Thread: Widespread file corruption garbling on Samba shared gvfs-fuse volume

  1. #1
    Join Date
    Apr 2005
    Location
    Salt Lake City, UT
    Beans
    16
    Distro
    Ubuntu 17.10 Artful Aardvark

    Widespread file corruption garbling on Samba shared gvfs-fuse volume

    I'm running 12.04 as a file server in a small office environment, approx. 12 users. I use gvfs-fuse to mount a volume that came from the previous Fedora install. This volume is shared to Windows desktop clients via Samba and also SSH (they use FileZilla or Cyberduck to connect and sync folders when working remotely).

    Yesterday, it was discovered that widespread and random file corruption was happening. A user would save an Excel, Word, or PDF file on the shared drive and within minutes, the file would become unreadable. File size, date & time stamps, filename, etc. all remained unchanged. If you open the Word or Excel files in a text editor, instead of seeing the XML data, you would just get a bunch of garbled data like this:



    I've rebooted the server. I ran hardware checks, including memory checks. I ran chkrootkit and rkhunter: nothing unusual and no known rootkits detected. I checked the file systems and they were clean. Now that the server has been rebooted, the problem seems to have stopped, at least for the spreadsheet I've created and been editing.

    Does anyone out there have any ideas why this happened? Is there any way to determine if it was gvfs-fuse-daemon or Samba?

    Does anyone have any ideas if the corrupt files are recoverable in any way? The amount of data has not changed? Maybe gvfs or Samba left the files in a temp or encoded format and there's a way to decode them?

    Help! I'm a little panicked and confused about why this happened. Nine years of running a Linux file server for this office and nothing like this has ever happened before. (You can laugh at me, but my backups of the shared volume are rsynced to a remote machine and so many of the corrupted files have been syncing to the remote backup each night.)

  2. #2
    Join Date
    Apr 2006
    Beans
    8
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: Widespread file corruption garbling on Samba shared gvfs-fuse volume

    Not sure if it really matters, but xlsx or any modern MS Office files are actually XML files within a zip file, so you may want to rename the file to .zip and open it in an archiver instead of opening it directly with a text editor. Does this corruption happen to plain text files as well?

    Also, for corruption of files, I had an experience previously where the security software on the Windows desktop (that encrypts files on the fly) got confused and corrupted files randomly. Just something to look out for in case you are using such software.
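
An added example, not part of the original posts: a triage scan that follows the point above about Office files being ZIP containers, flagging files on the share whose first bytes no longer match their extension. The function names and the set of checked extensions are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: flag files whose leading bytes do not match their extension.
# OOXML (.docx/.xlsx/.pptx) is a ZIP container: "PK\x03\x04" (504b0304).
# Legacy OLE (.doc/.xls/.ppt) starts d0cf11e0; PDF starts "%PDF" (25504446).

# Print the first four bytes of a file as lowercase hex.
magic_hex() {
    head -c 4 -- "$1" | od -An -tx1 | tr -d ' \n'
}

# Print the expected magic for a path, or nothing if the type is not checked.
expected_magic() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.docx|*.xlsx|*.pptx) echo 504b0304 ;;
        *.doc|*.xls|*.ppt)    echo d0cf11e0 ;;
        *.pdf)                echo 25504446 ;;
    esac
}

# Walk a directory and print one MISMATCH line per file with a wrong header.
# File names containing newlines are not handled.
scan_share() {
    find "$1" -type f | while IFS= read -r f; do
        want=$(expected_magic "$f")
        [ -n "$want" ] || continue
        got=$(magic_hex "$f")
        [ "$got" = "$want" ] ||
            printf 'MISMATCH %s (got %s, want %s)\n' "$f" "${got:-empty}" "$want"
    done
}

if [ "$#" -gt 0 ]; then
    scan_share "$1"
else
    # Constructed sample: one intact and one overwritten .xlsx.
    d=$(mktemp -d)
    printf 'PK\003\004intact' > "$d/ok.xlsx"
    printf 'x9f2garbled' > "$d/bad.xlsx"
    scan_share "$d"
    rm -rf "$d"
fi
```

Run against the share and against each backup copy, the output shows which files were overwritten and which backup generation still holds intact versions.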

  3. #3
    Join Date
    Mar 2008
    Beans
    88
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Widespread file corruption garbling on Samba shared gvfs-fuse volume

    Better examine all the Windows PCs for Cryptolocker! There have been reports on the internet of this thing encrypting network shares and/or NAS boxes that Windows machines have write access to. If you have never heard of Cryptolocker, you'd better start googling. If it is Cryptolocker, the infected Windows PC will have a countdown timer on it and a statement that it will cost you 300 USD to get your files back, and no, I'm not joking.
    Your first step, learn the command line: man intro, man man, man bash

  4. #4
    Join Date
    Apr 2005
    Location
    Salt Lake City, UT
    Beans
    16
    Distro
    Ubuntu 17.10 Artful Aardvark

    Re: Widespread file corruption garbling on Samba shared gvfs-fuse volume

    You called it. They brought in a laptop and didn't tell me about it, connected it to the shared volume, and this laptop had no anti-malware software installed on it and got infected with Cryptolocker. They ended up paying $300 in ransom in order to get their files decrypted. In fact, it's still working on decrypting the files on the shared drive as I type this.

  5. #5
    Join Date
    Apr 2005
    Location
    Salt Lake City, UT
    Beans
    16
    Distro
    Ubuntu 17.10 Artful Aardvark

    Re: Widespread file corruption garbling on Samba shared gvfs-fuse volume

    Thanks for the reply. Turns out it was malware called Cryptolocker on an unsecured laptop that they connected to the shared drive. It was an expensive lesson for them, and I'm working on implementing a rolling set of backups with rsync rather than just a nightly sync of everything.
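
An added example, not part of the original post: one way to build the rolling rsync backups mentioned above, using dated snapshot directories and `--link-dest` so that a night when encrypted files get synced cannot overwrite earlier copies. The function names, the YYYY-MM-DD naming and the retention count are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): dated rsync snapshots using hard links.
# A bad night's sync lands in a new directory; older snapshots keep their files.
# Snapshot names must be YYYY-MM-DD and ROOT an absolute path (assumptions).

# snapshot SRC ROOT NAME: create ROOT/NAME from SRC.
# Files unchanged since the previous snapshot are hard-linked (--link-dest);
# changed files are written as new copies, so old snapshots are never modified.
snapshot() {
    src=$1 root=$2 name=$3
    mkdir -p "$root" || return 1
    if [ -e "$root/$name" ]; then
        echo "snapshot $name already exists, refusing to overwrite" >&2
        return 1
    fi
    if [ -d "$root/latest" ]; then
        rsync -a --link-dest="$root/latest/" "$src/" "$root/$name.partial/" || return 1
    else
        rsync -a "$src/" "$root/$name.partial/" || return 1
    fi
    # Publish only a complete copy, then repoint "latest" at it.
    mv "$root/$name.partial" "$root/$name" || return 1
    ln -sfn "$name" "$root/latest"
}

# prune ROOT KEEP: delete all but the newest KEEP snapshots.
prune() {
    root=$1 keep=$2
    names=$(cd "$root" && ls -1d ????-??-?? 2>/dev/null | sort)
    total=$(printf '%s\n' "$names" | grep -c . || true)
    drop=$((total - keep))
    [ "$drop" -gt 0 ] || return 0
    printf '%s\n' "$names" | head -n "$drop" | while IFS= read -r n; do
        rm -rf -- "$root/$n"
    done
}

# Usage: script SRC ROOT KEEP
if [ "$#" -eq 3 ]; then
    snapshot "$1" "$2" "$(date +%Y-%m-%d)" && prune "$2" "$3"
fi
```

Running this on the backup host so that it pulls from the file server keeps the snapshot tree out of reach of any client that can write to the share; KEEP should cover more days than an incident is likely to go unnoticed.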

  6. #6
    Join Date
    Mar 2008
    Beans
    88
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Widespread file corruption garbling on Samba shared gvfs-fuse volume

    Wow, that sux. Better beef up samba security as well.
    Your first step, learn the command line: man intro, man man, man bash