‘Petya’ ransomware: How to stop it?

Another ransomware, called “Petya”, is attacking and spreading after the WannaCry attack. With this “Petya”, it looks as though the program’s creators had no intention of restoring the machines at all. In fact, a new analysis reveals they couldn’t: the virus was designed to wipe computers outright.

How to know if your PC is affected?

You will see a screen like this, which means that your PC is affected. When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don’t have a recent backup of the files, they must either pay the ransom or face losing all of their files.

How to stop it

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine.

If you see this screen, you should power off the PC ASAP.

Power the PC on, open CMD (Command Prompt, run as Administrator so it can write to the Windows folder) and do as below. This creates the files perfc, perfc.dll and perfc.dat in C:\Windows.

cd /d C:\Windows (Enter) — change to the Windows folder, whichever folder the prompt started in

copy con perfc (Enter) — start creating an empty file named perfc

(Ctrl + Z) — end of input

(Enter) — the file perfc is written

copy perfc perfc.dll (Enter)
copy perfc perfc.dat (Enter)

dir perfc* (Enter) — check that all three files now exist in C:\Windows

This is a temporary solution so far. Please ALWAYS use a STRONG password for the ADMINISTRATOR account.

Tool for scanning malware – maldet (simple installation)


Maldet, a malware detector for Linux servers. It is a powerful tool compared with the online tools available.

Installation steps as below:

(1) Go to the source directory

cd /usr/local/src/

(2) Download the source archive

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

(3) Extract the installation archive

tar zxvf maldetect-current.tar.gz

(4) Go to the extracted maldet folder

cd maldetect-*

(5) Install it (as root)

sh install.sh


All about CSF (ConfigServer Security & Firewall)


To add an IP address to the deny list

csf -d IP

To add an IP address to the allow list

csf -a IP

How to restart the csf firewall

csf -r

How to stop the csf firewall

csf -x

Path of the CSF configuration file on a cPanel server

/etc/csf/csf.conf

Path of the denied IP addresses file in CSF

/etc/csf/csf.deny

Path of the allowed IP addresses file in CSF

/etc/csf/csf.allow

How to add an IP address to the ignore list

(1) Log in to the shell

(2) Add the IP address to /etc/csf/csf.ignore

How to find an IP address blocked by a temporary ban

grep IP /etc/csf/csf.tempban


How to change the Windows server RDP port and why you need to

When your server has symptoms as below:

a) a lot of log entries like the one below

Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

b) IIS is unable to start and returns an error when listing the application pools

c) intermittent interruptions to the IIS service

then your server might be under an RDP brute-force attack.

Because of the RDP brute force, the memory area known as the “kernel nonpaged pool” will be almost entirely full. There is a maximum of 256MB on a 32-bit Windows installation. This will continue to cause IIS and other network services to work intermittently and finally stop entirely.

So the solution is to change the RDP port to something other than the default 3389, so the attacker will not easily know your server's port. Golden rule in IT security: DO NOT use the default port for any service.

1) Start Registry Editor (Start > Run > type “regedit” > press Enter)
2) Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3) On the Edit menu, click Modify, and then click Decimal.
4) Type the new port number, and then click OK.
5) Quit Registry Editor.
6) Restart the server.
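The same change as a script, an added example that is not part of the original post, with the Windows Firewall rule the manual steps leave out (without it the server is unreachable on the new port after the restart). The port number 33891 is an assumed placeholder; pick any free port for your server.

```powershell
# Added example (not from the original post): move RDP off port 3389 and
# open the new port in Windows Firewall. Run from an elevated PowerShell prompt.
$NewPort = 33891   # assumed placeholder, choose any free high port
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current port so the change can be rolled back if needed.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"

# 2. Allow the new port through Windows Firewall BEFORE switching; otherwise
#    a remote administrator is locked out once the server restarts.
$ruleName = "RDP on port $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null
}

# 3. Write the new port as a decimal REG_DWORD, the same value the regedit steps edit.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 4. Verify the write before restarting anything.
$check = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
if ($check -ne $NewPort) { throw "PortNumber was not updated (still $check)" }

Write-Host "PortNumber set to $NewPort. Restart the server (step 6 above) to apply."
Write-Host "Afterwards connect with: mstsc /v:<server-address>:$NewPort"
```

Keep the old port open in the firewall until you have confirmed a connection on the new one, then remove the old rule.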