Another ransomware, called “Petya” (the June 2017 outbreak, now usually referred to as NotPetya), attacked and spread in the weeks after the WannaCry attack. But this “Petya” looks as though its creators had no intention of restoring the machines at all. In fact, later analysis shows they could not: the malware was designed to wipe computers outright, and the “installation key” shown in its ransom note is random data, so even the attackers could not derive a decryption key from it.
How do you know your PC is affected?
You will see a screen like this, which means your PC is affected. When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. Victims who do not have a recent backup of their files normally have to either pay the ransom or lose all of their files. In this case paying does not help either: the contact mailbox given in the note was shut down by the email provider, and, as explained above, no working key exists.
How to stop it
The ransomware infects a computer, encrypts files of common document types while it runs, and then waits (roughly ten minutes to an hour) before rebooting the machine. The reboot is where the real damage happens: the malware's own boot code encrypts the disk's master file table (MFT) behind a fake CHKDSK screen. If you switch the computer off as soon as that screen appears, the MFT is still intact and you can rescue the files by removing the disk or booting from other media (files already encrypted in the first phase stay encrypted).
If you see this screen, power the PC off immediately.
Power the PC on, open a command prompt (cmd.exe) as administrator, change to the C:\Windows directory and run the commands below. They create three empty files, perfc, perfc.dll and perfc.dat, in C:\Windows: the malware checks for a file of its own name there before it runs, and exits if it finds one. "copy con" reads the new file's contents from the keyboard, so press Ctrl+Z and then Enter to end the (empty) input.
copy con perfc (Enter)
(press Ctrl+Z, then Enter)
copy perfc perfc.dll (Enter)
copy perfc perfc.dat (Enter)
Afterwards check with dir that the three files exist in C:\Windows. The published vaccine also marks the files read-only so they cannot simply be overwritten.
This is only a temporary workaround: it stops this particular sample, which checks for that file name before it runs, and nothing else. Always use a STRONG password for the Administrator account (the worm reuses credentials it steals from memory to spread to other machines), and install the MS17-010 (SMB) patch, which closes the exploit it uses for the rest.
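The same vaccine done from an elevated PowerShell prompt, as an added example (not the original post's CMD commands): it creates the three files in the real Windows directory and marks them read-only, which is how the published vaccine shipped. It assumes the directory to protect is $env:SystemRoot (normally C:\Windows); the function name is ours.

```powershell
# Added example, not from the original post: NotPetya "perfc" vaccine in PowerShell.
# Run as Administrator. Assumption: $env:SystemRoot is the Windows directory
# (C:\Windows on almost every system).

function Install-PerfcVaccine {
    [CmdletBinding()]
    param(
        [string]$WindowsDir = $env:SystemRoot   # assumed: C:\Windows
    )

    $names = @('perfc', 'perfc.dll', 'perfc.dat')
    foreach ($name in $names) {
        $path = Join-Path $WindowsDir $name

        # Only the file's existence matters: the dropper looks for its own name
        # (perfc) in the Windows directory and exits if it is already there.
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path | Out-Null
        }

        # Read-only so the file is not trivially replaced or deleted.
        $file = Get-Item -LiteralPath $path
        $file.IsReadOnly = $true

        # Report what is actually on disk, not what we intended to do.
        [pscustomobject]@{
            Path     = $path
            Exists   = Test-Path -LiteralPath $path
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

# Every row should show Exists = True and ReadOnly = True.
Install-PerfcVaccine | Format-Table -AutoSize
```

Run it again after the reboot if in doubt; it is idempotent and only reports the state of the files, so it is safe to repeat on every machine you have to touch.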
Maldet (Linux Malware Detect) is a malware scanner for Linux servers. It is a powerful tool compared with the online scanners that are available.
Installation steps are as follows:
(1) Change to the directory where you want to keep the source (e.g. /usr/local/src).
(2) Download the source tarball, maldetect-current.tar.gz, from the rfxn.com download page.
(3) Untar the installation file:
tar zxvf maldetect-current.tar.gz
(4) Change into the extracted maldetect folder.
(5) Run the install.sh script in that folder as root to install it, then update the signature database before the first scan.
To add an IP address to the deny list (/etc/csf/csf.deny):
csf -d IP
To add an IP address to the allow list (/etc/csf/csf.allow):
csf -a IP
How to restart the csf firewall
How to stop the csf firewall
Path of the CSF configuration file on a cPanel server: /etc/csf/csf.conf
Path of the denied IP addresses file in CSF: /etc/csf/csf.deny
Path of the allowed IP addresses file in CSF: /etc/csf/csf.allow
How to add an IP address to the ignore list (addresses that lfd must never block, such as your own office or monitoring hosts):
(1) log in to a shell
(2) add the IP address to /etc/csf/csf.ignore, one per line, and restart lfd so the change takes effect
How to find out whether an IP address is in a temporary ban (lfd records its temporary blocks in this file; on newer csf versions it lives under /var/lib/csf instead):
grep IP /etc/csf/csf.tempban
If your server shows the symptoms below:
a) a lot of log entries like this:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
b) IIS is unable to start and returns an error when you list the application pools
c) intermittent interruptions to the IIS service
then your server is probably under an RDP brute-force attack.
Each failed RDP session consumes kernel non-paged pool memory, and under a sustained brute-force attack that pool fills up almost entirely. On a 32-bit Windows installation the non-paged pool is capped at 256 MB, so once it is exhausted IIS and other network services start to fail intermittently and finally stop entirely.
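Rather than inferring the attack from IIS failures, you can confirm it from the Security log and get the list of source addresses to block. The script below is an added example, not from the original post: it reads failed-logon events (ID 4625, Windows Vista/2008 and later; Server 2003 logs ID 529 with a different message layout, so the parser would need adapting there), keeps the RDP-related logon types, and reports every source address above a threshold. The threshold, the time window and the sample log lines are our assumptions.

```powershell
# Added example, not from the original post: count RDP logon failures per source.
# Works on Get-WinEvent output or on constructed objects with the same properties.

function Get-RdpBruteForceSources {
    [CmdletBinding()]
    param(
        # Objects with TimeCreated and Message properties.
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold = 20    # assumed: failures from one address that count as an attack
    )

    $parsed = foreach ($e in $Events) {
        # Logon type 10 = RemoteInteractive (classic RDP). Type 3 = network, which is
        # what a failed NLA (CredSSP) handshake logs. Keep both, skip everything else.
        if ($e.Message -match 'Logon Type:\s+(3|10)\b') {
            $logonType = $Matches[1]
        } else {
            continue
        }
        # "-" means the address was not recorded; such events cannot be attributed.
        if ($e.Message -match 'Source Network Address:\s+(\S+)' -and $Matches[1] -ne '-') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Source    = $Matches[1]
                LogonType = $logonType
            }
        }
    }

    $parsed |
        Group-Object -Property Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object -Property Time)
            [pscustomobject]@{
                Source     = $_.Name
                Failures   = $_.Count
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                FirstSeen  = $ordered[0].Time
                LastSeen   = $ordered[-1].Time
            }
        } |
        Sort-Object -Property Failures -Descending
}

# --- Live use on the server (needs administrator rights): last hour of failures ---
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
if ($events) { Get-RdpBruteForceSources -Events $events | Format-Table -AutoSize }

# --- Constructed sample (not real log data) so the parser can be tried offline ---
# 25 failures in about two minutes from one address: reported. A single failure
# from a second address stays below the threshold and is left out.
$sample = 1..25 | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = (Get-Date).AddSeconds(-$_ * 5)
        Message     = "An account failed to log on.`n`tLogon Type:`t`t`t10`n" +
                      "`tSource Network Address:`t203.0.113.45`n`tSource Port:`t`t50000"
    }
}
$sample += [pscustomobject]@{
    TimeCreated = Get-Date
    Message     = "An account failed to log on.`n`tLogon Type:`t`t`t3`n`tSource Network Address:`t198.51.100.7"
}
Get-RdpBruteForceSources -Events $sample | Format-Table -AutoSize
```

The addresses it returns are what you feed into a firewall deny rule; a source with many type-3 failures and none of type 10 tells you the attacker is already going through Network Level Authentication, which is why moving the port alone will not be enough.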
So the fix is to move the RDP listener to a port other than the default 3389, so that attackers scanning for 3389 do not find your server easily. Golden rule in IT security: do not leave any service on its default port. Keep in mind that this only removes the noise from mass scanners: a port scan will still find the new port, so also restrict RDP at the firewall to the addresses your administrators use, enable Network Level Authentication, and set an account lockout policy, which stop the brute force rather than hide from it.
1) Start Registry Editor (Start > Run > type “regedit” > press Enter)
2) Locate and then click the following registry subkey:
3) On the Edit menu, click Modify, and then click Decimal.
4) Type the new port number, and then click OK.
5) Quit Registry Editor.
6) Open the new port in the Windows Firewall (or your network firewall), then restart the server; otherwise nobody can connect after the reboot, including you.
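The same change done from an elevated PowerShell prompt, as an added example that is not part of the original post, together with the firewall rule and the two hardening settings the port change alone does not give you. The registry key is the one Microsoft documents for the RDP-Tcp listener (the post's step 2 leaves it unnamed); the new port number, the management subnet and the lockout threshold are assumptions to adjust. New-NetFirewallRule needs Windows Server 2012 / Windows 8 or later; on older systems use netsh advfirewall instead.

```powershell
# Added example, not from the original post: move RDP off 3389 and harden it.
# Run as Administrator.

$NewPort   = 33891                  # assumed: any unused port above 1024
$AdminNets = @('203.0.113.0/24')    # assumed: where your administrators connect from

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "RDP listener currently on TCP $old"

# 1) The change the post makes through regedit: PortNumber is a DWORD, in decimal.
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 2) Open the new port in Windows Firewall, but only from the management subnet.
#    Without this rule nobody can connect after the reboot, including you.
New-NetFirewallRule -DisplayName "RDP on TCP $NewPort (admins only)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AdminNets -Action Allow | Out-Null

# 3) Require Network Level Authentication: a bad password is rejected before the
#    session is set up, so each guess no longer costs a session's worth of kernel pool.
Set-ItemProperty -Path $key -Name UserAuthentication -Value 1 -Type DWord

# 4) Lock accounts after repeated failures (10 tries, 15-minute lockout). An attacker
#    can abuse this to lock out real users, so keep the lockout duration short.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# Confirm what is now in the registry, then reboot for the port change to take effect.
Get-ItemProperty -Path $key -Name PortNumber, UserAuthentication
Write-Host "Reboot now (Restart-Computer) and reconnect with mstsc /v:<host>:$NewPort"
```

Test the new port from an address inside $AdminNets before you close the old console session; if the firewall rule is wrong you still have a way back in.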