The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘ESXi6’ Category

Large (hundreds) CVE-2021-21974 ESXi VMware based ESXiArgs (Nevada?) ransomware attacks

Posted by jpluimers on 2023/02/04

Shodan.io results for query html:"We hacked your company successfully" title:"How to Restore Your Files"

[Wayback/Archive] Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said.
“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven’t yet been updated.
CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.
CVE-2021-21974 affects the following systems:
  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

[Wayback/Archive] Esxi Ransomware Help and Support Topic (ESXiArgs / .args extension) – Page 2 – Ransomware Help & Tech Support (there are now 4 pages, most victims OVH, likely many more pages to follow)

[Wayback/Archive] How to Disable/Enable the SLP Service on VMware ESXi (76372)

[Wayback/Archive] html:"We hacked your company successfully" title:"How to Restore Your Files" – Shodan Search which resulted in the above image (I tweeted it at [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “@vmiss33”)

Commands used in [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “@vmiss33 I did forget to disable SLP on a patched system, but doing that is easy as per kb.vmware.com/s/article/76372:

/etc/init.d/slpd status                             # is the OpenSLP daemon running?
/etc/init.d/slpd stop                               # stop it
esxcli system slp stats get                         # SLP agent statistics; KB 76372 uses this to confirm SLP is not in use
esxcli network firewall ruleset set -r CIMSLP -e 0  # close the CIMSLP firewall ruleset (SLP, port 427)
chkconfig slpd off                                  # keep slpd from starting again at boot
chkconfig --list | grep slpd                        # verify: should now report slpd as off
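As an added example (mine, not code from the post, the tweet or VMware KB 76372), here is a POSIX sh script that wraps the KB 76372 sequence above, verifies the outcome from the text that `chkconfig --list` and `esxcli network firewall ruleset list` print, and, following the CERT-FR advice to scan for signs of compromise, looks under a datastore path for the ESXiArgs markers named on this page: files with the `.args` extension and a ransom note titled "How to Restore Your Files". The output lines the two parsers expect (`slpd off` and `CIMSLP false`) are assumptions about what those commands print; the sample texts and files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post, the tweet or VMware KB 76372.
# ESXi's shell is BusyBox ash, so only POSIX sh constructs are used.
#
#   disable_slp          the KB 76372 sequence (only meaningful on an ESXi host)
#   slp_is_off           verify, from command output passed as text, that slpd
#                        is off at boot and the CIMSLP firewall ruleset is disabled
#   find_esxiargs_marks  list *.args files and ransom notes under a datastore path
#
# Assumed output formats (whitespace separated, one service/ruleset per line):
#   chkconfig --list                      ->  "slpd      off"
#   esxcli network firewall ruleset list  ->  "CIMSLP    false"

# Stop slpd, close the SLP firewall ruleset and keep slpd from starting at boot.
disable_slp() {
  /etc/init.d/slpd stop &&
  esxcli network firewall ruleset set -r CIMSLP -e 0 &&
  chkconfig slpd off
}

# slp_is_off CHKCONFIG_TEXT RULESET_TEXT -> 0 when both say SLP is off, else 1.
# Takes the command output as text so the same check runs off-host against
# output saved from many hosts.
slp_is_off() {
  printf '%s\n' "$1" |
    awk '$1 == "slpd" && $2 == "off" { ok = 1 } END { exit !ok }' || return 1
  printf '%s\n' "$2" |
    awk '$1 == "CIMSLP" && $2 == "false" { ok = 1 } END { exit !ok }' || return 1
}

# find_esxiargs_marks DIR -> one path per line: every *.args file (the extension
# ESXiArgs appends to the files it encrypts) and every file containing the
# ransom-note title.  Read-only, so it is safe to run on a suspect host before
# deciding whether to restore or rebuild.
find_esxiargs_marks() {
  find "$1" -type f -name '*.args' 2>/dev/null || true
  grep -rl 'How to Restore Your Files' "$1" 2>/dev/null || true
  return 0
}

# On a host:
#   disable_slp
#   slp_is_off "$(chkconfig --list)" "$(esxcli network firewall ruleset list)" \
#     && echo "SLP disabled" || echo "SLP still enabled"
#   find_esxiargs_marks /vmfs/volumes
```

The verification step deliberately takes text rather than calling the commands itself: run `chkconfig --list` and `esxcli network firewall ruleset list` on each host (over SSH, or from the output you already collect) and feed the results to `slp_is_off`, so one script confirms the mitigation across a fleet without needing esxcli on the machine doing the checking.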

More links to follow, but I’m away from keyboard for most of the day.

–jeroen


Posted in ESXi6, ESXi6.5, ESXi6.7, Power User, Ransomware, Security, Virtualization, VMware, VMware ESXi

VMware ESXI: creating an eagerly zeroed thick disk

Posted by jpluimers on 2022/12/30

For my memory: to create a 40 GiB (gibibyte, i.e. a size in powers of 2 bytes) eagerly zeroed thick disk:

# vmkfstools --createvirtualdisk 40G --diskformat eagerzeroedthick ./X9SRI-3F-W10P-EN-MEDIA-DATA.vmdk
Creating disk './X9SRI-3F-W10P-EN-MEDIA-DATA.vmdk' and zeroing it out...
Create: 100% done.

People tend to abbreviate it into what, to me, reads like gibberish:

# vmkfstools -c 40G -d eagerzeroedthick ./X9SRI-3F-W10P-EN-MEDIA-DATA.vmdk
Creating disk './X9SRI-3F-W10P-EN-MEDIA-DATA.vmdk' and zeroing it out...
Create: 100% done.

It creates a descriptor file and a flat data file, of which the latter is exactly 40 gibibytes in size (42949672960 / (1024 * 1024 * 1024) == 40):

# ls -l X9SRI-3F-W10P-EN-MEDIA-DATA*.vmdk
-rw-------    1 root     root     42949672960 Nov 16 16:54 X9SRI-3F-W10P-EN-MEDIA-DATA-flat.vmdk
-rw-------    1 root     root           471 Nov 16 16:54 X9SRI-3F-W10P-EN-MEDIA-DATA.vmdk
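To check a disk like this after creation, here is an added example of my own (not code from the post or from vmkfstools): it turns the vmkfstools size argument into bytes using the same power-of-two units, reads the extent line of the descriptor file, and confirms that the descriptor's sector count and the flat file's actual size both match the requested size. The descriptor layout it parses (`RW <sectors> VMFS "<name>-flat.vmdk"`, 512-byte sectors) is what ESXi writes for a VMFS disk; the descriptor and flat file used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.  POSIX sh so it also runs in
# ESXi's BusyBox ash.
#
#   vmk_bytes SIZE           vmkfstools size argument (e.g. 40G) -> bytes
#   extent_sectors DESC      sector count from the descriptor's extent line
#   extent_file DESC         flat file named in the descriptor's extent line
#   disk_matches DESC SIZE   0 when descriptor, flat file and SIZE agree
#
# Descriptor extent line assumed to look like (512-byte sectors):
#   RW 83886080 VMFS "X9SRI-3F-W10P-EN-MEDIA-DATA-flat.vmdk"

# vmkfstools K/M/G/T are powers of two (40G == 40 GiB), never powers of ten.
vmk_bytes() {
  n=${1%[KkMmGgTt]}
  case "$1" in
    *[Kk]) mult=1024 ;;
    *[Mm]) mult=1048576 ;;
    *[Gg]) mult=1073741824 ;;
    *[Tt]) mult=1099511627776 ;;
    *)     mult=1 ;;
  esac
  echo $((n * mult))
}

extent_sectors() {
  awk '$1 == "RW" && $3 == "VMFS" { print $2; exit }' "$1"
}

extent_file() {
  # the flat file name is the quoted fourth field of the extent line
  awk -F'"' '$1 ~ /^RW [0-9]+ VMFS $/ { print $2; exit }' "$1"
}

disk_matches() {
  desc=$1
  want=$(vmk_bytes "$2")
  sectors=$(extent_sectors "$desc")
  flat=$(extent_file "$desc")
  [ -n "$sectors" ] && [ -n "$flat" ] || return 1
  # the flat file lives next to its descriptor
  flat_path=$(dirname "$desc")/$flat
  [ -f "$flat_path" ] || return 1
  actual=$(wc -c < "$flat_path" | tr -d ' ')
  [ "$actual" -eq "$want" ] || return 1
  [ $((sectors * 512)) -eq "$want" ] || return 1
}

# On the host, for the disk created above:
#   disk_matches ./X9SRI-3F-W10P-EN-MEDIA-DATA.vmdk 40G && echo "40 GiB, descriptor consistent"
```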

–jeroen

Posted in ESXi6, ESXi6.5, ESXi6.7, Power User, Virtualization, VMware, VMware ESXi

Converting an existing XP machine to a VMware ESXi Virtual Machine and having boot issues?

Posted by jpluimers on 2022/05/02

A while ago I wrote about Stop 0x0000007B after converting an existing XP machine to a Virtual Machine (ESXi, Hyper-V, or other).

After this, the machine still had boot issues (a grey or black screen after boot, unless booted via Grub from a rescue CD).

The solution in retrospect was simple, but I only figured out after the fact what the solution had done.

Of course this gave me a facepalm moment, as back in the day this was exactly the warning I gave everyone when installing Windows XP on ESXi anyway: use a BusLogic SCSI-based virtual disk, not an IDE or SATA virtual disk.

The reason is that Windows XP does not like the IDE/SATA disk that VMware provides. Windows Vista and up are less of a problem.

This is indeed what my practical solution did:

  • VMware Converter 4.x creates a VM with an IDE/SATA disk (as it cannot talk to the more recent ESXi versions at all because of API changes)
  • VMware Converter 6.x creates a VM with a BusLogic SCSI-based disk (and it can create it directly on your ESXi rig, though it will use a directory in the root of your data store, even if you prefer it somewhere deeper in the directory tree)
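An added example of mine (not from the post or from VMware Converter) that turns the warning above into a check you can run against a converted VM's .vmx before its first boot: it lists every virtual disk together with the controller it hangs off, and reports whether the XP rule holds, i.e. every disk sits on a SCSI controller whose `virtualDev` is `buslogic` and none on an `ide` or `sata` bus. The .vmx keys it reads (`scsiN.virtualDev`, `scsiN:M.fileName`, `ideN:M.fileName`, `sataN:M.fileName`) are the standard ones; CD-ROM images on an IDE port are deliberately ignored, since only `.vmdk` files count as disks. The sample .vmx contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware Converter.
# POSIX sh / awk only, so it runs in ESXi's BusyBox shell as well.
#
#   vmx_disks VMX      -> one line per virtual disk: "<bus> <controller> <file>"
#                         e.g. "scsi0 buslogic xp.vmdk" or "ide0 ide xp.vmdk"
#   vmx_xp_safe VMX    -> 0 when every disk is on a BusLogic SCSI controller,
#                         1 when any disk is IDE, SATA or a non-BusLogic SCSI type
#                         (or when no disk is found at all)
#
# .vmx lines are key = "value"; disks are <bus>:<unit>.fileName entries and a
# SCSI bus's emulated adapter is <bus>.virtualDev (buslogic, lsilogic, ...).

vmx_disks() {
  awk -F' *= *' '
    {
      key = tolower($1); sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
      val = $2; gsub(/"/, "", val); sub(/\r$/, "", val)
      if (key ~ /^scsi[0-9]+\.virtualdev$/) {
        sub(/\.virtualdev$/, "", key); dev[key] = val
      } else if (key ~ /^(scsi|ide|sata)[0-9]+:[0-9]+\.filename$/ && tolower(val) ~ /\.vmdk$/) {
        # only .vmdk files: an ISO on ide1:0 (the CD-ROM) is not a disk
        busof[++n] = key; sub(/:.*/, "", busof[n]); fileof[n] = val
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        bus = busof[i]
        if (bus ~ /^scsi/) ctl = (bus in dev) ? dev[bus] : "unknown"
        else { ctl = bus; sub(/[0-9]+$/, "", ctl) }   # ide0 -> ide, sata0 -> sata
        print bus, ctl, fileof[i]
      }
    }' "$1"
}

# Prints every disk that breaks the XP rule and exits 1 if there is one.
vmx_xp_safe() {
  vmx_disks "$1" | awk '
    { n++; if ($2 != "buslogic") { bad++; print "not BusLogic SCSI:", $0 } }
    END { exit (n == 0 || bad) ? 1 : 0 }'
}

# On the host, before powering the converted VM on:
#   vmx_xp_safe /vmfs/volumes/datastore1/xp/xp.vmx && echo "disk layout is XP-safe"
```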

References:

–jeroen

Posted in ESXi6, ESXi6.5, ESXi6.7, Hardware, Power User, SAS/SATA, SCSI, Virtualization, VMware, VMware Converter, VMware ESXi, Windows, Windows XP

VMware ESXi: How to Kill an Unresponsive (Stuck) Virtual Machine | Windows OS Hub

Posted by jpluimers on 2022/04/21

For my link archive: [Wayback] VMware ESXi: How to Kill an Unresponsive (Stuck) Virtual Machine | Windows OS Hub

Commands covered:

  • esxcli vm process list
  • esxcli vm process kill --type=[soft,hard,force] --world-id=WorldNumber
  • esxtop
  • ps
  • kill
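As an added example (mine, not code from the post or the linked article), a POSIX sh wrapper around the `esxcli vm process` commands listed above: it resolves a VM's display name to its World ID from `esxcli vm process list` output, then escalates through soft, hard and force kills, re-checking the process list after each step and stopping at the first kill that removes the VM. The `World ID:` / `Display Name:` block layout it parses and the wait between attempts are assumptions; `ESXCLI` can be pointed at a stub, which is how it is exercised off-host with constructed process-list output.

```shell
#!/bin/sh
# Added example, not from the original post or the linked article.
# POSIX sh only, so it also runs in ESXi's BusyBox shell.
#
#   world_id_for NAME   reads `esxcli vm process list` output on stdin and prints
#                       the World ID of the VM whose Display Name is NAME
#   vm_running NAME     0 when a VM with that display name is in the process list
#   kill_vm NAME        soft -> hard -> force, stopping at the first kill that
#                       removes the VM from the process list
#
# `esxcli vm process list` is assumed to print one block per VM: the VM name
# unindented, followed by indented "World ID: N" and "Display Name: X" lines.
# ESXCLI lets a test substitute a stub for the real esxcli binary.

ESXCLI=${ESXCLI:-esxcli}
KILL_WAIT=${KILL_WAIT:-5}   # seconds to give each kill type before re-checking (assumption)

world_id_for() {
  awk -v want="$1" '
    /^[^ \t]/       { wid = "" }                 # a new VM block starts unindented
    /World ID:/     { wid = $NF }
    /Display Name:/ {
      name = $0; sub(/^[ \t]*Display Name:[ \t]*/, "", name)
      if (name == want && wid != "") { print wid; exit }
    }'
}

vm_running() {
  $ESXCLI vm process list | world_id_for "$1" | grep -q .
}

kill_vm() {
  name=$1
  wid=$($ESXCLI vm process list | world_id_for "$name")
  if [ -z "$wid" ]; then
    echo "no running VM with display name '$name'" >&2
    return 2
  fi
  # soft is the most graceful, hard performs an immediate shutdown and force is
  # the last resort; escalate only when the gentler kill did not take effect.
  for type in soft hard force; do
    $ESXCLI vm process kill --type="$type" --world-id="$wid" || true
    sleep "$KILL_WAIT"
    if ! vm_running "$name"; then
      echo "$name (world $wid) stopped after $type kill"
      return 0
    fi
  done
  echo "$name (world $wid) survived soft, hard and force kills" >&2
  return 1
}

# On a host:
#   kill_vm "X9SRI-3F-W10P"
```

Matching on the display name rather than on the first line of each block keeps the lookup working for VMs whose names contain spaces, and the re-check after every step means a VM that honours the soft kill is never hit with a hard or force kill it did not need.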

–jeroen

Posted in ESXi5, ESXi5.1, ESXi5.5, ESXi6, ESXi6.5, ESXi6.7, ESXi7, Power User, Virtualization, VMware, VMware ESXi

ESXi: various ways to find and view the log files

Posted by jpluimers on 2022/04/20

For my link archive:

–jeroen

Posted in ESXi6, ESXi6.5, ESXi6.7, Power User, Virtualization, VMware, VMware ESXi
