CryptoLock (variant) repair script

Use this script to search for files that have .encrypted appended to their name and replace them with the version held in a shadow copy (VSS snapshot).

This PowerShell script creates a symbolic link to the shadow copy you name, then searches the folder you specify, restores every affected file from the snapshot and deletes the encrypted copy. Two things to check before running it: the snapshots must still exist (many ransomware variants run vssadmin delete shadows to destroy them, so confirm with vssadmin list shadows first), and the snapshot you pick must date from before the encryption started. The script removes each .encrypted file as soon as the copy from the snapshot succeeds, so try it on a subfolder first and keep a copy of the share until you are happy with the result.

This script is a modified version of the one here – https://rcmtech.wordpress.com/2016/01/27/restore-malware-encrypted-files-from-vss-snapshots/

Function New-SymLink ($link, $target)
{
    # Directory symlink pointing at the shadow copy volume. The arguments go to cmd
    # directly rather than through Invoke-Expression, so paths with spaces survive
    # and nothing in a path can be interpreted as extra PowerShell code.
    & cmd /c mklink /d "$link" "$target"
}
Function Remove-SymLink ($link)
{
    if (Test-Path -LiteralPath $link -PathType Container)
    {
        # rmdir removes a directory symlink without touching what it points at
        & cmd /c rmdir "$link"
    }
    elseif (Test-Path -LiteralPath $link)
    {
        & cmd /c del "$link"
    }
}

# Before running this script:
# Use: vssadmin list shadows to find the latest unencrypted shadow copy - check the date & time
# each one was created and pick one from before the encryption started.
# Record the Shadow Copy Volume name and put it in $VSSName below; the script creates and
# removes the symbolic link for you. To do the same by hand:
#   Create a folder to hold the symbolic link: md C:\VSS
#   Then use: cmd /c mklink /d C:\VSS\67 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1555\
#   Once done, remove the symbolic link by using: cmd /c rd C:\VSS\67
# You need to add a trailing backslash to the Shadow Copy Volume name produced by vssadmin.

# This is the path on the file server that got encrypted (must start with a drive letter, e.g. E:\):
$EncryptedPath = "E:\File Shares\"
# The folder used temporarily to mount the VSS snapshot (the symbolic link). Include the trailing \
$VSSPath = "c:\vsstemp\"
# Shadow Copy Volume name from vssadmin. Be sure to include the trailing \
$VSSName = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy250\"
# File extension that the encrypted files have:
$Extension = ".encrypted"
# File name (minus extension) used for the "How to get your stuff unencrypted" ransom notes:
$RecoverFileFilter = "HOW_TO_RESTORE_FILES"

Remove-SymLink $VSSPath
New-SymLink $VSSPath $VSSName

$FileList = @(Get-ChildItem -LiteralPath $EncryptedPath -Filter "*$Extension" -Recurse -Force -File)
$TotalFiles = $FileList.Count
Write-Host ("Found " + $TotalFiles)
$Counter = 0
foreach ($EncryptedFile in $FileList) {
    # Strip only the trailing extension (a plain Replace would also hit ".encrypted" anywhere else in the path)
    $DestFileName = $EncryptedFile.FullName.Substring(0, $EncryptedFile.FullName.Length - $Extension.Length)
    # Strip the drive letter and colon ("E:\") from the full path and prefix the temporary VSS path
    $StrippedName = $DestFileName.Substring(3)
    $VSSFileName = "$VSSPath$StrippedName"

    try {
        # Use LiteralPath to prevent problems with paths containing special characters, e.g. square brackets
        Copy-Item -LiteralPath $VSSFileName -Destination $DestFileName -ErrorAction Stop
        # Only remove the encrypted copy once the restore from the snapshot has succeeded
        Remove-Item -LiteralPath $EncryptedFile.FullName -Force
    }
    catch {
        Write-Warning ("Could not restore " + $DestFileName + ": " + $_.Exception.Message)
    }
    Write-Progress -Activity "Fixing" -Status $DestFileName -PercentComplete ($Counter / $TotalFiles * 100)
    $Counter++
}
Write-Progress -Activity "Fixing" -Completed
Write-Host "Done recovering files. Now cleaning up the ransom notes."

$RecoveryFileList = Get-ChildItem -LiteralPath $EncryptedPath -Filter "*$RecoverFileFilter*" -Recurse -Force
foreach ($RecoveryFile in $RecoveryFileList) {
    try {
        Remove-Item -LiteralPath $RecoveryFile.FullName -Force -ErrorAction Stop
    }
    catch {
        Write-Warning ("Could not delete " + $RecoveryFile.FullName + ": " + $_.Exception.Message)
    }
}

# Remove the temporary symbolic link again
Remove-SymLink $VSSPath
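Before letting the script delete anything, it is worth a dry run that tells you how many of the encrypted files actually have a counterpart in the snapshot, and whether those counterparts look like plaintext rather than another encrypted copy. The check below is an added example, not part of the original script or of the blog post it was adapted from. It reuses the same $EncryptedPath, $VSSPath and $Extension settings and assumes the symbolic link to the shadow copy has already been created. The 7.5 bits-per-byte entropy threshold is an assumption: encrypted data scores close to 8, but so do compressed formats (zip, docx, jpg), so "suspect" means look at the file, not that the snapshot is encrypted too.

```powershell
# Added example (not from the original script): dry-run check of what the repair
# script would restore. Assumes $EncryptedPath, $VSSPath and $Extension are set as
# in the script and that the shadow copy symlink already exists.

function Get-ShannonEntropy {
    # Bits of entropy per byte over the supplied bytes (0 = constant, 8 = uniform random)
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Read-FileHead {
    # First $Count bytes of a file: enough to judge entropy without reading big files fully
    param([string]$Path, [int]$Count = 4096)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $Count
        $read = $stream.Read($buffer, 0, $Count)
        $head = New-Object byte[] $read
        [Array]::Copy($buffer, $head, $read)
        return ,$head
    }
    finally { $stream.Dispose() }
}

function Test-RestoreCandidates {
    # One record per encrypted file: is the original in the snapshot, and does it look like plaintext?
    param(
        [string]$EncryptedPath,
        [string]$VSSPath,
        [string]$Extension = ".encrypted",
        [double]$EntropyThreshold = 7.5   # assumption; compressed formats also score this high
    )
    foreach ($f in Get-ChildItem -LiteralPath $EncryptedPath -Filter "*$Extension" -Recurse -Force -File) {
        $original = $f.FullName.Substring(0, $f.FullName.Length - $Extension.Length)
        # Same mapping as the repair script: drop "E:\" and prefix the snapshot link
        $snapshot = Join-Path $VSSPath $original.Substring(3)
        $status = "missing"
        $entropy = $null
        if (Test-Path -LiteralPath $snapshot -PathType Leaf) {
            $entropy = Get-ShannonEntropy (Read-FileHead -Path $snapshot)
            $status = if ($entropy -gt $EntropyThreshold) { "suspect" } else { "ok" }
        }
        $rounded = if ($null -ne $entropy) { [Math]::Round($entropy, 2) } else { $null }
        [pscustomobject]@{
            Encrypted = $f.FullName
            Snapshot  = $snapshot
            Status    = $status
            Entropy   = $rounded
        }
    }
}

$report = Test-RestoreCandidates -EncryptedPath $EncryptedPath -VSSPath $VSSPath -Extension $Extension
# Summary first (how many ok / suspect / missing), then the ones that need a look
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne "ok" } | Format-Table -AutoSize
```

A large "missing" count usually means the snapshot is older than part of the share or the drive-letter mapping is wrong; a large "suspect" count on files that are not archives or media means the snapshot you picked was taken after the encryption started and you need an earlier one.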

HP Blade system commands (C7000)

Hard reset power to a blade (undocumented?)

This resets power to the blade instantly, the equivalent of pulling it from the chassis and re-inserting it, so nothing running on the blade gets a clean shutdown. From the Onboard Administrator CLI, where x is the bay number:

reset server x

Original article – http://h20564.www2.hp.com/hpsc/doc/public/display?docId=mmr_kc-0115524

Factory reset an iLO using Onboard Administrator

Where 6 = blade bay number. The user name and password in the script are ignored because the Onboard Administrator logs in to the blade's iLO for you. FACTORY_DEFAULTS wipes the iLO configuration, local user accounts included, so have the OA or a console ready to set it up again afterwards.

HPONCFG 6 << @

<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="Dontcare" PASSWORD="UsingAutologin">
    <RIB_INFO MODE="write">
      <FACTORY_DEFAULTS/>
    </RIB_INFO>
  </LOGIN>
</RIBCL>

@

Original article – http://community.hpe.com/t5/HPE-BladeSystem-Server-Blades/BL460c-G7-blade-Factory-Reset-to-Default-Settings/td-p/5596175

Backspace in HP/Comware switches

Ctrl+H

http://www.myteneo.net/blog/-/blogs/hp-comware-can-t-backspace-in-iterm/

A quick and dirty script to backup OpenStack config files

You will of course need to run ssh-copy-id root@hostname for each machine you want to connect to prior to running this script. Bear in mind what you are collecting: nova.conf, keystone.conf and friends carry database passwords and service credentials, so the backup host needs the same protection as the controllers themselves.

#!/bin/bash
# Directories to pull from each OpenStack node, and the nodes to pull them from
osdirs=( "/etc/nova" "/etc/neutron" "/etc/cinder" "/etc/glance" "/etc/keystone" "/etc/httpd" )
servers=("vm-os-ks01" "vm-os-glance01" "vm-os-dash01" "vm-os-net01" "vm-os-net02" "vm-os-cinder01" "vm-os-radosgw01" )

# The config files hold database passwords and service credentials, so keep
# the backup tree readable by root only
umask 077
for s in "${servers[@]}"
do
    for d in "${osdirs[@]}"
    do
        echo "Server $s Dir $d"
        # Create the parent (e.g. /root/backups/vm-os-ks01/etc) so scp -r can drop the directory
        # into it; copying into the parent means a re-run overwrites instead of nesting a second copy
        dest="/root/backups/$s$(dirname "$d")"
        mkdir -p "$dest"
        scp -r "root@$s:$d" "$dest/"
    done
done

Linux get server hardware information

Get the model number of a server, tested on HP DL380s and DL180s. dmidecode -t system prints just this block if you do not want to grep for it.


[root@cephosd4 ~]# dmidecode | grep "System Information" -A20
System Information
        Manufacturer: HP
        Product Name: ProLiant DL180 Gen9
        Version: Not Specified
        Serial Number: xxxxxxx
        UUID: xxx-3335-5541-xxx-313930303734
        Wake-up Type: Power Switch
        SKU Number: 778453-B21
        Family: ProLiant

OpenBGPD on pfSense

Here is a working config from a multi-site MPLS VPN connection managed by AAPT.

We terminated the connection in the data center with pfSense and OpenBGPD.

The default route for all remote sites is via the data center, which is why 0.0.0.0/0 is announced alongside the local subnet.


AS 64512
fib-update yes
listen on 10.252.0.18
router-id 10.252.0.18

network 0.0.0.0/0
network 192.168.30.0/24

neighbor 10.252.0.17 {
    descr "TPG"
    remote-as 2764
    announce all
    local-address 10.252.0.18
}

deny from any
deny to any
allow from 10.252.0.17
allow to 10.252.0.17
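As written, the filter block accepts whatever prefixes the provider sends and advertises both networks without restriction. The fragment below is an added example, not the page's working config: it keeps the same session but limits what is accepted from and announced to the peer, and adds a prefix limit so a leaked full table drops the session instead of filling the pfSense routing table. The 192.168.0.0/16 aggregate for the remote sites is an assumption; replace it with the ranges AAPT actually routes for you. OpenBGPD evaluates filter rules in order with the last match winning, which is why the explicit denies come last.

```conf
AS 64512
fib-update yes
listen on 10.252.0.18
router-id 10.252.0.18

network 0.0.0.0/0
network 192.168.30.0/24

neighbor 10.252.0.17 {
    descr "TPG"
    remote-as 2764
    announce all
    local-address 10.252.0.18
    # tear the session down if the provider sends more than 100 prefixes (assumed limit),
    # and retry after 5 minutes
    max-prefix 100 restart 5
}

deny from any
deny to any
# inbound: only the remote-site ranges (assumed to sit inside 192.168.0.0/16), /24 or longer
allow from 10.252.0.17 prefix 192.168.0.0/16 prefixlen >= 24
# outbound: only the default route and our own subnet
allow to 10.252.0.17 prefix 0.0.0.0/0
allow to 10.252.0.17 prefix 192.168.30.0/24
# never take our own subnet or a default route back from the provider, whatever the rules above matched
deny from 10.252.0.17 prefix 192.168.30.0/24
deny from 10.252.0.17 prefix 0.0.0.0/0
```

After reloading, bgpctl show rib neighbor 10.252.0.17 shows what survived the inbound filter and bgpctl show rib out neighbor 10.252.0.17 what is actually being announced.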

hpacucli on Linux

Original article here – http://www.thegeekstuff.com/2014/07/hpacucli-examples/

Using hpacucli to manage RAID

Create a single-disk RAID 0 (how I use Ceph on my HP DL180s, one logical drive per OSD disk)

hpacucli ctrl slot=2 create type=ld drives=1I:1:8 raid=0


Show all logical volumes

[root@management ~]# hpacucli controller slot=0 logicaldrive all show

Smart Array P410i in Slot 0 (Embedded)

array A

logicaldrive 1 (136.4 GB, RAID 1, OK)

array B

logicaldrive 2 (1.4 TB, RAID 5, Recovering, 52% complete)


Script to E-Mail in case of RAID failure

#!/bin/bash
###
# If something went wrong with the HP Smart Array disks this script will send an error email
###
MAIL=notifications@domain.com.au
HPACUCLI=$(which hpacucli)
# uname26 makes hpacucli believe it is on a 2.6 kernel; the binary refuses to run on newer ones
HPACUCLI_CMD="/usr/sbin/uname26 $HPACUCLI controller slot=2 physicaldrive all show"
# private temp file instead of a fixed, predictable name in /tmp
HPACUCLI_TMP=$(mktemp /tmp/hpacucli.XXXXXX)
trap 'rm -f "$HPACUCLI_TMP"' EXIT

if [ "$($HPACUCLI_CMD | grep -ic 'Fail\|Rebuil\|err\|prob')" -gt 0 ]
then
    msg="RAID Controller Errors"
    logger -p syslog.err -t RAID "$msg"
    echo "Hostname: $HOSTNAME" >> "$HPACUCLI_TMP"
    $HPACUCLI_CMD >> "$HPACUCLI_TMP"
    mail -s "$HOSTNAME [ERROR] - $msg" -r RaidError@domain.com.au "$MAIL" < "$HPACUCLI_TMP"
#else
#echo "Everything Good"
fi
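The grep in the script above fires on any line containing "err" or "prob", which is fine as an alarm but tells you nothing about which drive is in what state. The functions below are an added example, not part of the original script: they parse the physicaldrive lines (port:box:bay, then the status after the last comma) so the alert can name the drive and the state. SAMPLE is constructed for the example, not captured from a real controller; in the cron job you would pipe the real hpacucli output into raid_failed_drives instead.

```bash
#!/bin/bash
# Added example, not part of the original script: parse "physicaldrive all show"
# output line by line instead of grepping for substrings. SAMPLE below is
# constructed for the example, not captured from a real controller.

raid_failed_drives() {
    # Reads hpacucli "controller slot=N physicaldrive all show" on stdin and prints
    # "<port:box:bay> <status>" for every drive whose status is not OK.
    awk '
        /^[[:space:]]*physicaldrive / {
            # physicaldrive 1I:1:8 (port 1I:box 1:bay 8, SAS, 1 TB, Predictive Failure)
            bay = $2
            status = $0
            sub(/^.*, /, "", status)          # keep the text after the last ", "
            sub(/\)[[:space:]]*$/, "", status) # drop the closing parenthesis
            if (status != "OK") print bay, status
        }'
}

raid_error_count() {
    # Number of drives not in the OK state (0 = healthy); same stdin as above
    raid_failed_drives | wc -l | tr -d ' '
}

SAMPLE='Smart Array P420 in Slot 2

   array A

      physicaldrive 1I:1:1 (port 1I:box 1:bay 1, SAS, 1 TB, OK)
      physicaldrive 1I:1:2 (port 1I:box 1:bay 2, SAS, 1 TB, Rebuilding)

   array B

      physicaldrive 1I:1:3 (port 1I:box 1:bay 3, SAS, 1 TB, OK)
      physicaldrive 2I:1:6 (port 2I:box 1:bay 6, SAS, 1 TB, Failed)
      physicaldrive 2I:1:7 (port 2I:box 1:bay 7, SAS, 1 TB, Predictive Failure)

   unassigned

      physicaldrive 2I:1:8 (port 2I:box 1:bay 8, SAS, 1 TB, OK)'

# Demo against the constructed sample. For the real thing:
#   /usr/sbin/uname26 hpacucli controller slot=2 physicaldrive all show | raid_failed_drives
printf '%s\n' "$SAMPLE" | raid_failed_drives
```

Running the demo prints the three drives that need attention (1I:1:2 Rebuilding, 2I:1:6 Failed, 2I:1:7 Predictive Failure); in the mail script, test raid_error_count against 0 and put the raid_failed_drives output in the subject line.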

Ceph – Generate a new key

When using Puppet to roll out Ceph you may want to generate new keys for the admin keyring etc. The output is the secret itself, so generate your own rather than reusing one copied from a page like this, and keep the keyrings you write it into readable by root (or the ceph user) only.

[root@lib-cephxx ~]# ceph-authtool --gen-print-key
AQBTuxlXlpMTNBAAykh5+4vHHnTcjhq4FWFw8g==


Example config for Squid as a reverse proxy in front of OWA on Exchange 2010 or 2016

/etc/squid/squid.conf


visible_hostname mail.domain.com
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
ssl_unclean_shutdown on

#This line is to fix the 2mb connection limit
client_persistent_connections off

https_port 443 accel cert=/etc/squid/wildcard.crt key=/etc/squid/wildcard.key defaultsite=mail.domain.com options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE dhparams=/etc/squid/dhparams.pem cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#Was
#https_port 443 accel cert=/etc/squid/wildcard.crt key=/etc/squid/wildcard.key defaultsite=mail.domain.com options=NO_SSLv3:NO_SSLv2

#OWA
#This line used to carry sslversion=3, which had something to do with the 2mb limit
cache_peer 192.168.30.147 parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl sslflags=DONT_VERIFY_PEER connection-auth=on name=ExchangeCAS
acl site_OWA dstdomain mail.domain.com autodiscover.domain.com
cache_peer_access ExchangeCAS allow site_OWA
http_access allow site_OWA
#miss_access allow site_OWA

#TSG
cache_peer 192.168.30.133 parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl sslflags=DONT_VERIFY_PEER connection-auth=on name=TSGServer
acl site_TSG dstdomain tsg.domain.com
cache_peer_access TSGServer allow site_TSG
http_access allow site_TSG
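Two things in the config above are worth tightening. sslflags=DONT_VERIFY_PEER means Squid accepts any certificate from the Exchange and TSG servers, so anyone who can get between the proxy and the back ends can impersonate them and collect the credentials that login=PASS forwards. And the cipher list still admits 3DES: the DES-CBC3-SHA entries (and HIGH on older OpenSSL) cover it, while !DES only excludes single DES. The fragment below is an added example, not the page's config. It verifies the back-end certificates against an internal CA bundle at an assumed path (/etc/squid/internal-ca.pem) and tells Squid which name to expect in each certificate with ssldomain (assuming the back ends present certificates for their own hostnames), drops the 3DES suites, and closes both the peer access and the client access lists with an explicit deny rather than relying on Squid's implicit default.

```conf
https_port 443 accel cert=/etc/squid/wildcard.crt key=/etc/squid/wildcard.key defaultsite=mail.domain.com options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE dhparams=/etc/squid/dhparams.pem cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

#OWA - verify the CAS certificate against the internal CA (assumed path) instead of DONT_VERIFY_PEER
cache_peer 192.168.30.147 parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl sslcafile=/etc/squid/internal-ca.pem ssldomain=mail.domain.com connection-auth=on name=ExchangeCAS
acl site_OWA dstdomain mail.domain.com autodiscover.domain.com
cache_peer_access ExchangeCAS allow site_OWA
cache_peer_access ExchangeCAS deny all
http_access allow site_OWA

#TSG
cache_peer 192.168.30.133 parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl sslcafile=/etc/squid/internal-ca.pem ssldomain=tsg.domain.com connection-auth=on name=TSGServer
acl site_TSG dstdomain tsg.domain.com
cache_peer_access TSGServer allow site_TSG
cache_peer_access TSGServer deny all
http_access allow site_TSG

#Anything that is not one of the published sites is refused
http_access deny all
```

If the back ends use certificates from an internal Windows CA, the bundle needs the root and any intermediate; if they still use the self-signed certificate Exchange installs by default, put that certificate itself in the bundle rather than going back to DONT_VERIFY_PEER.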


Fail2Ban

Unban an IP

fail2ban-client set sshd unbanip --iphere--

Show status of jails

[root@l1-adl3 ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

To see the currently banned addresses for one jail: fail2ban-client status sshd


Show the Fail2Ban log

cat /var/log/fail2ban.log