Virus - SMB Port Scanning (Wannacry?)

Virus / Security Risk

The following IPs have been port scanning SMB (TCP/445) (this is the Windows file share port) and may well be infected by malware or viruses. Can the owners please check software they may have installed recently and run a scan for viruses?

They’ve been logged on @dizzle's firewall trying to log into 445 (which is the SMB or Windows file share port). It’s a known symptom of the WannaCry virus or similar. Some wuggers (from PTAWUG) have also noted the attacks on their anti-virus:

Thanks @dizzle for tracking down the issue. Thanks to the PTAWUGgers for reporting it to us also.

Scanning IPs

These will be automatically blackholed:


Added two more IPs to the list above.

List of host names below


From Kfn:

172.26.22.131/32 - @shaggydogza

172.26.27.180/32 - @redrbk
172.26.27.189/32 - also redrbk

172.26.30.1/32 - @Coms

172.26.31.229/32 - @Blinkfs


172.18.145.203 pc11.tiffie.ctwug.za.net
172.18.123.241 pc1.wesa.ctwug.za.net

Also infected

Stiaan, what is this? Please give a bit of clarity.

Refer to the 1st post in the thread; devices on those IPs of yours are very possibly infected.

Hi, is it the PCs or the RBs?

PCs are the likely ones in this case.

I’ve informed snot and Arno

OK Stiaan, will look tonight.

@dizzle has run a scan on one of these and it was heavily infected with multiple pieces of malware. It was also not patched. Keep your systems up to date even if only on the wug. There are WSUS servers on the wug also.

Or switch to Linux.
:wink:

@spin, what do you mean by patched?

Hi
According to Zerocool (IP: 172.26.135.41), he scanned and deleted his virus. Can anyone please just check if he did it successfully?
Thanks

Did a scan, all well on my side.

What do you mean complete? @Wolf

Patching the operating system for vulnerabilities. Patches are released by OS maintainers. Basically Windows updates.


@dizzle Post has been updated


let me know if there is anything else .coms and dizzle

Spin, I did what you asked of me. I would appreciate it if you bring me back online, thank you.