Crypto came in! No matter how locked down network security is, laptops leaving and entering the environment are still a huge risk. I guess HR won't be allowed to work from home anymore, clicking on all their infected resume emails. Kaspersky may have helped if this thing was on our network often enough to get updates. I guess this will be my official foray into incident response documentation!
Apr 5, 2016 20:32

quote:Hello, Sure, whatever, I'll just log into their Intuit account and order some licen-- It's been like this for an hour now
Apr 5, 2016 20:38

One of the things we invested in was Cisco Cloud Web Security. It works great. On laptops you install an agent and it keeps filtering and monitoring traffic even offsite.
Apr 5, 2016 20:39

Khisanth Magus posted:I just don't want to spend the energy to fight with a system (or even have the energy required to fight it most of the time) that is going to waste my time with diagnoses of insomnia (no, I don't have any problems falling asleep; as a matter of fact, I fall asleep quite well at 3am), wasting my time with "sleep hygiene" crap that isn't going to help, and attempts to just drug away all my problems.

If you think your doctor is just trying to get you out the door instead of listening to your problems, you should find a different doctor. What are you expecting from a doctor that doesn't involve medication though, Voodoo?
Apr 5, 2016 21:23

Jerry Cotton posted:You type fairly well so I guess you learned to cope with your glueability?

He glued more fingers onto the other stuff he glued to his hands, now he's the fastest typist ever. Ol' Krazy Keyboardin' Collateral they call him, typin' like a receptionist on meth.
Apr 5, 2016 21:37

Brut posted:If you think your doctor is just trying to get you out the door instead of listening to your problems, you should find a different doctor.

There is no effective medication for DSPS, and even if there were, you really aren't supposed to use sleeping pills long-term. Before I went to my sleep doctor (somniatrist? somnician?), my GP just wanted to try all sorts of sleep medication. It led to me sleeping 12-14 hours per day.
Apr 5, 2016 21:59

Veritas backup restore will not do a "point in time" restore and delete files created after the backup was taken. It just overwrites files that were there previously with the backup version. Fine, I guess, but I'd like the option to delete poo poo that wasn't supposed to be there since I now have to deal with tens of thousands of cryptolocker ransom notes.

PowerShell should work just fine: write the script, test it by logging file locations with no deletes, looks fine, patch in the delete command, works great. It's crawling through our mapped drives looking for the file name and nuking anything it comes across. Except, oddly, it stops on the Accounting folder. For 30 minutes. What could it be doing? Let's take a look at how many files are in thWHAT THE gently caress. 1.1 Million files. That can't be healthy.

EDIT: My senior admin thinks it's a good use of his time to crawl through the sub folders by hand to delete these files, and he thinks it's just as fast as my script that blew through tens of thousands of folders in 30 minutes.

Judge Schnoopy fucked around with this message at 22:24 on Apr 5, 2016
Apr 5, 2016 22:06

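The log-first, delete-second cleanup described in the post above, written out as an added PowerShell example (this is not the poster's script). It takes a list of share roots rather than one top-level directory, so a huge tree like the Accounting folder can be skipped or run on its own, logs every matching ransom note, and only removes anything when -Delete is passed. The root paths and note filenames are constructed placeholders.

```powershell
# Added example, not the poster's script. Ransom-note cleanup after a
# cryptolocker incident: log every hit, delete only when -Delete is set.
# Roots and note names are constructed placeholders; use the exact
# filenames the infection dropped in your environment.
param(
    [string[]]$Roots = @('\\fileserver01\Sales', '\\fileserver01\HR'),
    [string[]]$NoteNames = @('DECRYPT_YOUR_FILES.txt', 'DECRYPT_YOUR_FILES.html'),
    [string]$LogPath = "$env:TEMP\ransom-note-cleanup.log",
    [switch]$Delete
)

$mode = if ($Delete) { 'DELETE' } else { 'DRY-RUN' }
Add-Content -Path $LogPath -Value "=== $(Get-Date -Format o) mode=$mode ==="

$hits = 0
$failed = 0
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Add-Content -Path $LogPath -Value "SKIP`tunreachable root`t$root"
        continue
    }
    foreach ($name in $NoteNames) {
        # -Filter is applied by the file system provider, far cheaper than
        # pulling every entry back and matching the name in PowerShell;
        # that difference matters on a tree with a million files.
        $found = Get-ChildItem -LiteralPath $root -Filter $name -Recurse -File -Force -ErrorAction SilentlyContinue
        foreach ($file in $found) {
            # -Filter uses file-system wildcard rules; insist on the exact
            # name so nothing but the note itself is ever removed.
            if ($file.Name -ne $name) { continue }
            $hits++
            Add-Content -Path $LogPath -Value ("{0}`t{1}`t{2:o}" -f $mode, $file.FullName, $file.LastWriteTimeUtc)
            if (-not $Delete) { continue }
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            } catch {
                $failed++
                Add-Content -Path $LogPath -Value "FAILED`t$($file.FullName)`t$($_.Exception.Message)"
            }
        }
    }
}

Add-Content -Path $LogPath -Value "=== done: $hits matched, $failed failed ==="
Write-Host "$mode complete: $hits matching file(s), $failed failed; log at $LogPath"
```

Run it once without -Delete and read the log before running it again with -Delete; the log from the dry run is also the record you want for the incident write-up.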
Judge Schnoopy posted:EDIT: My senior admin thinks it's a good use of his time to crawl through the sub folders by hand to delete these files, and he thinks it's just as fast as my script that blew through tens of thousands of folders in 30 minutes.

"Bet you my way is faster, loser buys lemon cake and a bottle of Penderyn single malt Madeira finish for the office on Friday."
Apr 5, 2016 22:45

Judge Schnoopy posted:Veritas backup restore will not do a "point in time" restore and delete files created after the backup was taken. It just overwrites files that were there previously with the backup version. Fine, I guess, but I'd like the option to delete poo poo that wasn't supposed to be there since I now have to deal with tens of thousands of cryptolocker ransom notes.

Are there backup programs that actually do this? Every backup I've ever used has simply restored the files that are in the backup without touching anything else.
Apr 5, 2016 23:02

Judge Schnoopy posted:Crypto came in! No matter how locked down network security is, laptops leaving and entering the environment are still a huge risk. I guess HR won't be allowed to work from home anymore, clicking on all their infected resume emails.

I don't understand why anyone in TYOOL 2016 wouldn't use a service like mimecast. We're 350 users, 80 of them are remote. We've had 1 cryptolocker infection that happened about 3 months ago via an infected HP Procurve firmware package that got downloaded. Every other one gets quarantined by mimecast, helpdesk either deletes or tests potentially bad programs/links in a sandbox.
Apr 5, 2016 23:03

ConfusedUs posted:Are there backup programs that actually do this? Every backup I've ever used has simply restored the files that are in the backup without touching anything else.
Apr 5, 2016 23:11

I would expect in most situations like above, the easy way would be to blow the data away and then restore. Not a backup admin so probably not best practice tho.
Apr 5, 2016 23:15

Brut posted:If you think your doctor is just trying to get you out the door instead of listening to your problems, you should find a different doctor.

As the other poster said, you can't medicate what I have, sleeping medications just make your situation worse. The only purpose to getting it formally diagnosed is to give it to HR so maybe I won't be fired the next time I sleep through the 4 staggered alarms I have set up in the morning.
Apr 5, 2016 23:19

nexxai posted:That better be how any backup software works! What happens if I want to restore a single deleted file? It better not loving touch any other file in that folder.

That's kind of my opinion, frankly.

RFC2324 posted:I would expect in most situations like above, the easy way would be to blow the data away and then restore.

That's the most common thing, yes. Less common is manual (or scripted) removal of unwanted stuff. And in neither case is it the backup program's responsibility. It is the admin's.
Apr 5, 2016 23:22

Khisanth Magus posted:As the other poster said, you can't medicate what I have, sleeping medications just make your situation worse. The only purpose to getting it formally diagnosed is to give it to HR so maybe I won't be fired the next time I sleep through the 4 staggered alarms I have set up in the morning.

Get the timely app on your phone... you have to do math problems to get it to shut the hell up.
Apr 5, 2016 23:23

Khisanth Magus posted:As the other poster said, you can't medicate what I have, sleeping medications just make your situation worse. The only purpose to getting it formally diagnosed is to give it to HR so maybe I won't be fired the next time I sleep through the 4 staggered alarms I have set up in the morning.

Even if it's true that there is no combination of currently available medication (this covers way more than just "sleeping pills") that can help you in any way, you came across as having some weird judgement, describing your personal experience with a handful of doctors as "the healthcare industry" and thinking that doing anything more than a few minutes of uncompensated work is normal/standard or even at all acceptable.
Apr 5, 2016 23:31

ConfusedUs posted:That's kind of my opinion, frankly.

I guess this is true. I have never seen a backup program that deleted things, and it shouldn't even as an option.

Senior admin cleaned a few folders and wrote the folders down by hand. My script recorded 21000 file kills and documented every one in a log file. I think I won.
Apr 5, 2016 23:34

DigitalMocking posted:I don't understand why anyone in TYOOL 2016 wouldn't use a service like mimecast.

Other than their piece of poo poo web interface Mimecast has been solid at this place. No crypto in over a year.
Apr 5, 2016 23:51

The portal is a bit confusing if you aren't in 'Mimecast mode' when you're using it, but at least it loving works. Better than Office 'whoops try again' 365.
Apr 5, 2016 23:56

How much is Mimecast's per user pricing for virus protection? Can't be arsed to plug in my info and have yet another salesperson calling me.
Apr 5, 2016 23:59

Jerry Cotton posted:You type fairly well so I guess you learned to cope with your glueability?
Apr 6, 2016 00:00

Kashuno posted:I'm dumb and didn't think to use PDQ Deploy because we literally never use it in this place. So I just used PDQ Deploy instead. I'm still going to see why I couldn't get it working, but using simple solutions is much better.

Brut posted:If you think your doctor is just trying to get you out the door instead of listening to your problems, you should find a different doctor.

Ghostlight fucked around with this message at 00:06 on Apr 6, 2016
Apr 6, 2016 00:03

The Macaroni posted:Sage

His accounts manager lives in Texas and RDPs in to work. He got sick of being around him but he was literally his first employee and he knew nobody would be able to decipher the hosed up way he does things (legal, just a massive mess) so he caved. He said no initially and brought in two people who lasted 2 days each, enough to basically tell him he's insane.

quote:2. Backups of our Sage files were stored locally, because offsite backup was a SECURITY RISK.

The Sage logins were: username - our initials. Password - first name. Every computer in the office and all emails were 6 letters, the shortened two words of the company name. I refused to do it on the server admin account but when I left he had me change it to the 6 letters plus the suite # of the office. Even the wifi, which was just WEP. I even had to convince him to at least isolate the wifi from the network. Until he brought in his laptop and couldn't access anything. Still not sure how I managed to keep that fucker safe, nobody ever got in and the one time a virus got in was because he got that FBI child porn ransomware. And brought it into the office.

lampey posted:$50 an hour is really cheap for consulting work. Our lowest hourly rate is $140 an hour, and that's for when we have a support agreement with from years ago, and they are nonprofits, and we are already billing them for monitoring/hosting/backups. You have experience that is valuable to the business and it would be costly for them to hire someone else and get them up to speed. They are paying you to solve their problems when no one else can, not just an hourly wage at this point. Also have a minimum time billed like 2-4 hours. Find out what it would cost to have them hire someone else to do it and negotiate from there.

I'm in Massachusetts, he's in Florida. He has no idea how long anything takes.
Apr 6, 2016 01:22

RFC2324 posted:Get the timely app on your phone... you have to do math problems to get it to shut the hell up.

If he's anything like me, he'll gladly sleep through an alarm blaring right in his ear for an hour.
Apr 6, 2016 01:48

I went to the gym, and sometime between then and the hour later when I checked my phone, 350 tickets came in. One of the UPSes is throwing basically every error it can at me, so I guess I get to go back and figure out wtf.
Apr 6, 2016 01:54

MisterZimbu posted:If he's anything like me, he'll gladly sleep through an alarm blaring right in his ear for an hour.

This is my problem. Plus any puzzle or math problem I'm capable of doing while awake can be completed by waking up just enough and going back to sleep.

I find it helps if you enjoy your job and have something to wake up for. Previously I'd wake up a few hours before I needed to be at work, that way I could get stuff done, goof off, and get ready without rushing. I wasn't just waking up to get to work. (This was a later morning shift)

That's what worked best for me, but right now I'm forced to work a shift that starts early enough that this isn't easily possible for me. It's been hell struggling to wake up, fighting traffic, etc. Lucky I just got a position in a new department, only a few weeks left in my current one.

PBS fucked around with this message at 02:20 on Apr 6, 2016
Apr 6, 2016 02:14

I locked my computer to go use the bathroom, came back, and I couldn't sign in; the error message says that the server doesn't have a computer account for the workstation trust. I try again, same message, try local account, no good. I disconnect from the network, and my password lets me in. I connect the cable and I'm able to sign into things alright, I jump on IM and ask one of our help desk people if they've seen that error. He goes "Yep, here is the fix, go into your power settings and set your power setting to Performance, that will fix it!" I try it and oddly enough, a power setting has nothing to do with an AD problem. He says he will escalate the problem to tier 2 and they'll give me a call right away. 2 hours go by and I hadn't heard from them. Glad I had a workaround at least, although every time I left my desk I had to disconnect a cable to sign back in.
Apr 6, 2016 02:53

PBS posted:This is my problem. Plus any puzzle or math problem I'm capable of doing while awake can be completed by waking up just enough and going back to sleep.

I wonder if there's a way I can make my phone lie to me about the time and say it's 10 minutes later than it really is. So far the only thing that's proven to be effective in getting me out of bed is the grim realization that I need to be out of the apartment in less than 30 minutes or be late to work. I can do a lot with one less press of the snooze button.

Renegret fucked around with this message at 03:01 on Apr 6, 2016
Apr 6, 2016 02:55

DigitalMocking posted:It does if you configure it.

Yeah it shouldn't be... but unless he never actually made any edits to his file, then he definitely deleted it off the thumb drive somehow. Either way, he had it coming.
Apr 6, 2016 03:00

GnarlyCharlie4u posted:Conversely, 90% of our office thinks that "shut down" means, switch user, or log off, or turn off the monitor, or just not loving touch the thing but set the phone down and go get some coffee or something.

"Oh, those IT idiots are telling me to reboot again, that never works, they just have to say it, they don't realize it throws away all my stuff, I'll lie and tell them I did it."
Apr 6, 2016 03:10

CitizenKain posted:I locked my computer to go use the bathroom, came back I couldn't sign in, error message says that the server doesn't have computer account for the workstation trust.

I've actually heard this one before, but hell if I can remember how to fix it.
Apr 6, 2016 03:34

CitizenKain posted:I locked my computer to go use the bathroom, came back I couldn't sign in, error message says that the server doesn't have computer account for the workstation trust. I try again, same message, try local account, no good. I disconnect from the network, and my password lets me in. I connect the cable and I'm able to sign into things alright, I jump on IM and ask one of our help desk people if they've seen that error. He goes "Yep, here is the fix, go into your power settings and set your power setting to Performance, that will fix it!"

If you can, remove the pc from the domain. Reboot. Login via local admin. Readd to the domain. Reboot. Should work now.
Apr 6, 2016 03:46

ConfusedUs posted:I've actually heard this one before, but hell if I can remember how to fix it.

Once again, our Lord and Saviour PowerShell has the answer: Test-ComputerSecureChannel -Repair is the cmdlet you'll want to run. Either that or use netdom, but I think the PowerShell method is easier.
Apr 6, 2016 03:49

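The Test-ComputerSecureChannel route from the post above, as an added PowerShell example (not the poster's own commands): confirm the trust is actually broken before touching it, then repair in place, which resets the computer account password on both sides without the leave, rejoin and two reboots. The DC name, the credential prompt and the netdom line in the comment are assumptions for illustration.

```powershell
# Added example, not the poster's own commands. Diagnose and repair a
# broken workstation-to-domain secure channel (the "computer account /
# workstation trust" logon error) without leaving and rejoining the
# domain. Run from an elevated PowerShell on the affected machine while
# it is on the network. The DC name is an assumption; omit -Server to
# let the DC locator pick one.
param(
    [string]$Server = 'dc01.corp.example.local',
    [pscredential]$Credential = (Get-Credential -Message 'Domain account allowed to reset this computer account')
)

# Step 1: check. $true means the channel is fine and the logon error has
# another cause (time skew, duplicate machine name, no DC reachable).
# -Verbose shows which domain controller was actually contacted.
$ok = Test-ComputerSecureChannel -Server $Server -Verbose
if ($ok) {
    Write-Host "Secure channel to $Server is healthy; no repair needed."
    return
}

# Step 2: repair resets the computer account password on the machine and
# on the DC, which is exactly what is out of sync when the error appears.
# No reboot is required; domain logons work again straight away.
$repaired = Test-ComputerSecureChannel -Server $Server -Repair -Credential $Credential
if (-not $repaired) {
    # The netdom alternative mentioned in the thread does the same reset
    # (assumed syntax, needs the AD DS RSAT tools installed):
    #   netdom resetpwd /server:dc01 /userd:CORP\admin /passwordd:*
    throw "Repair failed against $Server; check that the computer object still exists and is enabled in AD."
}

# Step 3: verify, so the ticket can be closed with evidence rather than hope.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel repaired and verified against $Server."
} else {
    Write-Warning "Repair reported success but the re-check failed; try again against a different DC."
}
```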
GreenNight posted:If you can, remove the pc from the domain. Reboot. Login via local admin. Readd to the domain. Reboot. Should work now.

Don't even have to reboot twice - just go right back to system properties and repeat the process, except this time rejoin the domain. Then reboot. I have to do this way too frequently.
Apr 6, 2016 03:50

Judge Schnoopy posted:I guess this is true. I have never seen a backup program that deleted things, and it shouldn't even as an option.

Also that is a lot of crypto ransom files.
Apr 6, 2016 04:11

ilkhan posted:Rename the root of the stuff being restored. Restore. Is it all there? Delete the renamed folder.

Hit over 7000 network folders, 3 files per folder. Could not keep a renamed copy and restore, the share directory is at 80% capacity. The PowerShell worked just fine to delete the files but I had to target parent folders individually instead of the root directory. The infected machine didn't have access to all parent folders, such as accounting, and I didn't have a spare 4 hours for the script to crawl through the million files in that directory.

Interesting thing, it looks like crypto queried DNS to find shares on the network that weren't mapped. Four servers with no mapped drives had shares with "authenticated users" permissions and they were all hit. Didn't expect that one. I had to check every server for shared folders because of course they aren't documented.
Apr 6, 2016 04:58

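An added PowerShell example (not the poster's script) for the follow-up problem in the post above: listing every share on every server and flagging the ones that Authenticated Users, Everyone or similar can write to, since those are the shares an infected workstation reaches whether or not a drive is mapped. The server names, the CSV path and the list of "broad" principals are assumptions.

```powershell
# Added example, not the poster's own script. Inventory SMB shares on
# a list of servers and flag any where a broad principal (Everyone,
# Authenticated Users, Users, Domain Users) is allowed Change or Full,
# i.e. the kind of undocumented, unmapped share the post describes
# being hit. Needs the SmbShare module (Windows 8 / Server 2012 or
# later) and admin rights on each target. Server names are placeholders.
param(
    [string[]]$Servers = @('FS01', 'FS02', 'APP01', 'SQL01'),
    [string]$ReportPath = "$env:TEMP\share-audit.csv"
)

# Domain groups appear as DOMAIN\Name, so match on the trailing name.
$broadPattern = '^(Everyone|.*\\Authenticated Users|.*\\Users|.*\\Domain Users)$'

$rows = foreach ($server in $Servers) {
    try {
        $cim = New-CimSession -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "Could not reach ${server}: $($_.Exception.Message)"
        continue
    }
    # Special = admin shares (C$, ADMIN$, IPC$); those already need admin rights.
    $shares = Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        foreach ($ace in (Get-SmbShareAccess -CimSession $cim -Name $share.Name)) {
            $broad    = $ace.AccountName -match $broadPattern
            $writable = ($ace.AccessControlType -eq 'Allow') -and ($ace.AccessRight -in 'Change', 'Full')
            [pscustomobject]@{
                Server  = $server
                Share   = $share.Name
                Path    = $share.Path
                Account = $ace.AccountName
                Right   = $ace.AccessRight
                Type    = $ace.AccessControlType
                Exposed = $broad -and $writable
            }
        }
    }
    Remove-CimSession -CimSession $cim
}

# Full inventory to CSV (the share documentation the post wishes existed);
# exposed entries to the console for immediate attention.
$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Where-Object Exposed | Sort-Object Server, Share |
    Format-Table Server, Share, Path, Account, Right -AutoSize
```

Share-level Change is only half of the picture: whether a given account can actually write also depends on the NTFS ACL of the share path, so treat Exposed rows as candidates to check rather than a verdict.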
Brut posted:Even if it's true that there is no combination of currently available medication (this covers way more than just "sleeping pills") that can help you in any way, you came across as having some weird judgement, describing your personal experience with a handful of doctors as "the healthcare industry" and thinking that doing anything more than a few minutes of uncompensated work is normal/standard or even at all acceptable.

There are light therapies, though as mentioned it is very strict and one night of interrupted sleep reverts everything. The problem isn't sleeping, it's reaching stage 4 sleep. Sleeping pills actually delay stage 4 sleep even further, taking more hours to sleep for less actually productive sleep. It's kind of like a permanent second shift circadian rhythm. I do agree he needs to find a doctor knowledgeable on the topic and not generalize the healthcare industry about it though, those doctors do exist. And yes, there is no currently available medication, even outside sleeping pills.

Actually on topic: I got promoted a few months ago but haven't really filled the position because I wasn't replaced until yesterday. My new job is to physically rip apart printers and repair them. My first big project was today. The printer ate the metal baffle that's supposed to pop paper into the bypass feeder. Apparently the springs were way too taut and it stripped a screw right out of the hole, the baffle then proceeded to feed directly into the laser. I never thought that possible.
Apr 6, 2016 05:12

Dick Trauma posted:Other than their piece of poo poo web interface Mimecast has been solid at this place. No crypto in over a year.

Their portal is loving awful, but when we had a complete vmware meltdown last week it was sure nice that on-prem users still had email.
Apr 6, 2016 05:15

GreenNight posted:If you can, remove the pc from the domain. Reboot. Login via local admin. Readd to the domain. Reboot. Should work now.

I'll give that a try if I can tomorrow, my PC is weird in that I'm not entirely sure I have local admin on it. The joy of getting hand-me-down laptops.

On a side note, I hope we can get a person who is really good with Linux hired at some point. The previous people left and now we have all these servers and no one with enough experience to run them.
Apr 6, 2016 05:21

CitizenKain posted:I'll give that a try if I can tomorrow, my PC is weird in that I'm not entirely sure I have local admin on it. The joy of getting hand-me-down laptops.

Use Hiren's to reset the local admin credentials.
Apr 6, 2016 08:28