Some information about the Trojan.Encoder.12544 ransomware (encryptor) attack of 06/27/2017

On 06/27/2017, after lunch, I received a call from one organization reporting that many computers had stopped working while some still worked. I understood that Windows auto-update was enabled and all updates were installed, including the fix for the critical vulnerability the virus uses, Microsoft Security Bulletin MS17-010 (Critical).

On some infected computers the following window was displayed (the MBR area had been infected):

On the others the disk appeared to be undergoing an error check by CHKDSK; this turned out to be the second stage of the virus, encryption of the disk with AES-128-CBC, and at that point an immediate shutdown is needed to preserve the data that has not yet been encrypted.
With special utilities only a small amount of unencrypted data could be seen and recovered; the rest can only be restored from the backup copies made by the system administrators, since no decryptor is available at the moment.
For last year's old version of the virus a decryptor was written: https://github.com/leo-stone/hack-petya

The e-mail address given for requesting the decryption key was blocked some time after the virus appeared, even though about 45 transactions had been received on the wallet.

Installing and using Conky in Linux

Conky is a system monitor.

The installation command in Ubuntu:

sudo apt-get install conky

In CentOS/Fedora:

sudo yum install conky

Start command:

conky

At first start it displayed the Conky monitor window.

The configuration files are located in /etc/conky/.

To read the built-in documentation, you can run the following command:

man conky

Example of launching in the background with an update interval of 2 seconds:

conky -d -u 2

To stop, you can use the command:

pkill conky

Configuring PIM on MikroTik

Here is an example of configuring PIM on two MikroTik routers:

Let us configure the first MikroTik.
Add a PIM interface and check the result (p is short for print):

routing pim interface add
routing pim interface p

Add the IP address of the RP (this MikroTik):

routing pim rp add address=IP-ADDRESS

Specify the subnets from which multicast traffic is allowed:

routing pim interface set alternative-subnets=238.0.0.0/24,239.0.0.0/24

Let’s configure the second MikroTik.
Add a PIM interface on the uplink (WAN) port, in my case ether1:

routing pim interface add interface=ether1
routing pim interface p

Add the IP address of the RP (the first MikroTik):

routing pim rp add address=IP-ADDRESS

Add a route to the multicast source via the first MikroTik:

ip route add 239.0.0.0/24 via IP-ADDRESS

Done.

Using and configuring CRON

Cron is the task scheduler in UNIX-like operating systems, used to run tasks periodically at set times.

The main file is /etc/crontab; lines with the commands that need to run automatically are added to it. Commands can also be placed in a separate file in the /etc/cron.d/ directory, or in /etc/cron.daily/, /etc/cron.hourly/, /etc/cron.monthly/ and /etc/cron.weekly/.

Example of a line added to cron:

* * * * * command

Field layout:
* * * * * command
| | | | |
| | | | +---- Day of the week (0 - 7) (Sunday = 0 or 7)
| | | +------ Month (1 - 12)
| | +-------- Day of month (1 - 31)
| +---------- Hour (0 - 23)
+------------ Minute (0 - 59)

Here are a few examples of command execution times:

* * * * *
Every minute

*/5 * * * *
Every 5 minutes

*/30 * * * *
Every 30 minutes

0 * * * *
Every hour

30 * * * *
Every hour at minute 30

0 */2 * * *
Every 2 hours

30 */2 * * *
Every 2 hours at minute 30

59 23 31 12 5
One minute before the end of the year, if the last day of the year is Friday

59 23 31 Dec Fri
A minute before the end of the year, if the last day of the year is Friday (another way of writing the same entry)

45 17 7 6 *
Every year on the 7th of June at 17:45

0,15,30,45 0,6,12,18 1,15,31 * 1-5
At 00:00, 00:15, 00:30, 00:45, 06:00, 06:15, 06:30, 06:45, 12:00, 12:15, 12:30, 12:45, 18:00, 18:15, 18:30, 18:45 on the 1st, 15th or 31st of any month, weekdays only

*/15 */6 1,15,31 * 1-5
At 00:00, 00:15, 00:30, 00:45, 06:00, 06:15, 06:30, 06:45, 12:00, 12:15, 12:30, 12:45, 18:00, 18:15, 18:30, 18:45 on the 1st, 15th or 31st of any month, weekdays only (another way of writing the same entry)

0 12 * * 1-5 (0 12 * * Mon-Fri)
At noon on workdays

* * * 1,3,5,7,9,11 *
Every minute in January, March, May, July, September and November

1,2,3,5,20-25,30-35,59 23 31 12 *
On the last day of the year at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59

0 9 1-7 * 1
The first Monday of every month, at 9 am

0 0 1 * *
At midnight on the first day of every month

* 0-11 * * *
Every minute before noon

30 9 1 * *
On the 1st of every month at 9:30

* * * 1,2,3 *
Every minute in January, February and March

* * * Jan,Feb,Mar *
Every minute in January, February and March

0 0 * * *
Every day at midnight

0 0 * * 3
Every Wednesday at midnight
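The examples above can be checked mechanically. The following is an added example, not code from the original article or from any cron implementation: a small matcher for 5-field crontab schedules that follows the crontab(5) rules (comma lists, ranges, "/step", month and weekday names, Sunday as 0 or 7). It also reproduces the rule that when both the day-of-month and the day-of-week fields are restricted (do not start with "*"), the job runs when either field matches, which is what makes entries such as "0 9 1-7 * 1" and "59 23 31 12 5" fire on more days than their descriptions suggest. The dates in the demo are constructed sample values.

```python
"""Minimal matcher for 5-field crontab schedules (added example, not from the article)."""
from datetime import datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
WEEKDAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (minimum, maximum, name table) for minute, hour, day of month, month, day of week
FIELDS = [(0, 59, None), (0, 23, None), (1, 31, None), (1, 12, MONTHS), (0, 7, WEEKDAYS)]


def _value(token, names, lo):
    """Turn a single field token ("5", "Dec", "fri") into an integer."""
    token = token.lower()
    if names and token in names:
        return names.index(token) + lo
    return int(token)


def expand(field, lo, hi, names=None):
    """Expand one crontab field into the set of integers it matches."""
    result = set()
    for item in field.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            first, last = item.split("-", 1)
            start, end = _value(first, names, lo), _value(last, names, lo)
        else:
            start = _value(item, names, lo)
            end = hi if step > 1 else start      # "N/step" runs from N up to the maximum
        if not lo <= start <= end <= hi:
            raise ValueError(f"field {field!r} is out of range {lo}-{hi}")
        result.update(range(start, end + 1, step))
    return result


def parse(expr):
    """Parse 'min hour dom month dow' into five sets; weekday 7 is folded into 0."""
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {expr!r}")
    sets = [expand(part, lo, hi, names) for part, (lo, hi, names) in zip(parts, FIELDS)]
    sets[4] = {0 if d == 7 else d for d in sets[4]}
    return sets


def matches(expr, when):
    """Return True if schedule `expr` fires at datetime `when` (seconds are ignored)."""
    parts = expr.split()
    minutes, hours, days, months, weekdays = parse(expr)
    dom_ok = when.day in days
    dow_ok = (when.isoweekday() % 7) in weekdays   # Python Mon=1..Sun=7 -> cron Sun=0
    if parts[2].startswith("*") or parts[4].startswith("*"):
        day_ok = dom_ok and dow_ok      # at most one day field restricted: both must hold
    else:
        day_ok = dom_ok or dow_ok       # both restricted: crontab(5) fires on either match
    return (when.minute in minutes and when.hour in hours
            and when.month in months and day_ok)


def fires_at(expr, year, month, day, hour, minute):
    """Convenience wrapper: evaluate `expr` at the given wall-clock time."""
    return matches(expr, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    # Constructed sample dates chosen so that the either-field rule is visible.
    checks = [
        ("0 9 1-7 * 1", datetime(2017, 6, 5, 9, 0)),          # Monday in the first week of June
        ("0 9 1-7 * 1", datetime(2017, 6, 1, 9, 0)),          # Thursday the 1st: fires as well
        ("0 9 1-7 * 1", datetime(2017, 6, 12, 9, 0)),         # second Monday: fires as well
        ("59 23 31 Dec Fri", datetime(2017, 12, 1, 23, 59)),  # a Friday in December
        ("* 0-11 * * *", datetime(2017, 6, 27, 12, 0)),       # noon: does not fire
    ]
    for expr, when in checks:
        print(f"{expr:20} {when:%Y-%m-%d %a %H:%M} -> {matches(expr, when)}")
```

Run it directly to see the sample dates evaluated; a practitioner who wants a job strictly on the first Monday of the month therefore usually restricts only one of the two day fields in cron and tests the weekday inside the script itself.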

To stop cron from e-mailing the command's output when it finishes, append the following to the command:
>/dev/null 2>&1

Here is an example of a line that adds the script /home/user/script.sh to cron so that it runs automatically every day at midnight (the file must be executable):
0 0 * * * /home/user/script.sh >/dev/null 2>&1


Installing and Using dhcpdump

dhcpdump is a sniffer utility for analyzing DHCP packets.

Installation command in Ubuntu/Debian:

sudo apt-get install dhcpdump

Installation in CentOS:

yum install dhcpdump

List the network interfaces present in the system:

ifconfig

Example of running dhcpdump with the name of the network interface:

dhcpdump -i eth0

An example of capturing only DHCP packets whose hardware (MAC) address matches a regular expression, here addresses beginning with 02:b0:eb:

dhcpdump -i eth0 -h ^02:b0:eb

Example of writing the output to a file instead of the screen:

dhcpdump -i eth0 > file.txt
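To show what dhcpdump is decoding and how its -h MAC filter applies, here is an added example that is not code from the article or from dhcpdump itself: a decoder for the fixed BOOTP/DHCP header and the option list, followed by a regex filter over the client MAC (chaddr) in the spirit of -h. dhcpdump reads packets from an interface with libpcap; here the UDP payloads are constructed inline (sample data, not a real capture) so the decoder runs offline, and the option parser bounds-checks every length byte so a truncated or malformed packet raises an error instead of reading past the buffer.

```python
"""Decode DHCP payloads and filter them by client MAC, in the spirit of dhcpdump -h
(added example; the packets below are constructed sample data)."""
import re
import socket
import struct

# Fixed-size BOOTP/DHCP header (RFC 2131) followed by the 4-byte magic cookie.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_packet(mac, msg_type, hostname, xid=0x3903F326):
    """Construct a minimal client DHCP message for testing (sample data, not a capture)."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    header = HEADER.pack(1, 1, 6, 0, xid, 0, 0x8000,       # op=BOOTREQUEST, Ethernet, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac_bytes.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
                         MAGIC_COOKIE)
    options = (bytes([53, 1, msg_type])                            # option 53: DHCP message type
               + bytes([12, len(hostname)]) + hostname.encode()    # option 12: host name
               + bytes([61, 7, 1]) + mac_bytes                     # option 61: client identifier
               + b"\xff")                                          # end option
    return header + options


def parse_dhcp(payload):
    """Decode one DHCP payload into a dict; raises ValueError on malformed input."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
     siaddr, giaddr, chaddr, sname, file_, cookie) = HEADER.unpack_from(payload)
    if cookie != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie missing")
    if not 1 <= hlen <= 16:
        raise ValueError(f"implausible hardware address length {hlen}")
    options = {}
    i = HEADER.size
    while i < len(payload):
        code = payload[i]
        if code == 255:                     # end option
            break
        if code == 0:                       # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:            # bounds check before trusting the length byte
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    msg_code = options[53][0] if options.get(53) else 0
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "yiaddr": socket.inet_ntoa(yiaddr),
        "type": MESSAGE_TYPES.get(msg_code, f"UNKNOWN({msg_code})"),
        "hostname": options.get(12, b"").decode("ascii", "replace"),
    }


def filter_by_mac(packets, pattern):
    """Keep decoded packets whose MAC matches the regex, like dhcpdump -h."""
    rx = re.compile(pattern)
    return [p for p in packets if rx.search(p["mac"])]


SAMPLE_PACKETS = [   # constructed sample traffic: one DISCOVER and one REQUEST
    build_packet("02:b0:eb:01:02:03", 1, "lab-client"),
    build_packet("52:54:00:aa:bb:cc", 3, "other-host"),
]


def summarize(pattern=None):
    """Decode the sample traffic, optionally filtered by a MAC regex; returns (mac, type, hostname) tuples."""
    decoded = [parse_dhcp(p) for p in SAMPLE_PACKETS]
    if pattern:
        decoded = filter_by_mac(decoded, pattern)
    return [(p["mac"], p["type"], p["hostname"]) for p in decoded]


if __name__ == "__main__":
    for row in summarize("^02:b0:eb"):
        print(row)
```

Because -h takes a regular expression, "^02:b0:eb" anchors to the start of the address; to select by the trailing bytes instead, a pattern such as "bb:cc$" would be used, and the same applies to the filter function above.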

Changing the port for SSH, HTTP and other service checks in Zabbix

Suppose SSH runs on a non-standard port. In Zabbix the “Template App SSH Service” template checks it on the standard port and will therefore send the message “SSH service is down on …”.

To specify which port to check for SSH, make a full clone of the “Template App SSH Service” template (so the original is left unchanged) and in the cloned template change the item key:

net.tcp.service[ssh]

to (where 500 is the SSH port number):

net.tcp.service[ssh,,500]

Then assign this new template instead of the standard one, and SSH will be checked on the specified port.
Templates are managed under “Configuration” -> “Templates” (the “Templates” host group).

The port for other services is changed in the same way.

From the command line the item can be checked with the following commands:

zabbix_get -s127.0.0.1 -k'net.tcp.service[ssh]'
zabbix_get -s127.0.0.1 -k'net.tcp.service[ssh,,500]'

If Zabbix agent is installed on the host, the better key to specify in the item is:

proc.num[sshd]
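What the two item keys actually test is easy to lose in the template dialog, so here is an added example that is not code from the article and not Zabbix code: the functions mirror the item semantics used above, where net.tcp.service[ssh,,500] returns 1 when an SSH server answers on port 500 and 0 otherwise, and net.tcp.service[tcp,,PORT] only tests that the TCP connection succeeds. The banner check is an assumption about the protocol (an SSH server opens with an identification line starting with "SSH-"), and the loopback listeners are constructed stand-ins so the checks can be exercised offline; port 500 from the article is replaced by whatever free port the OS assigns.

```python
"""Check a TCP service on an arbitrary port the way Zabbix net.tcp.service[...] does
(added example, not Zabbix code; the fake servers are constructed test doubles)."""
import socket
import threading


def check_ssh_service(host, port, timeout=3.0):
    """Return 1 if something on host:port sends an SSH identification banner, else 0."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            banner = conn.recv(256)
    except OSError:          # refused, timed out, reset: the service counts as down
        return 0
    return 1 if banner.startswith(b"SSH-") else 0


def check_tcp_port(host, port, timeout=3.0):
    """Return 1 if a TCP connection to host:port succeeds, else 0 (net.tcp.service[tcp,,port])."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return 1
    except OSError:
        return 0


def start_fake_server(banner):
    """Start a loopback listener that greets each client with `banner`; returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo():
    """Run the checks against a fake SSH daemon, a non-SSH service and a closed port."""
    ssh_port, ssh_srv = start_fake_server(b"SSH-2.0-OpenSSH_7.4\r\n")
    smtp_port, smtp_srv = start_fake_server(b"220 mail.example ESMTP\r\n")
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                       # nothing listens on this port any more
    try:
        return {
            "ssh_on_custom_port": check_ssh_service("127.0.0.1", ssh_port),
            "ssh_banner_missing": check_ssh_service("127.0.0.1", smtp_port),
            "tcp_only_same_port": check_tcp_port("127.0.0.1", smtp_port),
            "closed_port": check_ssh_service("127.0.0.1", closed_port),
        }
    finally:
        ssh_srv.close()
        smtp_srv.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "ssh_banner_missing" case is why the service-specific check is preferable to a bare TCP check: a port that accepts connections but is not speaking SSH still reports 0 for the ssh item while reporting 1 for the tcp item. The proc.num[sshd] key mentioned above takes a different approach again, counting the daemon's processes locally through the agent rather than connecting to the port.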