Monthly Archives: November 2013

X-|

Cisco SRW2016 – reset password cisco switches via serial console port

1. Connect to the console port using terminal emulation parameters (typically 38400, 8, 0, 1, None)
2. Reboot switch (Remove power)
3. Hold down Ctrl U while rebooting
–  Menu will be displayed
4. Select>  [D] Delete file
5. Type startup-config (be sure that this is the ONLY file that you delete – if you delete other files, you will have to reload the firmware)
6. Now, you have erased the configuration file and you should be able to reboot and login with the default username and password.

CryptoLocker

forums: Bleepingcomputer
software: shadowexplorer

How to block this infection from running on other computers on your computer.

You can use Software Restriction Policies to block executables from running when they are located in the %AppData% folder, or any other folder, which this thing launches from. See these articles from MS: http://support.microsoft.com/kb/310791 | http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
This can also be setup in group policy
File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

So the path rule you want to setup is:

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData.

With the bundling of Zbot with Cryptolocker, it is now also recommend that you create a rule to block executables running from a subfolder of %AppData%. This can be done with this path rule:

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from immediate subfolders of AppData.