Long terrible horror story cut short: A hobby site of mine, based on Drupal, was exploited by an RFI that deployed a rootkit, which then owned all my boxes connected to that host (thanks to password-less and convenient ssh certs used for rsync jobs to back up my site to my desktop, then to my NAS and (thankfully) CrashPlan). It eventually encrypted everything on all systems that were not actual system files, and left me a ransom note.
tl;dr : Ransomware victim has all files in zfs pool encrypted.
When I look at my snapshots, I see several, so I am optimistic. I roll back without error, but the encrypted files are still on the file system. I delete files, roll back, and they don't re-appear.
I wonder what I am missing, or if the entire FreeNAS system is also owned. I must believe it is, and therefore I know I need to burn it to the ground and start over, but I would really like to retrieve some data first....
Here are my available snapshots:
[root@nas] /mnt# zfs list -t snapshot
NAME USED AVAIL REFER MOUNTPOINT
Titan@auto-20160408.1700-2w 160K - 599K -
Titan@auto-20160412.1700-2w 0 - 599K -
Titan@auto-20160412.1800-2w 0 - 599K -
Titan@auto-20160413.0900-2w 0 - 599K -
Titan@auto-20160413.1000-2w 0 - 599K -
Titan@auto-20160413.1100-2w 0 - 599K -
Titan@auto-20160413.1200-2w 0 - 599K -
Titan@auto-20160413.1300-2w 0 - 599K -
Titan@auto-20160413.1400-2w 0 - 599K -
Titan@auto-20160413.1500-2w 0 - 599K -
Titan@auto-20160413.1600-2w 0 - 599K -
Titan@auto-20160413.1700-2w 0 - 599K -
Titan@auto-20160413.1800-2w 0 - 599K -
Titan@auto-20160414.0900-2w 0 - 599K -
Titan@auto-20160414.1000-2w 0 - 599K -
Titan@auto-20160414.1100-2w 0 - 599K -
Titan@auto-20160414.1200-2w 0 - 599K -
Titan@auto-20160414.1300-2w 0 - 599K -
Titan@auto-20160414.1400-2w 0 - 599K -
Titan@auto-20160414.1500-2w 0 - 599K -
Titan@auto-20160414.1600-2w 0 - 599K -
Titan@auto-20160414.1700-2w 0 - 599K -
Titan@auto-20160414.1800-2w 0 - 599K -
Titan@auto-20160415.0900-2w 0 - 599K -
Titan@auto-20160415.1000-2w 0 - 599K -
Titan@auto-20160415.1100-2w 0 - 599K -
Titan@auto-20160415.1200-2w 0 - 599K -
Titan@auto-20160415.1300-2w 0 - 599K -
Titan@auto-20160415.1400-2w 0 - 599K -
Titan@auto-20160415.1500-2w 0 - 599K -
Titan@auto-20160415.1600-2w 0 - 599K -
Titan@auto-20160415.1700-2w 0 - 599K -
Titan@auto-20160415.1800-2w 0 - 599K -
Titan@auto-20160416.0900-2w 0 - 599K -
Titan@auto-20160416.1000-2w 0 - 599K -
Titan@auto-20160416.1100-2w 0 - 599K -
Titan@auto-20160416.1200-2w 0 - 599K -
Titan@auto-20160416.1300-2w 0 - 599K -
Titan@auto-20160416.1400-2w 0 - 599K -
Titan@auto-20160416.1500-2w 0 - 599K -
Titan@auto-20160416.1600-2w 0 - 599K -
Titan@auto-20160416.1700-2w 0 - 599K -
Titan@auto-20160416.1800-2w 0 - 599K -
Titan@auto-20160417.0900-2w 0 - 599K -
Titan@auto-20160417.1000-2w 0 - 599K -
Titan@auto-20160417.1100-2w 0 - 599K -
Titan@auto-20160417.1200-2w 0 - 599K -
Titan@auto-20160417.1300-2w 0 - 599K -
Titan@auto-20160417.1400-2w 0 - 599K -
Titan@auto-20160417.1500-2w 0 - 599K -
Titan@auto-20160417.1600-2w 0 - 599K -
Titan@auto-20160417.1700-2w 0 - 599K -
Titan@auto-20160417.1800-2w 0 - 599K -
Titan@auto-20160418.0900-2w 0 - 599K -
Titan@auto-20160418.1000-2w 0 - 599K -
Titan@auto-20160418.1100-2w 0 - 599K -
Titan@auto-20160418.1200-2w 0 - 599K -
Titan@auto-20160418.1300-2w 0 - 599K -
Titan@auto-20160418.1400-2w 0 - 599K -
Titan@auto-20160418.1500-2w 0 - 599K -
Titan@auto-20160418.1600-2w 0 - 599K -
Titan@auto-20160418.1700-2w 0 - 599K -
Titan@auto-20160418.1800-2w 0 - 599K -
Titan@auto-20160419.0900-2w 0 - 599K -
Titan@auto-20160419.1000-2w 0 - 599K -
Titan@auto-20160419.1100-2w 0 - 599K -
Titan@auto-20160419.1200-2w 0 - 599K -
Titan@auto-20160419.1300-2w 0 - 599K -
Titan@auto-20160419.1400-2w 0 - 599K -
Titan@auto-20160419.1500-2w 0 - 599K -
Titan@auto-20160419.1600-2w 0 - 599K -
Titan@auto-20160419.1700-2w 0 - 599K -
Titan@auto-20160419.1800-2w 0 - 599K -
Titan/jails/.warden-template-pluginjail@clean 224K - 894M -
So I restore one:
[root@nas] /mnt# zfs rollback -r Titan@auto-20160419.1800-2w
[root@nas]
Now I check the results:
[root@nas] /mnt# ls -l /mnt/Titan/AudioBooks/
-rw-r--r-- 1 root wheel 8535 Apr 21 16:51 AlbumArtSmall.jpg.gpg
-rw-r--r-- 1 root wheel 37340 Apr 21 16:52 Folder.jpg.gpg
-rw-r--r-- 1 root wheel 27827854 Apr 21 16:53 Louie CK Unmasked 2008-07-12 CF64k.mp3.gpg
-rw-r--r-- 1 root wheel 562 Apr 21 16:51 README_FOR_UNLOCK.txt
Exact same as before. Those encrypted files are also owned by root. They weren't before.
Am I out of luck here?
Many thanks!!
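One thing worth checking before concluding that the NAS itself is owned: ZFS snapshots belong to a single dataset. A snapshot of `Titan` holds only the data stored directly in `Titan`, not anything in a child dataset such as a `Titan/AudioBooks`, and `zfs rollback` on the parent leaves every child dataset untouched (`-r` only destroys the parent's newer snapshots; it does not recurse into children). In the listing above every `Titan` snapshot REFERs 599K, far less than the single 27 MB mp3 in `/mnt/Titan/AudioBooks`, which is consistent with that directory living in a dataset of its own that has no snapshots. The helpers below, added here as an example (they are not from the post or from FreeNAS), answer "which dataset owns this path, and does that dataset have any snapshots of its own?" The dataset table is a constructed, hypothetical layout, since the post does not show `zfs list` output; the snapshot names are an abbreviated copy of the ones in the post.

```shell
#!/bin/sh
# Added example (not from the post): ZFS snapshots belong to one dataset.
# A snapshot of "Titan" does not contain data that lives in a child dataset
# such as "Titan/AudioBooks", and "zfs rollback" on the parent leaves every
# child dataset exactly as it is. These helpers answer "which dataset owns
# this path, and does that dataset have any snapshots of its own?"

# Constructed stand-in for `zfs list -H -o name,mountpoint`. The layout is
# hypothetical; the poster's real layout is not on the page. (zfs prints
# tab-separated columns with -H; awk splits on tabs and spaces alike.)
DATASETS='Titan /mnt/Titan
Titan/AudioBooks /mnt/Titan/AudioBooks
Titan/jails /mnt/Titan/jails'

# Constructed stand-in for `zfs list -H -t snapshot -o name`, abbreviated to
# three of the names shown in the post.
SNAPSHOTS='Titan@auto-20160408.1700-2w
Titan@auto-20160419.1800-2w
Titan/jails/.warden-template-pluginjail@clean'

# dataset_for_path PATH: the dataset whose mountpoint is the longest prefix of PATH
dataset_for_path() {
    printf '%s\n' "$DATASETS" | awk -v p="$1" '
        {
            mp = $2
            # PATH is either the mountpoint itself or somewhere below it
            if (p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best = $1; best_len = length(mp) }
            }
        }
        END { print best }'
}

# snapshot_count DATASET: snapshots taken of exactly that dataset (not of
# its parents or children)
snapshot_count() {
    printf '%s\n' "$SNAPSHOTS" | awk -F'@' -v d="$1" '$1 == d { n++ } END { print n + 0 }'
}

# recoverable_from_snapshot PATH: "yes (dataset)" when the owning dataset has
# at least one snapshot to roll back to or copy from, otherwise "no (...)".
recoverable_from_snapshot() {
    ds=$(dataset_for_path "$1")
    if [ -z "$ds" ]; then
        echo "no (path is not on any listed dataset)"
    elif [ "$(snapshot_count "$ds")" -gt 0 ]; then
        echo "yes ($ds)"
    else
        echo "no ($ds has no snapshots)"
    fi
}

# Stand-alone run: the directory from the post versus a hypothetical sibling
# directory that lives directly in the parent dataset.
recoverable_from_snapshot /mnt/Titan/AudioBooks
recoverable_from_snapshot /mnt/Titan/Photos/2016
```

On the real system the two constructed tables are replaced by `zfs list -H -o name,mountpoint` and `zfs list -H -t snapshot -o name`; `zfs list -r -t snapshot Titan/AudioBooks` lists snapshots of just that dataset. Whatever the layout turns out to be, a snapshot's contents can be inspected read-only under `/mnt/<dataset>/.zfs/snapshot/<snapshot-name>/` without rolling anything back, which is the safer first step on a host that may still be compromised.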
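The spread described in the opening paragraph came from an unrestricted, passphrase-less ssh key that the web host held for pushing rsync backups to the desktop and NAS. As an added example (not from the post or from FreeNAS), the fragment below shows the arrangement inverted: the NAS holds the key and pulls from the web host, and the web host's `authorized_keys` entry confines that key to the `rrsync` wrapper shipped with rsync, read-only, rooted at one directory, with no shell, PTY or forwarding, and accepted only from one source address. A compromise of the web host then yields no credential that reaches the backup side at all. The path to `rrsync`, the directory, the address (from the RFC 5737 documentation range) and the key material are placeholders.

```text
# /home/backup/.ssh/authorized_keys on the web host (added example; placeholders throughout).
# The NAS connects with this key and may only run rrsync in read-only mode against
# /var/www/site; any other command, an interactive login, or a connection from another
# address is refused by sshd.
command="/usr/local/bin/rrsync -ro /var/www/site",from="203.0.113.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...EXAMPLE-PUBLIC-KEY... nas-backup-pull
```

With this in place the NAS runs `rsync -a backup@webhost:/ /mnt/Titan/site-backup/` (the path is relative to the rrsync root) on its own schedule, and the only credential involved never leaves the NAS. The snapshots on the NAS then protect the backup copy even if the source is encrypted, provided the dataset that actually holds the copy is the one being snapshotted.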