Showing posts with label security.

Friday, June 30, 2017

Prevent Petya/Petwrap/NotPetya Ransomware Attack

This week, new ransomware called Petrwrap (NotPetya) attacked Windows PCs across the globe. It locks the hard drive's MFT and MBR sections, preventing the computer from booting. Unless victims pay the attackers $300 in Bitcoin (which is not recommended), there is no way to recover their systems.


Fortunately, Amit Serper (a security expert) has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting a computer. The solution is to create the file C:\Windows\perfc and make it read-only. This batch file does it quickly: https://github.com/vnheros/utilscripts/blob/master/nopetyavac.bat. It also creates perfc.dat and perfc.dll for extra safety. Run it with Administrator rights:
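The same kill-switch files the linked batch file creates, as an added Python example (it is not the batch file and not code from this post); the function names and the optional directory argument are my assumptions, and writing into C:\Windows requires Administrator rights:

```python
import os
import stat
from pathlib import Path

# Files the linked batch file creates: perfc is the one reported by Amit Serper;
# perfc.dat and perfc.dll are the extra copies the script adds.
KILLSWITCH_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def _windows_dir(windows_dir):
    # Default to %SystemRoot% (normally C:\Windows); passing a path lets you test elsewhere.
    return Path(windows_dir or os.environ.get("SystemRoot", r"C:\Windows"))


def create_killswitch_files(windows_dir=None):
    """Create each kill-switch file (empty) and mark it read-only.
    Returns {name: 'created' | 'exists'} so you can see what changed."""
    base = _windows_dir(windows_dir)
    status = {}
    for name in KILLSWITCH_NAMES:
        path = base / name
        if path.exists():
            status[name] = "exists"
        else:
            path.touch()  # content is irrelevant; only the file's presence matters
            status[name] = "created"
        # Clear every write bit; on Windows os.chmod maps this to the read-only attribute.
        path.chmod(stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return status


def verify_killswitch_files(windows_dir=None):
    """Report, per file name, whether the file exists and is read-only."""
    base = _windows_dir(windows_dir)
    report = {}
    for name in KILLSWITCH_NAMES:
        path = base / name
        report[name] = path.is_file() and not (path.stat().st_mode & stat.S_IWRITE)
    return report


if __name__ == "__main__":
    print(create_killswitch_files())
    print(verify_killswitch_files())
```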




Here are the email addresses used to send the infected attachments (do not open email received from these addresses):
  • wowsmith123456@posteo.net
  • iva76y3pr@outlook.com
  • carmellar4hegp@outlook.com
  • amanda44i8sq@outlook.com
Other required actions are:
  • Update Windows, especially with the patches for MS17-010 and CVE-2017-0199.
  • Disable the SMB ports: 445/137/138/139
  • Remove the WMIC (Windows Management Instrumentation Command-line) tool
Hope you are safe after this attack storm!

Monday, January 9, 2017

Install Microsoft Security Essentials In Windows Server 2008 to 2012 R2

Microsoft Security Essentials (MSE) is a free tool that helps guard your Windows computer against viruses and other malware. In previous years MSE was not among the top security products for Windows, but Microsoft is now investing heavily in security and it is climbing toward the top. So it is worth having MSE on your Windows server to protect it. MSE also uses fewer resources than other antivirus programs, so it does not impact server performance much.

Unfortunately it runs only on Windows desktop editions; it cannot run on Windows Server by default. However, you can make it work with the following steps:

1. Go to this link: https://support.microsoft.com/en-us/help/14210/security-essentials-download, choose the right version for your server (32-bit or 64-bit) and download mseinstall.exe

2. As an Administrator user, right-click mseinstall.exe and choose Properties

3. Select the Compatibility tab, then choose "Run this program in compatibility mode for" Windows 7. Click OK.

4. Open a command prompt, change to the folder containing mseinstall.exe and run the command below:
mseinstall.exe /disableoslimit

5. Follow the remaining steps and enjoy MSE on your Windows server.

You can download an EICAR test file from https://www.eicar.org/86-0-Intended-use.html to check that MSE is working.

Note on updating MSE:
When running Windows Update you may see a new update for MSE, but its installation will fail.
After Windows Update has tried and failed, open the folder C:\Windows\SoftwareDistribution\Download\Install; you should see an UpdateInstall.exe file. Apply steps 3 and 4 above to this file, and then the update will install.

Good bye and good luck!
Any comment is welcome.


Friday, November 28, 2014

Windows Server: prevent anonymous login and ban IP of attacker

On Windows Server 2008 R2 / Windows Server 2012 you can disable anonymous login using the Local Group Policy Editor. To open it: click the Start button, type gpedit.msc in the Start Search box, and press ENTER.

Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 6 policies that control what information can be accessed anonymously:
1. Network access: Allow anonymous SID/Name translation
2. Network access: Do not allow anonymous enumeration of SAM accounts
3. Network access: Do not allow anonymous enumeration of SAM accounts and shares
4. Network access: Let Everyone permissions apply to anonymous users
5. Network access: Named Pipes that can be accessed anonymously
6. Network access: Shares that can be accessed anonymously

Disable policies 1 and 4, enable policies 2 and 3, and leave policies 5 and 6 empty.

Disabling anonymous login is not enough to prevent attacks on your Windows Server; you should buy and install an application like Symantec Endpoint Protection to protect your server with more advanced functions.

However, if your server only runs SQL Server and you use Remote Desktop to manage it, you can build a security layer yourself. First, change the default service ports of Remote Desktop and SQL Server. Second, use IPBan, written by Jeffrey N. Johnson: a free tool that tracks every IP address that invokes services on your server and, when the number of failed events reaches a predefined threshold, blocks that IP in Windows Firewall with Advanced Security using a blocking rule.

If you like coding, you can download the IPBan source code from here; otherwise you can download its binary from here (requires .NET Framework 4). Below are the main configuration steps to get it up and running:
1. Configure Remote Desktop Session Host Configuration to log the client IP address in the event log. To run it: click the Start button, type Remote Desktop Session Host Configuration in the Start Search box, and press ENTER. Double-click the RDP-Tcp connection and change the encryption setting to native RDP encryption (the RDP Security Layer). See the picture below for how to do it. After finishing, reboot your server.


2. Copy the IPBan binary to a folder, e.g. D:\IPBan. Then open and modify the IPBan.exe.config file. Below are the main rules you should know:
     2.1 Group rules, for example:
<Group>
<Keywords>0x90000000000000</Keywords>
...
<XPath>//Provider[@Name='MSSQLSERVER']</XPath>
...
</Group>
This group tracks Application events for logons to MS SQL Server, which carry the keyword 0x90000000000000; see the following captured image of the Application event log for more detail:

In this case the Provider is MSSQL$SGSQL2012, so we change MSSQLSERVER to MSSQL$SGSQL2012.

     2.2 Rule for the number of failed attempts before banning
<add key="FailedLoginAttemptsBeforeBan" value="5" />

     2.3 Ban time rule (DD:HH:MM:SS)
<add key="BanTime" value="00:00:30:00" />

     2.4 Log file rotation rule
<target name="logfile" xsi:type="File" fileName="${basedir}\logfile.txt" archiveNumbering="Sequence" archiveEvery="Day" maxArchiveFiles="28" />

3. Create the IPBan service and start it:
#sc create IPBan type= own start= auto binPath= D:\IPBan\ipban.exe DisplayName= IPBan
#net start IPBan

That's all. Now you can monitor your server your own way.
Any comment is welcome!

Thursday, June 26, 2014

Joomla: plugin for enhancing security rule on login and password

If you are using Joomla, you may want to protect your administrator area from the eyes of bad guys, and you may also want to lock a user after a number of failed logins. This keeps your users and website more secure against hackers who attack in order to steal your users' information or serve their ploys.

You can read my article on hiding your Joomla back-end, or use my plugin called V4 Security (supports Joomla 3.x and 2.x). You can download it here. Below are its features and illustrative images.

1. Backend Protection

If you enter a Login Token here (e.g. hung123), you must access your back-end via a URL like your_site/administrator/?hung123.
You can also set a Redirect URL for anyone who goes to your_site/administrator (without the token). I think you should set the URL of a 404 page here.

2. Login Attempts



If you enable this function and specify the Max attempts number here (e.g. 3), any user will be locked after 3 failed logins.

3. Password Complexity

In this function you configure the password rules for your web site. You can choose to apply them to the Frontend, Backend or both. This function may be useful if you use Joomla to build a social network or an intranet for your company.

Hope this plugin helps you sleep well when running Joomla -:)

Do you have anything else? Any comment is welcome.


Tuesday, April 15, 2014

Solving Heartbleed Bug

Earlier this week, security researchers announced a vulnerability (known as the "Heartbleed Bug") in OpenSSL, a widely used open-source cryptographic software library. It allows attackers to read the memory of systems using vulnerable versions of the OpenSSL library (1.0.1 through 1.0.1f). This may disclose the secret keys of vulnerable servers, allowing attackers to decrypt and eavesdrop on SSL-encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed, which could include usernames and passwords of users or other data stored in server memory.

To be clear, this is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS, nor certificates issued by Symantec or GeoTrust.
Here are the steps to fix this bug:
  1. Identify if your web servers are vulnerable (running OpenSSL versions 1.0.1 through 1.0.1f with heartbeat extension enabled). If you’re running a version of OpenSSL prior to 1.0.1, no further action is required.
  2. If your server is impacted, update to the latest patched version of OpenSSL (1.0.1g).
  3. Generate a new Certificate Signing Request (CSR).
  4. Reissue any SSL certificates for affected web servers using the new CSR (do this after moving to a patched version of OpenSSL).
  5. Install the new SSL certificate.
  6. Website administrators should also consider resetting end-user passwords that may have been visible in a compromised server memory.
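Step 1's version check and step 3's fresh key pair and CSR, as an added Python example that is not part of the original post; the function names, the version regex and the CSR subject format are my assumptions:

```python
import re
import subprocess

# Range stated above: 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g carries the fix.
VULNERABLE_LETTERS = ("", "a", "b", "c", "d", "e", "f")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from 'openssl version' output,
    e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e')."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_heartbleed_version(text):
    """True when the version string falls in the 1.0.1 .. 1.0.1f range.
    Caveat: distributions that backport the fix keep the old version string
    (a patched 1.0.1e still reports 1.0.1e), so True means 'check your
    vendor's changelog', not 'definitely vulnerable'."""
    major, minor, patch, letter = parse_openssl_version(text)
    return (major, minor, patch) == (1, 0, 1) and letter in VULNERABLE_LETTERS


def installed_openssl_version():
    """Run the local openssl binary and return its version line."""
    return subprocess.check_output(["openssl", "version"], text=True).strip()


def new_csr_command(key_path, csr_path, common_name, bits=2048):
    """Build the 'openssl req' command for step 3: a brand-new key pair and CSR.
    The old private key must not be reused because it may already have leaked."""
    return ["openssl", "req", "-new", "-newkey", "rsa:%d" % bits, "-nodes",
            "-keyout", key_path, "-out", csr_path, "-subj", "/CN=%s" % common_name]


if __name__ == "__main__":
    version = installed_openssl_version()
    print(version, "-> in vulnerable range:", is_heartbleed_version(version))
    print(" ".join(new_csr_command("server.key", "server.csr", "www.example.com")))
```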
Hope you stay safe in this storm.

Sunday, March 17, 2013

Joomla: hide backend with secret key to enhance security

If your website uses Joomla, it is easy for anyone to try logging in to your back-end at the address: <your_website>/administrator/

Bad guys can attack your back-end with techniques such as a dictionary attack.

There are many solutions to protect your back-end. Here I suggest one with a small change to the file administrator/index.php. Add the following code after the require_once lines:


// Let the request through only once the secret has been presented in this session
$session = JFactory::getSession();
$passport = $session->get('passport');
if (!$passport || $passport != "passed")
{
    // Secret query variable, e.g. ?your_secret_var=your_secret_value (change both names)
    $goent = JRequest::getVar('your_secret_var', '', 'get', 'text');
    if (!$goent || $goent != "your_secret_value")
    {
        // Redirect to the homepage and stop here; without exit the admin page
        // would still be rendered and sent after the Location header
        header('Location: ../index.php');
        exit;
    }
    else
    {
        $session->set('passport', 'passed');
    }
}

After adding this code, you must log in at: <your_website>/administrator/index.php?your_secret_var=your_secret_value

Any attempt to access <your_website>/administrator/ without the secret will be redirected to your home page.

Best wishes.




