The first variant discovered by Jakub is called PayDOS and is a batch file converted into an executable. When run, the executable extracts the batch file into the %Temp% folder and runs it from there. Once executed, the batch file scans certain folders for certain file extensions and renames each file so that one letter of the extension is changed. For example, test.png may become test.dng. It does not actually encrypt the files; only the names change.
Recently I had a chance to get my hands on this excellent firewall by Check Point. As you know, not everything goes perfectly, and that is where you get a chance to learn how it works while you fix it.
I encountered an issue where one of the Threat Prevention blades was stuck in updating mode for several hours. I logged into the appliance via SSH to view the CPU utilization and observed nothing that would indicate an issue.
I started thinking about what events may have caused this. I looked at the auto-update schedule for the blades and noticed that all three blades were set to update simultaneously.
I have observed that these updates can cause very high CPU consumption, and suspected that this is why the blade became stuck in an updating status. Staggering the schedules so that the blades do not all update at the same time avoids that contention.
To address the situation, I issued the update command from the CLI:
- Log into the firewall via SSH
- Enter expert mode by typing ‘expert’ in the CLI. You will be asked for your expert password. Once in expert mode you will be at a standard Linux bash prompt.
- Run the following while in expert mode depending on which update you require:
- Anti-Virus Blade: [Expert@jermsmit.com]# online_update_cmd -b AV -o update
- IPS Blade: [Expert@jermsmit.com]# online_update_cmd -b IPS -o update
- Application Control Blade: [Expert@jermsmit.com]# online_update_cmd -b APPI -o update
Now return to and refresh the WebUI; the blade(s) that were stuck in the updating status should now show as up to date. If a blade still reports updating, check the command's output for errors before retrying.
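Since the root cause was three blades updating at once, the natural fix is to run the updates one after another and stop on the first failure instead of letting a stuck blade go unnoticed. The script below is an added example, not from the original post or from Check Point: it assumes the expert-mode shell and the `online_update_cmd -b <BLADE> -o update` syntax shown above, and lets `UPDATE_CMD` be overridden so the logic can be exercised with a stub off the appliance.

```shell
#!/bin/sh
# Added example, not from the original post: run the Threat Prevention blade
# updates sequentially instead of letting all of them start at once, and stop
# at the first failure so a stuck blade is reported rather than hidden.
# Assumes the expert-mode shell and the "online_update_cmd -b <BLADE> -o update"
# syntax shown above. UPDATE_CMD can be pointed at a stub for testing.
UPDATE_CMD="${UPDATE_CMD:-online_update_cmd}"

# update_blades AV IPS APPI
# Runs the update for each named blade in order. Prints the number of blades
# that updated successfully; returns 1 (naming the blade) on the first failure.
update_blades() {
    ok=0
    for blade in "$@"; do
        if "$UPDATE_CMD" -b "$blade" -o update; then
            ok=$((ok + 1))
        else
            echo "update of blade $blade failed" >&2
            return 1
        fi
    done
    echo "$ok"
    return 0
}

# On the appliance (expert mode): sh update_blades.sh AV IPS APPI
if [ "$#" -gt 0 ]; then
    update_blades "$@"
fi
```

Run it from expert mode with the blade names as arguments; a non-zero exit status tells you which blade to investigate before touching the next one.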
The following is a quick video of the setup of a Check Point 600 Security Appliance.
Notes right from the admin guide: http://downloads.checkpoint.com/dc/download.htm?ID=24000
Check Point 600 Appliance Overview
Check Point 600 Appliance delivers integrated unified threat management to protect your organization from today’s emerging threats. Based on proven Check Point security technologies such as Stateful Inspection, Application Intelligence, and SMART (Security Management Architecture), Check Point 600 Appliance provides simplified deployment while delivering uncompromising levels of security.
Check Point 600 Appliance supports the Check Point Software Blade architecture that gives independent and modular security building blocks. Software Blades can be quickly enabled and configured into your solution based on specific security needs.
This video takes place right after the Check Point 600 was connected to WAN and LAN and powered up.
In the past week I have had my good share of working on remote systems where I needed to use PuTTY to issue commands, not all of them documented. To assist me in documenting my steps I often use the session logs. However, this has normally been a manual process in the heat of the moment, and sometimes enabling logging is an afterthought.
To guarantee that this is done, I have made the following changes to the default configuration of my PuTTY client and all saved sessions so that logs are saved and dated for future reference. I am recording them here for anyone who would like to do the same.
Under Category, choose Logging.
Under Session logging, choose the option “All session output”.
Under Log file name, choose a directory and log filename.
Using the PuTTY log file name parameters, I configure my log names to consist of host, year, month, day and time for each session, so every connection gets its own file and nothing is overwritten.
I also selected the option “Always append to the end of it” for what to do if the log file already exists.
Finally, I saved these log settings to the Default Settings profile in PuTTY, making this the default logging option for all future connections and saved profiles.
Note: Profiles that existed before this change will need to be modified if you also wish to log their session output. Keep in mind that “All session output” records everything displayed in the terminal, including any key material or secrets you cat to the screen, so store the log directory with restricted permissions.
- &H = hostname for the session
- &Y = year
- &M = month
- &D = day
- &T = time
Short Video on how to do this
Yesterday I attended a joint seminar with VirtuIT Systems & the FBI Cyber Division.
Focal areas: ransomware and zero-day attacks, and how to fight against them
Opening with a one (1) hour discussion:
Philip Frim, Supervisory Special Agent with the FBI’s Newark Division.
- Development of FBI’s Cyber Division Program
- Computer Analysis and Response Team (CART)
- Security Threat: Ransomware
- Educating the workforce on security
- Building relationships with FBI
FBI’s Cyber Division Program
Developed to address cyber-crime in a coordinated and cohesive manner, with specially trained personnel at FBI headquarters and in a total of 56 field offices.
Cyber Task Forces travel around the world to assist in computer intrusion cases, gathering vital intelligence to identify dangers to national security and our economy.
Security Threat: Ransomware
Examples of how the loss of sensitive or proprietary information disrupts regular operations and causes financial losses to organizations.
Reputation impacts to organizations due to ransomware and security breaches
The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom does not guarantee that an organization will get its data back.
Paying a ransom not only emboldens current cyber criminals to target more organizations, it offers an incentive for criminals to continue this illegal activity. By paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals, such as human trafficking and terrorism.
Prevention through awareness training for employees, the addition of technical controls (NGFW, threat prevention), and development of a business continuity plan covering ransomware attacks.
- Develop communication to make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Patch operating system, software, and firmware on digital devices regularly.
- Ensure antivirus and anti-malware solutions are set to automatically update and scan.
- Manage the use of privileged accounts: no user should be assigned administrative access unless it is absolutely necessary.
- Configure access controls, including file, directory, and network share permissions.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations.
- Back up data regularly and verify the integrity of those backups.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
Building relationships with FBI
Focused on companies building relationships with their local FBI Cyber Division field office to establish a channel of communication, a reporting structure, and a contact to reach out to in the case of a security incident.
Introduce into corporate incident policy areas covering the liability of sharing data with law enforcement such as the FBI, working with lawyers or the legal team to do so.
In addition to the talk there was a demonstration of:
- Dell’s threat protection and endpoint security suite
- Network threat visualizer “DarkTrace” https://www.darktrace.com
I would like to give a big thanks to John Rovito over at VirtuIT Systems for having me out this week.
I have posted about commands in the past. I am now ‘rebooting’ that post and adding additional commands that I find useful.
$ scp somefile.txt server:/tmp Secure copies somefile.txt to remote host /tmp folder
$ scp sysadmin@server:/www/*.html /www/tmp Copies *.html files from remote host to current system /www/tmp folder
$ scp -r sysadmin@server:/www /www/tmp Copies all files and folders recursively from remote server to the current system /www/tmp folder
$ rsync -a /home/backup /backup/ Synchronizes source to destination
File and Folder Archive:
$ tar cf home.tar home Creates tar named home.tar containing home/
$ tar xf file.tar Extracts the files from file.tar
$ tar czf file.tar.gz files Creates a tar with gzip compression
$ gzip file Compresses the file and renames it to file.gz
$ ifconfig -a Displays all network interfaces and their IP addresses (ifconfig is deprecated on modern distributions; prefer ip)
$ ifconfig eth0 Displays the IP address and details of a specific interface
$ ip addr show Displays all network interfaces and IP addresses (from the iproute2 package; more capable than ifconfig)
$ ip address add 10.0.0.1/24 dev eth0 Sets an IP address (include the prefix length; without it the address is added as a /32)
$ ethtool eth0 Linux tool to show Ethernet link status and driver settings
$ mii-tool eth0 Older Linux tool to show Ethernet link status
$ ping host Sends ICMP echo requests to test connectivity
$ whois domain Gets WHOIS registration information for a domain
$ dig domain Gets DNS information for a domain
$ dig -x host Reverse lookup of an IP address
$ host google.com Looks up the IP address for a name
$ hostname -i Looks up the local IP address (by resolving the local hostname)
$ wget file Downloads a file (verify its checksum or signature before using it)
$ netstat -tupl Lists all listening TCP and UDP ports with PID and program name (run as root to see processes owned by other users; ss -tulpn is the modern equivalent)
$ ssh user@host Connects to host as user
$ ssh -p port user@host Connects to host using a specific port
$ telnet host Connects to the system using the telnet port (cleartext; use only for banner checks on trusted networks)
$ chmod 777 /data/test.c Sets rwx permission for owner, group and world (world-writable; avoid on anything but scratch files)
$ chmod 755 /data/test.c Sets rwx permission for owner, rx for group and world
$ chown owner-user file Changes the owner of the file
$ chown owner-user:owner-group file-name Changes the owner and group owner of the file
$ chown owner-user:owner-group directory Changes the owner and group owner of the directory (add -R to include its contents)
$ ps Displays your currently active processes
$ ps aux | grep 'telnet' Finds all processes related to telnet (the grep itself also matches; pgrep -a telnet avoids that)
$ pmap pid Memory map of the process with the given PID
$ top Displays all running processes
$ kill pid Kills the process with the given PID (sends SIGTERM; kill -9 pid sends SIGKILL)
$ killall proc Kills all processes named proc
$ sleep 10 & Runs sleep in the background as a job
$ kill %n Terminates job number n
$ jobs Displays the jobs
$ pkill processname Sends a signal to processes matching the name
$ bg Resumes suspended jobs without bringing them to the foreground
$ fg Brings the most recent job to the foreground
$ fg n Brings job n to the foreground
Useful File Commands:
$ cd .. To go up one level of the directory tree
$ cd Goes to $HOME directory
$ cd /test Changes to /test directory
$ ls lists the contents of a folder
$ ls -a lists all the contents of a folder, including hidden (dot) files
$ mkdir FolderName creates the folder FolderName
$ cd Directory makes Directory the current directory
$ pwd prints the working directory
$ cp ~/Desktop/Berk/backups/science.txt . copies science.txt to the current directory
$ mv backups/science.txt /Desktop/Emi moves science.txt to the folder Emi
$ rm temp.txt removes the file temp.txt
$ clear clears the screen
$ cat science.txt displays the contents of a file on the screen
$ less science.txt pages through the file (type q to quit)
$ less science.txt and then /name finds the occurrences of name
$ head science.txt displays the first ten lines of the file
$ tail science.txt displays the last ten lines of the file
$ tail -20 science.txt displays the last 20 lines of the file
$ grep 'searchedkeyword' science.txt searches for the keyword in the file (case sensitive)
$ grep -i SeaRchEdKeyWoRd science.txt case-insensitive search
$ grep -i 'SeaRched Sentence is this one' science.txt case-insensitive search for a phrase
instead of -i we can use:
-n precede each matching line with the line number
-v display those lines that do not match
-c print only the total count of matching lines
$ find . -name '*.txt' -print finds the text files in the current directory and below
$ diff a.txt b.txt gives the differing lines
$ wc -w science.txt gives the word count
$ wc -l science.txt gives the line count
$ cat > list1
creates the file list1 from what you type (end the input with Ctrl+D); we can print it with:
$ cat list1
$ grep p biglist | sort gives the sorted lines of biglist that contain p
$ sort < biglist > sortedlist sorts biglist and writes the result to sortedlist
$ ls list* lists the filenames starting with 'list'
$ ls *list lists the filenames ending with 'list'
$ ls ?un lists three-letter filenames ending with 'un' (e.g. sun, gun, bun)
$ man ____ gives the manual page for the named command
$ whatis ____ gives a one-line description of the named command
$ ls -l gives detailed information about the files in the directory
rwx: read write execute
rw: read write
$ chmod u+x TheFile adds execute permission for the user (owner) of TheFile
$ chmod go-rwx biglist to remove read write and execute permissions on the file biglist for the group and others
$ chmod 754 TheFile 7, 5, 4 represents the individual permissions for user, group, other (7:rwx, 5:rx, 4:r)
4 – stands for “read”
2 – stands for “write”
1 – stands for “execute”
0 – no permissions
$ du -s * The du command outputs the disk usage (in 1K blocks by default; add -h for human-readable units) of each file and subdirectory.
$ df . The df command reports on the space left on the file system.
$ gzip science.txt Compresses into a gzip file
$ gunzip science.txt.gz De-compresses into the original file
$ tar cvf New.tar addthisfileintotar Create a tar file called New and add this file.
$ tar xvf New.tar Extracts the tar file
$ zcat science.txt.gz reads zipped files without unzipping
$ file * Classifies the files in the current directory ( folder, text, gzip, etc.)
$ echo Hello $name Prints ‘Hello Berk’ when the variable name is set to Berk
$ sha1sum FileName | grep e509760917361307015 Looks for part of the expected hash in the checksum output. This is a weak check: grep matches the substring anywhere and only part of the digest is compared. Compare the whole published digest instead, preferably SHA-256, e.g. echo "<digest>  FileName" | sha256sum -c
$ gpg -c file Encrypts file with a passphrase (symmetric), producing file.gpg
$ gpg file.gpg Decrypts file.gpg
$ id Shows the active user id with login and group
$ last Shows last logins on the system
$ who Shows who is logged on the system
$ groupadd admin Adds group “admin”
$ useradd -c "Jermal Smith" -g admin -m sam Creates user "sam" with a home directory and primary group "admin"
$ userdel sam Deletes user sam
$ adduser sam Adds user “sam”
$ usermod Modifies user information
$ top Displays the top CPU processes (press q to exit)
$ vmstat 2 Displays virtual memory statistics every 2 seconds
$ sudo tcpdump -i eth0 Captures all packets on interface eth0
$ sudo tcpdump -i eth0 'port 80' Captures all traffic on port 80 (HTTP)
$ lsof Lists all open files belonging to all active processes.
$ lsof -u myuser Lists files opened by specific user
$ watch df -h Re-runs df -h every 2 seconds so you can watch the values change
$ uname -a Displays Linux system information
$ uname -r Displays kernel release information
$ uptime Shows how long system running + load
$ hostname Shows system host name
$ hostname -i Displays the IP address of the host
$ last reboot Shows system reboot history
$ date Shows the current date and time
$ cal Shows this month calendar
$ whoami Shows who you are logged in as
$ dmesg Detected hardware and boot messages
$ cat /proc/meminfo Hardware memory information
$ cat /proc/cpuinfo CPU model information
$ cat /proc/interrupts Lists the number of interrupts per CPU per I/O device
$ sudo lshw Displays information on hardware configuration of the system
$ lsblk Displays block device related information in Linux (sudo yum install util-linux-ng)
$ free -m Displays used and free memory (-m for MB)
$ lsusb -tv Shows USB devices
$ sudo dmidecode Shows hardware info from the BIOS (SMBIOS) tables
$ sudo hdparm -i /dev/sda Shows info about disk sda
$ sudo hdparm -tT /dev/sda Does a read speed test on disk sda
$ sudo badblocks -s /dev/sda Tests for unreadable blocks on disk sda (read-only by default; never use -w on a disk holding data)
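The checksum entry above pipes sha1sum into grep for a prefix of the hash, which accepts any output that merely contains that substring and compares only part of the digest. The function below is an added example, not from the original post: it takes the full expected SHA-256 digest (using sha256sum from GNU coreutils, falling back to shasum), normalises case, rejects anything that is not a complete 64-hex-character digest, and returns a non-zero status on mismatch so it can gate the next step of a download script. It goes slightly beyond the cheat-sheet entry by handling upper-case digests and malformed input as well.

```shell
#!/bin/sh
# Added example, not from the original post: verify a download against its
# full published SHA-256 digest instead of grepping for a prefix of it.
# Usage: verify_sha256 <file> <expected-hex-digest>
# Exit status: 0 match, 1 mismatch, 2 bad input or unreadable file.

# sha256_of FILE -> prints the lowercase hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {
    file=$1
    # Published digests are sometimes upper case; compare in lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Refuse partial or non-hex digests: a prefix is not a verification.
    case $expected in
        *[!0-9a-f]*|"") echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest must be 64 hex characters (got ${#expected})" >&2
        return 2
    fi
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone use: sh verify_sha256.sh downloaded.tar.gz <digest from the vendor page>
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

Fetch the expected digest from the vendor's page or a signed checksum file, not from the same unauthenticated location as the download, otherwise an attacker who can swap the file can swap the digest too.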
Sharing is caring. So I am sharing something I received from Dale Carnegie
1. Make A Great First Impression – Before starting, practice what you will say when introducing yourself; think about all of the questions people might ask you and develop your answers. Choose honest, concise responses, but be sure to be friendly. Don’t forget to dress for success and shine your shoes!
2. Get To Know Your Company And The People Of The Company –
If you have not done so already, take the time to read up on your company (using the company’s website or industry articles as sources). Once you start gathering more information, observe the work environment and understand everyone’s job and the impact they have on getting things done. Most importantly, don’t get caught up on the company’s gossip.
3. Own Your Mistakes – It is typically expected that a new hire will make a mistake somewhere down the line. Face a blunder head on and ask for help immediately. Learn from it, and ensure that this same problem does not happen again.
4. Know Your Manager – Since your manager will be evaluating you and often makes decisions about your career with regards to promotions, raises, etc., you want to make him or her as happy as possible. Find out how he/she works, what they are most concerned about, and what they expect of you. Don’t forget to pay special attention on how he/she likes to communicate (meetings vs. e-mails) and their overall management style. The bottom line is that you want to create a positive work relationship right from the get-go.
5. Know Your Job And How Your Performance Will Be Graded – Sometimes aspects of a job are a little different than what you thought during the interview. Talk to your manager early on so that you are both on the same page about expectations, how he/she will evaluate your performance, and so on.
6. Do Your Homework – While enthusiasm is wonderful, it is not usually a great idea to rush into a new position and try to make many drastic changes right off the bat. There might be very legitimate reasons that certain policies or practices are in place, and you will look much more competent if you ask questions and do your homework before making big suggestions. You do not want to alienate yourself from your peers by stepping on their toes, especially if the changes you are suggesting have already been tried before or are not even possible.
7. Be Friendly – Never underestimate a good smile. You want everyone at your new job to be on your side. You do not necessarily need to be everyone’s friend, but you want people to have your back. Also, work is a lot easier if you are on friendly terms with those around you.
Executive Summary: Being a new hire is not always fun, but with a little research, patience and diligence, it does not have to be a truly stressful experience. Heed the advice listed above to make the transition to your next job as smooth as possible.
And… it’s time to purge those Office 365 deleted users. Although we could wait for the retention policy to do it for us, I wanted to do this “now”.
I had written the following steps in the past and thought I would share them here.
To delete the account for one or more users
Sign in to Office 365 with your work or school account.
Go to the Office 365 admin center.
Go to Users > Active Users.
Choose the names of the users that you want to delete, and then select Delete.
In the confirmation box, select Yes.
Well, not so fast. The deleted users are not fully gone yet. It takes 30 days after you have deleted a user for it to be purged from Office 365. However, there is a way to do this faster.
Connect to Office 365 using the Azure Active Directory (MSOnline) PowerShell module.
To connect, enter the following cmdlets:
- Store your credentials (this is held in memory): $msolcred = Get-Credential
- Connect to Office 365: Connect-MsolService -Credential $msolcred
Once connected you can issue the following command to list deleted users (-MaxResults 100 returns only the first 100; use -All to list every deleted user):
Get-MsolUser -ReturnDeletedUsers -MaxResults 100
To remove a deleted user permanently (this cannot be undone, so check the list above first):
Remove-MsolUser -UserPrincipalName UID@UPN.com -RemoveFromRecycleBin
If you have multiple users, the following pipeline removes every deleted user it lists from the recycle bin without prompting:
Get-MsolUser -ReturnDeletedUsers -MaxResults 100 | Remove-MsolUser -RemoveFromRecycleBin -Force
That’s it… You’re done. Good luck.
Original Post of mine can be found here