Disable TLS 1.0 and TLS 1.1 on Nginx and Enable TLS 1.2 and TLS 1.3

SSL/TLS protocol settings may be specified in the primary Nginx configuration file (usually located at /etc/nginx/nginx.conf), or in your site configuration files. Look for a line beginning with ssl_protocols. For example, the following is from the default nginx.conf file from a fresh Nginx install on Ubuntu:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

You can edit this line so that only current, secure TLS versions remain. TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996, and SSLv3 is already absent from the default list:

ssl_protocols TLSv1.2 TLSv1.3;

Note that any settings in your default SSL configuration may be overridden by server blocks configuring individual domain names, so be sure to check for those if changes to your protocol settings are not reflected in your website.

Once you have made your configuration changes, validate the syntax with nginx -t and then reload Nginx (for example, systemctl reload nginx or nginx -s reload) to put them into effect. For more information, please refer to Nginx’s documentation on configuring HTTPS servers.
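Because a server block can silently override the http-level ssl_protocols default, it helps to check every directive in the file rather than only the first one you find. The following Python script is an added example, not part of the original post or of Nginx: it scans nginx configuration text, tracks block nesting, and reports each ssl_protocols directive with its context, the server_name of the enclosing block, and any legacy versions still enabled. Only explicit directives are reported (a server block with no directive of its own inherits the http-level setting). The embedded SAMPLE_CONF is constructed for the demonstration; pass a real path such as /etc/nginx/nginx.conf as the first argument to scan a live file.

```python
import sys

# Versions that should no longer appear in ssl_protocols (TLS 1.0/1.1 were
# deprecated by RFC 8996; SSLv2/SSLv3 have been dropped for far longer).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample config (not taken from any real server): the http-level
# default has been fixed, but one server block still overrides it.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        listen 443 ssl;
        server_name good.example;
    }
    server {
        listen 443 ssl;
        server_name legacy.example;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    }
}
"""


def strip_comments(text):
    """Drop '#' comments so a commented-out directive is not reported."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def find_ssl_protocols(conf_text):
    """Return one dict per ssl_protocols directive found in the config text.

    Each dict carries the block context (e.g. 'http/server'), the server_name
    of the enclosing server block, the protocol list and the weak subset.
    """
    findings = []
    stack = []      # names of the blocks currently open, outermost first
    names = {}      # depth -> server_name seen in the block at that depth
    buf = ""
    for ch in strip_comments(conf_text):
        if ch == "{":
            words = buf.split()
            stack.append(words[0] if words else "?")
            buf = ""
        elif ch == "}":
            depth = len(stack)
            # Resolve server_name for directives recorded at this depth now
            # that the whole block (and any later server_name) has been seen.
            for f in findings:
                if f.get("_depth") == depth:
                    f["server_name"] = names.get(depth, "(default)")
                    del f["_depth"]
            names.pop(depth, None)
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":
            words = buf.split()
            buf = ""
            if not words:
                continue
            if words[0] == "server_name":
                names[len(stack)] = " ".join(words[1:])
            elif words[0] == "ssl_protocols":
                findings.append({
                    "context": "/".join(stack) or "main",
                    "protocols": words[1:],
                    "weak": sorted(set(words[1:]) & WEAK_PROTOCOLS),
                    "_depth": len(stack),
                })
        else:
            buf += ch
    for f in findings:                      # directives in an unclosed block
        if "_depth" in f:
            f["server_name"] = "(default)"
            del f["_depth"]
    return findings


def weak_findings(conf_text):
    """Only the directives that still enable a legacy protocol version."""
    return [f for f in find_ssl_protocols(conf_text) if f["weak"]]


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for f in find_ssl_protocols(conf):
        flag = "WEAK" if f["weak"] else "ok  "
        print(f"{flag} {f['context']} {f['server_name']}: {' '.join(f['protocols'])}")
```

Run it against each file under /etc/nginx/sites-enabled as well as nginx.conf; an include directive is not followed, so files must be passed one at a time.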

Enumerate SSL Ciphers Using nmap

A quick way to scan your network and enumerate the TLS protocol versions and cipher suites in use on systems is nmap’s ssl-enum-ciphers script.

nmap --script ssl-enum-ciphers -p 443 192.168.0.1/24

This scans the entire 192.168.0.0/24 subnet for hosts with port 443 open and, where it is, lists each protocol version the server accepts together with the cipher suites offered under it. Adjust -p if your TLS services listen on other ports.

You can also test a single host and protocol version directly with openssl s_client, if the openssl command is installed (Windows or Linux):

openssl s_client -connect 192.168.0.1:443 -tls1_2
openssl s_client -connect 192.168.0.1:443 -tls1_1

If the server accepts the requested protocol version, the handshake completes and the output shows the server certificate and the negotiated cipher. If it does not, the server answers with a protocol_version alert and you get output similar to the following; note "SSL alert number 70" and "Cipher is (NONE)":

$ openssl s_client -connect 192.168.0.1:443 -tls1_1
CONNECTED(00000003)
140154848113984:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1654548424
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
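Reading s_client output by eye is error-prone: the "Protocol : TLSv1.1" line in the SSL-Session block above is the version the client asked for, not one the server agreed to, so the "New, ..., Cipher is ..." line and the alert are the reliable signals. The script below is an added example, not code from the original post or from OpenSSL: it runs the openssl s_client commands shown above once per protocol version and classifies each result as accepted, rejected, or error. A server that refuses a version may send a handshake_failure alert (alert 40) instead of protocol_version (alert 70), so both are treated as a rejection. The sample outputs embedded for the self-test are constructed (the rejection abbreviates the capture above); the default host 192.168.0.1 is the one used on this page and is an assumption.

```python
import re
import subprocess

# openssl s_client flags for each protocol version, oldest first.
VERSION_FLAGS = ["-tls1", "-tls1_1", "-tls1_2", "-tls1_3"]

# Constructed sample outputs (abbreviated): the rejection mirrors the capture
# above, the acceptance is the shape of a successful TLS 1.3 handshake.
REJECTED_SAMPLE = """CONNECTED(00000003)
140154848113984:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
"""
ACCEPTED_SAMPLE = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
"""
REFUSED_SAMPLE = "140154848113984:error:0200206F:system library:connect:Connection refused\nconnect:errno=111\n"


def classify(output):
    """Return ('accepted', cipher), ('rejected', None) or ('error', None)."""
    m = re.search(r"^New, (.+?), Cipher is (\S+)", output, re.M)
    if m and m.group(2) != "(NONE)":
        return ("accepted", m.group(2))
    # "Cipher is (NONE)" or a protocol_version / handshake_failure alert means
    # the server declined this version; anything else is a connection problem.
    if m or "alert protocol version" in output or "alert handshake failure" in output:
        return ("rejected", None)
    return ("error", None)


def probe(host, port=443, timeout=10):
    """Try each protocol version with openssl s_client and classify the result."""
    results = {}
    for flag in VERSION_FLAGS:
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
               "-servername", host, flag]
        try:
            # input="" closes stdin so s_client exits after the handshake.
            proc = subprocess.run(cmd, input="", capture_output=True,
                                  text=True, timeout=timeout)
            output = proc.stdout + proc.stderr
        except subprocess.TimeoutExpired:
            output = ""
        results[flag.lstrip("-")] = classify(output)
    return results


def still_enables_legacy(results):
    """Names of the deprecated versions (TLS 1.0/1.1) the server accepted."""
    return [v for v in ("tls1", "tls1_1") if results.get(v, ("error",))[0] == "accepted"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"  # assumed target
    res = probe(host)
    for version, (status, cipher) in res.items():
        print(f"{version:7} {status:9} {cipher or ''}")
    legacy = still_enables_legacy(res)
    if legacy:
        print("WARNING: legacy TLS versions still accepted:", ", ".join(legacy))
```

An OpenSSL build with TLS 1.0/1.1 compiled out will report those versions as error rather than rejected, which is why the script distinguishes the two.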

Ransomware: id-3509099450_[mk.goro@aol.com].0oxr4

UPDATE 6/8/2017: This is a CryptON variant, see below.

A new variant of Dharma CryptON (CryptON 36 variant, to be precise) seems to have hit a server; here are some of the details I’ve been gathering.

Ransom Note

A file named ### DECRYPT MY FILES ###.txt is placed in each directory where encrypted files are located with the following content.

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.goro@aol.com
Your personal ID: 3509099450

Encrypted Files

Encrypted files have the following appended: .id-3509099450_[mk.goro@aol.com].0oxr4

Registry Entry

An interesting Registry entry is observed:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KJ8CvJIB1H5nRcJZ]
"KJ8CvJIB1H5nRcJZd"="32B7DAEBA948B330EA098023EE44F4C003D3ADFD3D1DFEC22DEA17F1030C8C5D"
"KJ8CvJIB1H5nRcJZn
"KJ8CvJIB1H5nRcJZs"="1"

A Google search for .0oxr4 comes up short, as does a search for any of the information in the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KJ8CvJIB1H5nRcJZ.

Searching for the email mk.goro@aol.com indicates this may be a ransomware that can be decrypted, according to the ID Ransomware website. However, I have found nothing that works for decrypting.

I have attached two sample files, an original Informant SNMP zip file pulled from a backup as well as the encrypted file.

Still a work in progress…

Update: 6/8/2017

From: https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-filenameemaildharmawalletzzzzz-support-topic/page-99

Any files that are encrypted with the newest variant of CryptON (Cry9, Cry36, Cry128, X3M, Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

This is a Cry36 variant and apparently not decryptable at this time; see: https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/?page=4#comment-171791
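The naming pattern in the quote above (.id-<victim ID>_[<email>].<5-character extension>, plus a ransom note named ### DECRYPT MY FILES ###.txt in each affected directory) is enough to triage a file server: which victim IDs and contact addresses are present, how many files carry each, and where the notes sit. The script below is an added example, not part of the original post: it matches file names against that pattern and tallies the results. One caveat drawn from the page itself: the quote calls the extension hexadecimal, but the samples .0oxr4 and .830s7 contain letters outside 0-9a-f, so the match accepts any five lowercase alphanumerics. The SAMPLE_PATHS listing is constructed for the demonstration (the indicators in it are the ones quoted on this page); walk_tree scans a real directory.

```python
import os
import re
from collections import Counter

NOTE_NAME = "### DECRYPT MY FILES ###.txt"

# .<original>.id-<digits>_[<email>].<5 alphanumerics>  (page samples .0oxr4 and
# .830s7 are not pure hex, hence [0-9a-z] rather than [0-9a-f]).
ENC_RE = re.compile(r"\.id-(?P<victim>\d+)_\[(?P<email>[^\]]+)\]\.(?P<ext>[0-9a-z]{5})$")

# Constructed sample listing (not real files): the indicator from this post,
# the two examples from the BleepingComputer quote, and some noise.
SAMPLE_PATHS = [
    r"D:\Data\report.docx.id-3509099450_[mk.goro@aol.com].0oxr4",
    r"D:\Data\### DECRYPT MY FILES ###.txt",
    r"D:\Data\Informant\snmp.zip.id-3509099450_[mk.goro@aol.com].0oxr4",
    r"D:\Other\budget.xlsx.id-1163283255_[liukang@mortalkombat.su].08c85",
    r"D:\Other\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def basename(path):
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_encrypted(path):
    """Return the victim ID, email, extension and original name, or None."""
    name = basename(path)
    m = ENC_RE.search(name)
    if not m:
        return None
    return {
        "path": path,
        "victim": m["victim"],
        "email": m["email"],
        "ext": m["ext"],
        "original": name[: m.start()],
    }


def scan(paths):
    """Classify an iterable of paths into ransom notes and encrypted files.

    'campaigns' counts encrypted files per (victim ID, email, extension) so
    that more than one ID or contact address on the same host stands out.
    """
    notes, encrypted = [], []
    for p in paths:
        if basename(p) == NOTE_NAME:
            notes.append(p)
        else:
            hit = match_encrypted(p)
            if hit:
                encrypted.append(hit)
    campaigns = Counter((h["victim"], h["email"], h["ext"]) for h in encrypted)
    return {"notes": notes, "encrypted": encrypted, "campaigns": campaigns}


def walk_tree(root):
    """Scan a real directory tree (read-only; nothing is modified)."""
    def paths():
        for d, _, files in os.walk(root):
            for f in files:
                yield os.path.join(d, f)
    return scan(paths())


if __name__ == "__main__":
    import sys
    result = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_PATHS)
    print(f"ransom notes: {len(result['notes'])}, encrypted files: {len(result['encrypted'])}")
    for (victim, email, ext), n in result["campaigns"].most_common():
        print(f"  id-{victim} [{email}] .{ext}: {n} file(s)")
```

Keep the original name reported by match_encrypted: it is what you search for in backups, as was done here with the Informant SNMP zip.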

CPU-miner Installed via Windows OS Vulnerability

Update 5/6/2017: Close port 445 and apply MS17-010.
I have triaged a handful of Windows servers this week that started out ticketed as high CPU / performance issues.
Upon investigation, I found XMR cryptocurrency miners being installed through a Windows OS vulnerability.

Fail2ban + fail2sql + Ban Hammer + PHP7


I recently revisited a project from some time ago that I had found, and modified the code to support PHP 7, which dropped the mysql extension in favor of mysqli.

If you’re interested, I’ll attach the zip file: https://github.com/rjkreider/banhammer. I mainly just hacked it up and added an "i" to the mysql_ functions, changed mysql_numrows to mysqli_num_rows, fixed the constant MYSQL_NUM to MYSQLI_NUM, and made a few other tweaks in fail2sql.

Note that these are just the Ban Hammer HTML/PHP files, not fail2sql, so you’ll still need to grab fail2sql and get that set up. I now include fail2sql in my repo with the modified PHP.