Recent ransomware attacks

You are currently reading a thread in /g/ - Technology

Thread replies: 40
Thread images: 9
File: locky-ransomware-FB.jpg (256 KB, 1280x1280)
Hey /g/uys and /g/irls...

> need some help with some ransomware attacks that occurred with my firm and our clients

I work in an accounting firm that has 40+ workstations connected to a single server.

Sometimes we use remote connection or teamviewer to connect into our clients and work from there.

Recently one of these clients that we use remote connection got a ransomware.

Then a few days after one of our workstations got hacked too.

The IT guy formatted this single workstation, but barely touched the server (the IP remains the same). He just formatted the installed Avira along with the already installed TrendOffice AV.

Then yesterday another client that we constantly use remote access with got hacked too.

> My question is:

If someone got access to one of our workstations, he probably knows the server IP and thus can still scan it for open ports, right?

If our server IP hasn't changed, the attacker still has our address, right?

Is my firm IT guy dumb enough not to change our IP and turn our server into a virus hive?

Or am I being completely ignorant about computer networks?
>>
File: 1462845452607.gif (2 MB, 576x324)
This is why you install gentoo
>>
>>55236498
>Not using linox or bsd for his server
>ask for help in /g/

fuck off
>>
>>55236533

i'm not the IT guy.

i'm the accounting guy that likes more IT than accounting.

the IT guy is an idiot.

I already told them to install linux but

"muh employers dont know how to use"
"muh server is secured by avira and trendoffice that i spent lots of money"
>>
>>55236533

we use an accounting system that works only in windows environment and the directors dont wanna change it

what about windows server and linux workstations?
>>
>>55236505
i got ubuntu thx though
>>
File: 1456273297050.jpg (186 KB, 690x460)
>>55236594
>ubuntu
>>
>>55236584
tell him to use proxmox+kvm and regular snapshots/backups of the system to go back in time in case something bad happens
do pci passthrough if needed. if the client needs windows, you can try having a central windows server+rdp on linux for that. i've tried it and have had good success.
>>
>>55236640

thanks for your info!
i really appreciate your help!
i'll study your options..

>but what about the server ip remaining the same?

according to my knowledge, the attacker may still know our address and thus can attack us again, right?
>>
>>55236667
tell the it guy to fuck off and learn his fucking job.
Windows server ? REALLY ?
>>
>>55236667
just update everything. if possible put in a firewall with something like mikrotik or pfsense. maybe try snort

>>55236672
i know people using windows server for 10-15 years. it's hard to transition away from. moving windows clients to windows server+linux nucs clients for rdp is the best compromise i've found
>>
i'll help you for $20,000

> doing it for free
wew
>>
>>55236622
its ok its linux all the same like gentoo i looked it up
>>
File: 56233440.jpg (52 KB, 250x250)
>>55236672

yeah i know... sadly they see me as just a n00b here.

>>55236719

we already have regular backups.. but the external hds are always connected to the server..

thats why i'm worried about the attacker knowing the server ip...

> mikrotik
> pfsense
> snort

thanks!!

>>55236725

> pic related
>>
File: 1465598829738.png (40 KB, 310x293)
>>55236756
>same like gentoo
take that back
>>
>>55236804

source?
>>
File: 1466736345946.jpg (6 KB, 300x300)
>>55236816
Everyone
>>
>>55236498
i know you say you are into IT but you are an actual faggot, 3 main reasons

1) know your job and dont nosey other peoples job
2) not your company, make your own
3) if shit happens, not your prob, u r meant to enjoy the ride

stick to bean counting, that is your job.

fuck people who cant "keep hold of their pwn basket"

its not your company and its not your job to beak your fat fucking nose into others role, shithead.

signed,
the actual IT guy
>>
File: 30.gif (15 KB, 95x95)
>>55236498
>If someone got access to one of our workstations, he probably knows the server IP and thus can still scan it for open ports, right?
>If our server IP hasn't changed, the attacker still has our address, right?
>Is my firm IT guy dumb enough not to change our IP and turn our server into a virus hive?

10/10 bait.
Retarded, yet believable.
>>
>>55236901
Get back to work, Pajeet Puloo.
>>
Teamviewer servers were hacked recently, passwords leaked. Change them or stop using it.
>>
File: 1464879371562.png (767 KB, 700x700)
>>55236901
CIA nigger detected
>>
>>55236901
can't take criticism for shit, worse than a pajeet
>>
>>55236901

dont be an idiot.

if the company fails i lose my job.
the owner is from my family.
i have my own side job.

i could extend it a little, but i wont spend more time with your idiocies

>>55236935

> Retarded, yet believable.

that's what I thought...

>>55236952

we don't use a static password

>>55236946
>>55236965
>>55236973

+1
>>
>>55236498
Wow, just wow. People like you are part of the problem.

