100% good.

Quote
That isn't SMEs fault....
I am not blaming SME, I am just telling my experience how it is, namely running SME or Linux server does not leave one 100% safe from grief & this piece of malware, direct or indirect. (FACT)

Gotta say, computing was a whole lot easier and safer before we all had internet and email on every desktop !!!

guest22

Quote
another topic which I will create a bug report for.)

Please open a bug per topic, but please do so.

p-jones

bug 10356

guest22

As a heads-up, it seems that currently (June 27, 2017) there is another 'attack' under way

ReetP
You said (and note the name of the thread):

I can vouch that it is NOT 100% protected.

Yup, nothing is 100% protected, but in THIS instance it is about making the distinction between the server itself and any user data.

With this particular infection the server itself will be OK, even if user data isn't.

Quote
As a general concept, the average user doesn't give a toss about the server-core, they care about the user data. The server-core is also easy to sort, the user data is usually irreplaceable.

Indeed, users don't, but they are hardly likely to be frequenting this forum. So the advice for sysadmins (and there are a lot of inexperienced ones here) should be that Wannacry/pt may totally trash your users' data, but it will not affect your core server components. Restoration of user data from backup may be required.

Quote
Collateral damage
That did not negate the necessity to have to do a full re-install and restore to recover, mainly because a selective file restore would not play nice.
One can give users good tools but it is not easy to control what they do with them after.

Nope. But that isn't the fault of the server. It is just doing what it was asked to do.

As an addendum it also demonstrates the value of having a backup that can be physically disconnected from the server and removed, just for good measure.

Quote
I / We all wish !!

Easy.... :-)

Quote
I am not blaming SME, I am just telling my experience how it is, namely running SME or Linux server does not leave one 100% safe from grief & this piece of malware, direct or indirect. (FACT)

Does not leave one's DATA free from grief. And that is the point of this particular thread.

Quote
Gotta say, computing was a whole lot easier and safer before we all had internet and email on every desktop !!!

Or before the scammers got involved and buggered it all up :-)

B. Rgds
John

guest22

JFYI: Maersk Rotterdam went down, but now they are down globally...

http://www.maersk.com/en