Problems

Posted: 01 Nov 2020, 09:38
by Mjuzique
Hi there,

I am not sure if the support@excito.com email is working anymore, since I have not received a message from them except just an automatic request reply. It seems that my B3 has been attacked by a MARS ransomware type of infection, just a few days ago, and we realized it today, on the 1st of November. Is there still a way to solve things better and even save my data from there? I am very sorry that I have to be in touch with this subject.

Another thing I would like to know, the current 2.6.0.3 version I have... is that really the latest? It has not been updating for a long time, as it used to. I may have to just cry out as I have lost such a lot of photographs and other things as well, like personal memories.

Re: Problems

Posted: 02 Nov 2020, 15:28
by Gordon
Sorry to hear about your troubles. From what I read though, Mars is a Windows only infection, so that would mean that the origin of your troubles is a Windows client machine, or should I interpret "Mars type of infection" differently? Did you verify the owner of the infected files? Use the `top` command to check for any high CPU process running with that username. This should make clear if the trojan is running on the B3 or the files are altered from a client machine with an active network connection to one or more shares.

Yes, 2.6.0.3 is the latest version of the official Bubba software. A security hotfix actually that needs to be installed on top of the latest release which is 2.6.0.2. Software development ceased as the original founders went their own way, and the current owners of the brand only do hardware as well. Alternative operating systems do exist though and are being published in the development forum.

Re: Problems

Posted: 03 Nov 2020, 01:48
by Mjuzique
Thanks - and I will get back to this, once I have time.

"Did you verify the owner of the infected files? Use the `top` command to check for any high CPU process running with that username. This should make clear if the trojan is running on the B3 or the files are altered from a client machine with an active network connection to one or more shares."

I am using both Windows and Macbook laptops, true. Though my newer Macbook does not communicate with the B3 at all, the older one did... but the Windows one still does, but only from my wife's profile. Some weeks ago there was no problem yet, and we saw the time stamps October 31st and November 1st on the infected files... did not use the computer on October 31st at all.

The files in the B3 are basically all mine and my wife's - and we are both sort of admins there, from my point of view. Could you please explain what you mean by "verify the owner..." and also "use the top command..." things, so I am able to understand more clearly. After now 2 days of sleeping and "sort of crying", finally getting normal... such is life. Shit happens.

Some things probably should just be like they are now, vanished forever.
In this case, quite some many useful things and memories, though.

Re: Problems

Posted: 04 Nov 2020, 06:44
by Gordon
Right... sorry. Assumed you would have some Linux knowledge.

You need to make an SSH connection to the B3. If you never did that before, check the Wiki page for instructions.

Once in SSH you should change directory (`cd` command) to `/home/storage` which is the `storage` share you see on the network. Navigate to where you know infected files exist and use `ls -l` command to get a full directory listing including the name of the user who created or last modified the file (in Linux this user is called the owner of the file).

The `top` command is similar to Task Manager in Windows. It shows you running processes in descending order of CPU usage. Typically you should not see anything in there that uses more than 10 percent CPU for anything more than just a few seconds. A trojan script, if you have one, will most definitely stick out - the one reported here that prompted the 2.6.0.3 hotfix to be created used around 80 percent continuously.

Gordon
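
The check described in the post above, as an added example that is not part of the original thread: it tallies file owners from `ls -l` output and looks for a process of that owner above the 10 percent mark, using a `ps` snapshot in place of the interactive `top`. The user names, file names and process names in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. On the B3 itself the helpers would be fed real output:
#   ls -l /home/storage/<dir> | owner_tally
#   ps -eo user,pcpu,pid,comm | verdict <owner> 10
# Note: ps reports %CPU averaged over the process lifetime, which suits a
# process that runs hot continuously; top shows the momentary value.

# Count files per owner (field 3 of `ls -l`), most frequent owner first.
owner_tally() {
    awk 'NF >= 9 && $1 ~ /^[-dl]/ { n[$3]++ }
         END { for (u in n) print n[u], u }' | sort -rn
}

# List "pid %cpu command" for processes of user $1 above $2 percent CPU.
busy_procs() {
    awk -v u="$1" -v t="$2" \
        'NR > 1 && $1 == u && $2 + 0 > t + 0 { print $3, $2, $4 }'
}

# "local":  the owner has a hot process on the box, so the writer runs there.
# "remote": no such process, so the files were changed through a network share.
verdict() {
    if [ -n "$(busy_procs "$1" "$2")" ]; then echo local; else echo remote; fi
}

# Constructed sample of `ls -l` output (names and extension are placeholders).
SAMPLE_LS='total 24
-rw-r--r-- 1 anna users 48211 Oct 31 03:12 photo1.jpg.PLACEHOLDER
-rw-r--r-- 1 anna users 51902 Oct 31 03:12 photo2.jpg.PLACEHOLDER
-rw-r--r-- 1 anna users   612 Nov  1 01:40 README.PLACEHOLDER.txt
-rw-r--r-- 1 root root   1034 Sep 14 18:02 backup.log'

# Constructed sample of `ps -eo user,pcpu,pid,comm` output.
SAMPLE_PS='USER     %CPU   PID COMMAND
root      0.1     1 init
root      0.3   812 smbd
anna      0.0  1450 sshd
bob      81.5  2077 perl'

owner=$(printf '%s\n' "$SAMPLE_LS" | owner_tally | head -n 1 | cut -d' ' -f2)
echo "most common owner: $owner"
echo "writer location:   $(printf '%s\n' "$SAMPLE_PS" | verdict "$owner" 10)"
```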