>If someone got access to one of our workstations, he probably knows the server IP and thus can still scan it for open ports, right?
He could before. Protip, they were all likely open. People don't use internal firewalls very much
>If our server IP hasn't changed, the attacker still has our address, right?
He did before. Look up private subnets. Also, if l33t hacker boi can't find a server inside a subnet then there are bigger problems.
>Is my firm IT guy dumb enough not to change our IP and turn our server into a virus hive?
You are dumb. He made a choice. A small amount of security through obscurity or the fuckload of work around changing a server IP
>Is my firm IT guy dumb enough not to change our IP and turn our server into a virus hive?
No, your problem seems to be security and not networks.
>>
>>55237271
fuck I forgot my professional security hat.
Ask him what he plans to do for this in the future. User education, app level firewall, disabling some email features. This will all be driven from his root cause analysis (how did it get in and where was it from)
>>
>>55237271

why people like me are part of the problem?
i dont get it.

> You are dumb. He made a choice. A small amount of security through obscurity or the fuckload of work around changing a server IP

oh good. so basically you're saying that its better because it's easier to configure?
duh.

> No, your problem seems to be security and not networks.

what about "network security"? tsc tsc
>>
>>55236498
>got hacked
Retards are clicking stupid shit or using flash drives with e-AIDS.
>>
Fire the IT guy. He sucks at his job.
>>
>>55237271
This thread is pure gold
>>
>>55237271
lel wtf shut up you're worse than his IT guy
>>
>>55238020

how to prevent these retard employees to go out clicking idiot links ?

is there any browser app to do that?

is there any way to block all these retard womens to click 'free china stuff' and ' click here and learn how to lose 27kg just by eating bananas' ?


>>55238074
agreed... but he's a relative of the firm owner

>>55238100
agreed

>>55238136
agreed
>>
>>55238168
set up adblockers
uninstall flash
take away admin privilege for installing stuff
You could also get something to filter websites like facebook and other shitholes so they don't click reposted trash with links and they also don't waste the company's time browsing
>>
>>55238168
Oh good lord. Leave it to the professionals. He's probably already working on it if the infection/breach were bad enough.

Or maybe your shitty firm shouldn't be handling financial data without implementing any client security mechanisms.

I hate it when users try to micromanage my job. You want to waste my time with half baked suggestions? Fuck off. You want to actually learn something and propose some thoughtful advice then fine.
>>
>>55238225
also look up deepfreeze meanwhile and get some one who can upgrade your shit to linux, your IT guy is a useless windows server monkey
t. fellow accountant
>>
>>55238225

thanks!
already added these to my list.

i'm planning to collect lots of info and talk to the director and show him a few processes that we can implement here to improve our network security.

>>55238227

> Leave it to the professionals. He's probably already working on it if the infection/breach were bad enough.

he graduated from one of our worst colleges here. he's a moron. he looks like pic related.

> Or maybe your shitty firm shouldn't be handling financial data without implementing any client security mechanisms.

since he's a director relative, he doesn't even care... since the director doesn't "talk his language" and won't fire him.

> I hate it when users try to micromanage my job

I know that micromanaging is bad. I dont like it either. but I like my stuff secure and above that, the data of our clients must be safe

i dont fucking care about his happiness at all.
he doesn't even know how to read basic english ... when our computer got hacked he couldn't even tell the content of the cryptolocker image..

> You want to actually learn something and propose some thoughtful advice then fine.

that's what i'm doing atm...
>>
>>55238343
Has any digital forensics been done on this case? If no one at your firm is capable, that's another red flag that you should hire a security specialist.

How do you know that remote user A didn't infest remote machine A, get mad that their link wasn't working or scared of the infection, then go to local machine A and click the same shit later on?

Why are you assuming that the network layer was targeted at all?

I guarantee that this whole company is run by ignorant Pajeets.
>>
>>55238476

> Has any digital forensics been done on this case?

no.
IT GUY : "muh there's no way of knowing where it came from"

pretty dumb, isn't ?
but again... i'm just the accounting noob that 'knows nothing about IT'

> If no one at your firm is capable, that's another red flag that you should hire a security specialist.

red flag then!

> How do you know that remote user A didn't infest remote machine A, get mad that their link wasn't working or scared of the infection, then go to local machine A and click the same shit later on?

i dont know.
no forensics at all

> Why are you assuming that the network layer was targeted at all?

because i must start somewhere... r..right?

the order of the attacks (dunno if same hacker...)

t0 = client A connect to my firm via teamviewer
t1 = client A got hacked
t2 = one of our workstations got hacked
t3 = we use win7 remote connection app to connect to client B
t4 = client B got hacked

> I guarantee that this whole company is run by ignorant Pajeets.

me too.
they're good with accounting and laws and fucking bad with technology.
>>
>>55238168
squid+havp+pi-hole
>>
>>55238610

thanks a lot!