- The killswitch is what it essentially hinges on: an unregistered domain in the code.
- Encryption and further execution stop if the domain specified in the code resolves and an HTTP connection is established.
- The killswitch domain name in the WannaCry code has changed, which means sinkholing just one or two domain names will not work.
- So what if we could resolve all unregistered domains to a honeypot?
- DNS by its nature cannot be gamed to do this directly, as resolving every unregistered name would cause havoc.
- MaxMind GeoIP has a domain name database.
- Write a small drop-in DNS server that uses a local copy of this database.
- The drop-in DNS server sits in front of the organization's actual DNS server.
- It checks the queried domain name against the MaxMind DB.
- If the name is found in the DB, it lets the request pass on to the actual DNS server or replies itself.
- If the name is not found, our drop-in DNS server replies with a honeypot IP.
- The honeypot IP runs an HTTP server and accepts the HTTP connection.
- The HTTP connection succeeds and the killswitch is activated. WannaCrypt/WannaCry stops execution.
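The drop-in resolver sketched above, as an added example written here rather than code from the original post: a minimal UDP DNS front-end that parses the query name, forwards names found in a local allow-list to the real resolver, and answers everything else with an A record for the honeypot. It assumes placeholder addresses (192.0.2.10 for the honeypot, 192.0.2.53 for the upstream resolver), a constructed `KNOWN_DOMAINS` set standing in for the MaxMind database, two-label zones, and that every sinkholed query gets an A answer regardless of its query type.

```python
import socket
import struct

HONEYPOT_IP = "192.0.2.10"       # constructed placeholder for the honeypot host
UPSTREAM = ("192.0.2.53", 53)    # constructed placeholder for the real resolver
# Constructed stand-in for the local domain database; a real deployment would
# load the MaxMind data (or any list of known registered names) here instead.
KNOWN_DOMAINS = {"example.com", "example.net"}

def parse_qname(packet):
    """Return (lower-cased query name, offset just past the question section)."""
    labels, i = [], 12                      # question starts after the 12-byte header
    while packet[i] != 0:
        n = packet[i]
        labels.append(packet[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels).lower(), i + 5  # skip root label, QTYPE and QCLASS

def sinkhole_reply(query, ip, ttl=60):
    """Answer the query with a single A record pointing at the honeypot."""
    _, qend = parse_qname(query)
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # same ID; QR,RD,RA; 1 answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)  # name = pointer to offset 12
    return header + query[12:qend] + rr

def handle(query, forward):
    """Pass queries for known domains upstream; sinkhole every other name."""
    qname, _ = parse_qname(query)
    zone = ".".join(qname.split(".")[-2:])  # host.sub.example.com -> example.com (assumes 2-label zones)
    if zone in KNOWN_DOMAINS:
        return forward(query)
    print(f"sinkholed {qname} -> {HONEYPOT_IP}")  # keep a record of what was diverted
    return sinkhole_reply(query, HONEYPOT_IP)

def build_query(name, txid=0x1234):  # plain A query, used here for local testing
    q = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", 1, 1)

def forward_upstream(query):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(2)
        up.sendto(query, UPSTREAM)
        return up.recvfrom(4096)[0]

def serve(listen=("0.0.0.0", 5353)):  # UDP front-end that sits before the real resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            data, addr = sock.recvfrom(4096)
            sock.sendto(handle(data, forward_upstream), addr)
```

Run `serve()` on a host and point a test client at it on port 5353; the printed sinkhole lines are the record worth reviewing, because every genuinely new domain that is not yet in the database will be diverted as well.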
Quick note to self: mod_geoip, or more precisely apache_note(), does not work when PHP runs as a CGI handler instead of as an Apache module. Use getenv() instead.
Instead of apache_note("GEOIP_COUNTRY_NAME"); use getenv("GEOIP_COUNTRY_NAME");
If you want to allow visitors to download the PDFs rather than have them rendered in the browser, here's a quick howto.
In the VirtualHost section for the domain add:
SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "attachment" env=requested_pdf
That's it: all PDFs on that domain will be offered for download.
A client pinged… he has lost the database for a site he had spent close to 6 months on… he interpreted a mail from a script provider differently and ended up deleting the DB… the backup is from when he had first set it all up. I had set up his server and used to help him off and on with any tune-ups or security issues.
What can I say, backups are never a waste… ever… if nothing else, at least you'll get some of it all back… he seems to have lost 500 odd client details… I've referred him to the host to try and see if they have something tucked away somewhere, but that's a bleak one…
We offer backup planning and automation. When people are starting off they feel it'd be a waste of time, but when something like this happens, that's when you realise how important a simple automated backup system is… and it doesn't cost the earth either… ask for the backup service.
Pray for Al, I hope it works out for him…