Ransomware and Acronis True Image

Issue Summary

I have been testing Local and had decided to move forward to use it in my workflow. I recently had an issue with a potential ransomware attack while using Local. I am protected by Acronis. Acronis quarantined several files and provided an option to recover the 10 files. The recovery did not work.

Reviewing the Community, I learned that several people have experienced ransomware attacks while using Local, according to Malwarebytes. In many of the cases, people were questioning if it was a real attack or a false positive. I had asked myself that same question in my situation.

After the 'attack', I was no longer able to edit the sites I had created. I have attempted to uninstall and remove all aspects of the Local application and related files. But I am not certain.

  1. I would like to obtain a greater understanding of the false positive vs actual attack situation.
  2. I would like help making certain all files related to Local have been removed. This is important because I attempted to delete the application and re-download it to continue working. The problem remained as indicated above.
  3. Request Help, if needed, to reinstall and get up and working again with Local.

Troubleshooting Questions

  • Does this happen for all sites in Local, or just one in particular? all sites (3) were experiencing a problem with accessing site to edit it.

  • Are you able to create a new, plain WordPress site in Local and access it in a Browser? I was able to create a new site and view it in a browser, but I was not able to edit the site at all.

Replication

Describe the steps that others can take to replicate this issue. If you have screenshots that can help clarify what is happening, please include them! Sorry, but I can't describe any steps to 1. create a ransomware attack or 2. generate a false positive, if there is some conflict with Acronis and Local.

System Details

  • Which version of Local is being used?
    the most current version downloaded from the apps site.

  • What Operating System (OS) and OS version is being used?

    • For example: macOS Catalina or Windows 10 Professional
      macOS Catalina 10.15.7
      I was running the sites in Apache, PHP v5 and MySQL v5
  • Attach the Local Log. See this Community Forum post for instructions on how to do so:

Any help or comments in regard to this issue would be helpful.

Update - I am working with Acronis in respect to the ransomware attack. It seems likely that it was a false positive on Local activity. Acronis is working to identify this issue. The identification occurred while I was working on a site in Local. The typical expected ways a ransomware attack occurs, an email link or text link, were not active.

The result of files being quarantined, attempted recovery of files, then subsequent uninstall of Local (it wasn't working) has created an environment where a new install of Local does not correct the problem. I still can't use Local because I receive a 503 Server Unavailable error code.

I could use some help or suggestions on how to do a full uninstall of Local, related files and folders, so I can re-install Local and try to get it to work.

thanks
Steve

I am having a similar issue on Windows 10 with Bitdefender. Not only is it flagging Local files, but it's also flagging files that are being installed when adding a new plugin on a local site. I've added new installs and plugins on other Local sites last week without any issues at all. It's very odd.

thanks for sharing

I believe that the algorithm or scan features of these programs are confusing file activity in Local with the behavior of ransomware attacks. While the behavior of Local may be consistent with WP on an internet server, somehow the security apps need to exclude the activity on local servers or change their algorithms.


@sgrundleger – Thanks for taking the time to write a detailed topic and outline the things that you are encountering.

If you consider the things that Local does, it does have the potential to do some pretty powerful things, which if done without your knowledge, then it would be "really bad."

However, since Local is trying to do some advanced system configuration to get a development environment up and running, it does need to adjust some things. Off the top of my head, the usual actions that Local does that could be viewed as problematic:

  • Start processes you typically only see on a server (nginx/apache, PHP, MySQL)
  • Edit the Hosts file so that the domain is resolved to the site Local is managing.
  • Local's router is set up to listen on port 80. The router is responsible for directing requests to the actual WordPress site. Because port 80 is the default for HTTP requests, I could see how malware would want to occupy that port, and by extension, why antivirus would be monitoring that sort of activity.

This is interesting ā€“ do you have a list of those files that were quarantined?

What makes you say that restoring didn't work – for example, did you see a specific error, or is it just that Local isn't working after restoring?

To your specific question:

Do you have a screenshot or recording of what you saw in Acronis? I've never seen the flow that happens with that piece of software, so I'm curious what it's doing to lock Local down.

Since youā€™re on a Mac, you should be able to uninstall Local by:

  1. Delete the application in the /Applications folder (or wherever you installed it)
  2. Delete (or temporarily move) Local's configuration and settings. This is located at ~/Library/Application Support/Local

NOTE
Deleting the ~/Library/Application Support/Local folder will mean deleting the raw db files for the sites, which means the potential for serious data loss. Instead of deleting the folder, temporarily moving it might be a good idea. The specific place where the site db files are located is within the run folder.

Lastly, can you please provide your Local Log? See this Community Forum post for instructions on how to do so:

I hope to obtain the list of quarantined files on Monday. Acronis has scheduled an in-depth support session with me on Monday.

I deleted the application and all files and folders in ~/Library/Application Support/Local. I subsequently downloaded Local from localwp.com. I installed Local and set up a new website. I proceeded to enter admin and received the 503 error message again.

I do not have screenshots

Last interesting comment: with the new re-install the Local application icon shows in the Launchpad and can be launched (as I indicated above), but the application does not show in the Applications folder in the Finder. I have never seen this before. I cannot locate where the application is installed. The library folders and files are where they would be expected. This is odd.

Do you know if there are other hidden files or folders for the Local application or settings?

local-lightning.log (209.3 KB)

Here is the log file. The 'ransomware attack' occurred on Tuesday morning, February 9th around 10:30am.

(Quick update - I found the application residing in a subfolder in a Canon utilities application folder. It had to exist somewhere, but I have no idea how it got installed in this location.)

Thanks for sharing that lightning log!

The main error I see is this one:

  "thread": "main",
  "class": "Process",
  "process": "phpFpm",
  "errno": "ENOENT",
  "code": "ENOENT",
  "syscall": "spawn %%userDataPath%%/lightning-services/php-7.4.1+14/bin/darwin/sbin/php-fpm",
  "path": "%%userDataPath%%/lightning-services/php-7.4.1+14/bin/darwin/sbin/php-fpm",
  "spawnargs": [
    "-F",
    "--prefix",
    "%%site.runData%%/conf/php",
    "--fpm-config",
    "%%site.runData%%/conf/php/php-fpm.conf",
    "-c",
    "%%site.runData%%/conf/php"
  ],
  "level": "error",
  "stack": "Error: spawn %%userDataPath%%/lightning-services/php-7.4.1+14/bin/darwin/sbin/php-fpm ENOENT\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:264:19)\n    at onErrorNT (internal/child_process.js:456:16)\n    at processTicksAndRejections (internal/process/task_queues.js:81:21)",
  "message": "spawn %%userDataPath%%/lightning-services/php-7.4.1+14/bin/darwin/sbin/php-fpm ENOENT",
  "timestamp": "2021-02-09T18:42:23.364Z"

For background, Local's lightning-services is basically the server software and configuration to run the WordPress site (php/mysql/nginx/apache).

If I'm reading that error correctly, Local is trying to spawn a process for PHP 7.4.1 but it can't find it. That makes some sense given that you're seeing a 503 – that's basically Nginx saying that it didn't get a response from "upstream" within the timeout. "Upstream" in this case is PHP.

Have you tried creating a new, plain WordPress site and seeing if you are able to interact with that site? If you are able to create a new site in Local, then you might try restoring the site to a new one in Local by using the files for the existing site. Take a look at the steps outlined in the "Restoring From Only Local Site files" section of this help doc:
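The shell script below is an added diagnostic example for the "spawn .../php-fpm ENOENT" error quoted above; it is not code from Local or from anyone in this thread. It reads a local-lightning.log for the ENOENT spawn messages, expands the %%userDataPath%% placeholder (assumed to be ~/Library/Application Support/Local unless LOCAL_USER_DATA is set), and reports for each target binary whether it is missing (still in AV quarantine or deleted), present but not executable, or, on macOS only, still carrying the com.apple.quarantine attribute or failing codesign. The log-message shape and placeholder expansion are inferred from the excerpt; the function names are mine.

```shell
#!/bin/sh
# Added diagnostic for the "spawn .../php-fpm ENOENT" error quoted above.
# Not part of Local; log format and placeholder expansion are assumptions
# drawn from the log excerpt in this thread.

# Local writes %%userDataPath%% into its log instead of the real path.
# On macOS that directory is ~/Library/Application Support/Local (assumed);
# override with LOCAL_USER_DATA if yours differs.
LOCAL_USER_DATA="${LOCAL_USER_DATA:-$HOME/Library/Application Support/Local}"

# Print each distinct path Local failed to spawn, placeholder expanded.
# Matches the "spawn <path> ENOENT" message shape seen in the excerpt.
missing_spawn_paths() {
    log="$1"
    grep -o 'spawn [^" ]* ENOENT' "$log" \
        | sed -e 's/^spawn //' -e 's/ ENOENT$//' \
              -e "s|%%userDataPath%%|$LOCAL_USER_DATA|g" \
        | sort -u
}

# Classify why a service binary may not spawn. Prints one word:
#   missing         - ENOENT: deleted, or still sitting in AV quarantine
#   not-executable  - present but restored without its mode bits
#   quarantined     - macOS only: carries com.apple.quarantine, Gatekeeper may block exec
#   unsigned        - macOS only: no valid code signature (what Acronis keyed on)
#   ok              - nothing obviously wrong at the file level
# Returns 0 for ok/unsigned (runnable, AV may still complain), 1 otherwise.
check_service_binary() {
    bin="$1"
    if [ ! -e "$bin" ]; then
        echo "missing"; return 1
    fi
    if [ ! -x "$bin" ]; then
        echo "not-executable"; return 1
    fi
    if command -v xattr >/dev/null 2>&1 \
       && xattr -p com.apple.quarantine "$bin" >/dev/null 2>&1; then
        echo "quarantined"; return 1
    fi
    if command -v codesign >/dev/null 2>&1 \
       && ! codesign -v "$bin" >/dev/null 2>&1; then
        echo "unsigned"; return 0
    fi
    echo "ok"; return 0
}

# Tie the two together: one line per missing spawn target with its status.
diagnose_local_503() {
    missing_spawn_paths "$1" | while IFS= read -r p; do
        printf '%s: %s\n' "$p" "$(check_service_binary "$p")"
    done
}

# Usage: sh local-503-check.sh /path/to/local-lightning.log
if [ "$#" -gt 0 ]; then
    diagnose_local_503 "$1"
fi
```

Run it against the log you attached: a "missing" line for the php-fpm path means the binary is still in the Acronis quarantine (or was deleted with it), so a reinstall that does not replace lightning-services will keep failing with the same 503; "quarantined" after a restore means the file came back with the Gatekeeper attribute and may still be blocked on exec.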

Here is my update, and thanks for your efforts Ben –

  1. I met with Acronis today and the following was determined:
     • the file which was quarantined is the php-fpm executable
     • location = Library > Application Support > Local > lightning-services > php-7.4.1+14 > bin > Darwin > sbin
       Based on your comment, presumably a critical file and preventing PHP from working. Since it was quarantined, maybe it is possible that the reinstall was not effective because of this file.

  2. Next step:
     I should consider uninstalling all of Local again, making certain this php-fpm file is also deleted from quarantine, and then reinstalling again.
     • I believe the following deletions of files should completely uninstall Local and related files. Ben, if you have more information about this, please suggest. I am working on a MacBook.
       A. Local application in the Applications folder
       B. User > (hidden) Library > Application Support > Local folder (this Local folder includes about a dozen various folders (adding, blob_storage, cache, … sentry, Session Storage), plus many other JSON files and settings, preferences, etc.)
       C. User > Local Sites folders for each website created in Local. I had previously deleted all of these, and the one test site there now has not yet been worked on since there was no access to the server.

Is there anything else in a Mac which should be moved to trash to fully uninstall Local?

Nice! Thanks for replying with more info about your meeting with Acronis.

I don't think so, that list seems like the complete list of things Local touches!

At this point I have deleted all related Local files, excluded the Local app, Local Site folder, and the Application Support Local folder from security app review.

I have reinstalled Local, related folders, created a new site, downloaded Apache, WP, and mySQL.

Unfortunately, when I open the site to view or admin, the browser opens with this message:

"Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."

Is there a way to get tech support from LocalWP?

Can you take a screenshot of the ā€œService Unavailableā€ message you are seeing?

Also, since this sounds like a server-level issue, can you provide the logs for that site as well as the Local log? That should give us a better idea of what issues Local is having.

One other troubleshooting piece, does it make any difference if you create a "preferred" site or one that has nginx?

Ben and Community -

I wanted to follow up with several updates on this topic.

  1. Acronis review and analysis has determined that the activity was a false positive. A quote from Acronis follows: "After investigation, we figured out that the problem was caused because the php-fpm process was not signed by an Apple or Developer ID certificate and acted suspiciously, and this is why a group of jpeg files was deleted.

You can restore the file from quarantine. It'll be whitelisted after restore."

  2. I have not been able to use Local because my system continues to have some form of corruption because of the quarantine activity. I have restored several times, deleted the application, re-installed it, and it does not work.

  3. Ben - I have not been able to respond to your last request. Unfortunately, I have been super busy and not able to focus on this issue. I would like Local to help solve this issue. I am still interested in licensing the Local software. I do not understand your question about the 'preferred' site. I have no knowledge of nginx. I do not know if Bluehost supports nginx.

I hope in the near future I can dedicate some time to complete this repair process. thanks for the help. I will reach out again.

Steve

Thank you so much for following up on this and letting us know what Acronis found!

We are actually in the process of updating things and signing the lightning services to stay current with newer requirements from Apple. This hasnā€™t been completed yet, but should be released soon.

Let us know how this goes. Iā€™m curious to know if it fixes things for you.

The preferred site is mostly just a bundled set of server software (php7.3.5/nginx/mysql8.0). Even if Bluehost doesn't offer nginx, I was mostly curious if using a different bundle of software would mean that those pieces of the stack weren't quarantined.

If you get things working by restoring the php-fpm service that Acronis mentions, then you donā€™t need to do anything with the preferred environment.
